Updated Friday, February 14, 2025

Data Protection aspects when using the ChatGPT-API

Current developments and possible solutions for handling the ChatGPT-API

Boris Arendt

Salary Partner (Attorney-at-law)

Steffen Groß

Partner (Attorney-at-law)

Current (February 2025): Data protection authorities are examining OpenAI
What does "GPT-API" mean?
Use of ChatGPT and OpenAI APIs: individual or company?
Who is the controller?
Which terms of use apply?
Data processing agreement between the company and OpenAI
Does OpenAI's DPA meet the requirements of Art. 28 GDPR?
Add the use of the GPT API to the privacy policy
Data protection impact assessment (DPIA) and data security
Use of the GPT API via Azure Cloud (Microsoft)
Conclusion
Support from Simpliant
Downloads


Since November 2022, ChatGPT has attracted the interest not only of private users, but also of numerous companies and data protection authorities. We already pointed out the data protection challenges in an earlier "Insight". But what about the ChatGPT API?


Current (February 2025): Data protection authorities are examining OpenAI

In light of current developments in the AI sector, the activities of OpenAI, the developer behind the AI platform ChatGPT, are increasingly coming under scrutiny from data protection supervisory authorities.

Measures by the Italian Data Protection Authority
The Italian data protection authority has recently taken corrective and sanctioning measures against OpenAI regarding the management of the ChatGPT service. This measure is the result of an investigation initiated in March 2023 and follows the EDPB's statement.

According to the Italian data protection authority, OpenAI has committed several violations, including failure to report a data breach, insufficient legal bases for data processing, violations of transparency obligations, and lack of age verification mechanisms.

The authority ordered a six-month institutional communication campaign and imposed a fine of 15 million euros. The campaign aims to promote public understanding of ChatGPT and the rights of affected individuals.

Following OpenAI's establishment of its European headquarters in Ireland, the case files were transferred to the Irish Data Protection Commission (DPC), which became the lead supervisory authority.

EDPB ChatGPT Task Force
The European Data Protection Board has established a dedicated task force focusing on the following areas:

  • Technical infrastructure of ChatGPT
  • Data sources and processing procedures
  • Legal bases for data processing
  • Technical and organizational protection measures
  • International data transfers

Outlook and Implementation Significance
In light of these developments, comprehensive regulatory and data protection planning is required when integrating the GPT API, especially in business-critical processes. The increased attention from data protection authorities emphasizes the necessity of GDPR-compliant implementation.


What does "GPT-API" mean?

The OpenAI API provides developers with programmatic access to integrate AI capabilities directly into their applications. Unlike the ChatGPT web interface, the API enables automated and customized use of AI functions, allowing integration into existing systems and workflows without developing proprietary AI models.

Core Features and Data Protection
When using the API, company data is transmitted to OpenAI. Business customers are subject to special "Business Terms" with a Data Processing Agreement, ensuring that data from business accounts is not used for model training. This makes the API particularly suitable for enterprise applications requiring data protection compliance.

Available Models
GPT-4o (Omni) serves as OpenAI's flagship model with a 128,000 token context window and capabilities for both text and image processing. Its more efficient variant, GPT-4o mini, offers faster processing at lower costs for focused applications.

The o-series models (o1, o3-mini) are specifically optimized for scientific tasks, with enhanced analytical capabilities and a context window of up to 200,000 tokens. They excel particularly in mathematical and programming tasks.

Additional Features
Beyond text processing, OpenAI offers multimodal APIs including DALL·E 3 for image generation, Whisper for speech recognition (also available as open source), and TTS for text-to-speech conversion. The open-source availability of Whisper notably allows for local hosting and independent usage.

Detailed information about API specifications and pricing can be found in OpenAI's official documentation: OpenAI API Docs


Use of ChatGPT and OpenAI APIs: individual or company?

OpenAI licensing fundamentally distinguishes between individual users and business customers. While individual users are subject to general terms of use, businesses are governed by special "Business Terms" including a Data Processing Agreement (DPA). API usage always falls under the Business Terms.

Options for Individual Users:
The free plan offers basic functionality with GPT-4o mini. The Plus plan ($20/month) extends usage limits and provides access to additional features. The Pro plan ($200/month) enables comprehensive access to advanced models and functions.

Options for Business Customers:
The Team plan (starting at $25/user/month) offers enhanced features and important privacy guarantees - user data is not used for model training. The Enterprise plan (individually priced) provides maximum performance, customizable privacy options, and dedicated support.

Data Usage for Model Training:
Particularly relevant for businesses is the distinction in data processing: Company data transmitted to OpenAI via API and business accounts is not used for model training.

In contrast, data from individual users of ChatGPT Free and ChatGPT Plus may be used to train the models unless users explicitly opt out in their preferences settings. This underscores the importance for businesses to choose appropriate account types based on their data protection requirements.


Who is the controller?

If a company integrates ChatGPT into its products and services via the API, the company itself is the controller within the meaning of data protection law, as it determines the “purposes and means” of the data processing (Art. 4 No. 7 GDPR).

When integrating the API, OpenAI generally becomes a processor as a service provider (Art. 28 GDPR), which acts on the instructions of the company using the API and processes personal data in this context.


Which terms of use apply?

The terms of use apply to the use of OpenAI products. For users in the European Economic Area (EEA), Switzerland and the UK, a specially adapted version applies: https://openai.com/de/policies/eu-terms-of-use (valid from: December 14, 2024), which differs from those for other users.

The following special features result from the terms of use:

  • Responsible company: OpenAI Ireland Limited is now the designated service provider for users in the EEA and Switzerland.

  • For companies based in the EU that use the OpenAI APIs or ChatGPT Business, the contract is therefore concluded with the following company: OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Center, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland


Data processing agreement between the company and OpenAI

As OpenAI regularly becomes the company's processor, it is necessary to conclude a data processing agreement (DPA). This must meet the requirements of Art. 28 GDPR.

The process for concluding a DPA with OpenAI begins with registration for a company account, such as the "Team Business Account". OpenAI's DPA is available at the following link: https://openai.com/policies/data-processing-addendum

No DPA is available for consumer services such as ChatGPT or DALL-E Labs. Companies should therefore use business accounts rather than personal accounts, as a DPA is required for the transfer of personal data to OpenAI Ireland Ltd.

Companies can request the DPA by clicking on the “Execute Data Processing Agreement” button at the bottom of the page.

The process to complete the Data Processing Addendum (DPA) includes the following steps:

1. Complete the online form: Companies complete an online form in which they must provide, among other things, their full legal company name and organization ID. For companies in the European Economic Area (EEA) or Switzerland, the location must also be specified.

2. Select the OpenAI entity: Companies in the EU should select OpenAI Ireland Ltd. as their contracting party.

3. Provide contact details for signing: The email address and position of the person signing the DPA on behalf of the company must be provided.

4. Review and accept the DPA: After submitting the form, the parties involved will receive an email request to review and electronically accept the agreement. This email will contain a link to the digital platform where the contract can be viewed and signed. Once signed electronically, both parties receive confirmation and access to a saved, digitally signed PDF copy of the DPA. The DPA becomes legally binding as soon as it is accepted by the company. The DPA received by email should then be stored in a suitable location in order to be able to prove compliance with data protection requirements (Art. 5, 28 GDPR).


Does OpenAI's DPA meet the requirements of Art. 28 GDPR?

According to Art. 28 GDPR, clients have the obligation to audit their service providers. The risk of the processing activity in question must be taken into account. Factors such as the type of customer data processed play a role in the risk assessment. The higher the risk to the rights and freedoms of natural persons, the stricter the requirements for the contractual provisions in the DPA should be (“risk-based audit approach”).

We have examined OpenAI's DPA with regard to the requirements of Art. 28 GDPR as an example. This examination serves as a reference for similar assessments and can generally be used as a template for your own assessments within the scope of Art. 28 GDPR. The examination should be adapted individually, taking into account the specific risks of the respective project. You can download the template with the table at the end of this article.


Add the use of the GPT API to the privacy policy

The controller must make data processing using OpenAI services transparent to its users (information obligations). This is regularly done by means of privacy policies.

In this case, however, it is not sufficient for the controller to merely refer to OpenAI's privacy policy. Rather, the controller must independently provide information on how and for what purposes the user's data is processed by the controller and its processors, how long it is stored and when it is deleted.

It is also necessary to make it clear to users how they can exercise their rights as data subjects. In addition, it must be determined between the controllers and OpenAI how compliance with the rights of data subjects can be ensured for service providers such as OpenAI. A sample formulation for the corresponding processing activity in the privacy policy of a company using the GPT API can be found here:

Example data protection notice for integrating the GPT API in the customer chatbot

  • Type and purpose of processing:

Our website uses a customer chatbot powered by OpenAI's GPT API to efficiently and interactively process your requests. When you use the chatbot, the following types of personal data may be processed: text input in the chat that contains information about your request, and technical data such as IP address and usage times. This data is needed to understand your requests, respond appropriately, and improve our service.

  • Legal basis:

The use of the GPT API in the context of our customer chatbot and the associated data transfer to OpenAI are based on Art. 6 para. 1 lit. b GDPR (processing of your requests) and Art. 6 para. 1 lit. f GDPR (our legitimate interest in improving our customer service).

  • Data erasure:

The data collected in connection with the use of our customer chatbot will only be stored by us for as long as is necessary to process your requests and for the duration of the customer relationship. Your data will be automatically deleted no later than three years after it has been collected.

  • Transfer to third parties and place of processing:

OpenAI is commissioned in accordance with Art. 28 GDPR in conjunction with a corresponding data processing agreement. OpenAI acts as a processor bound by instructions and does not use the transmitted data for its own purposes. Your personal data will be passed on to OpenAI Ireland Ltd, the provider of the GPT API, and its affiliated companies. It is possible that this may also include a data transfer to affiliated companies of OpenAI Ireland Ltd. in the USA. In this regard, we refer to the “Data processing addendum” of OpenAI https://openai.com/policies/data-processing-addendum/.


Data protection impact assessment (DPIA) and data security

If the data processing associated with using the ChatGPT API entails high risks for the data subjects, a data protection impact assessment (DPIA) must be carried out (Art. 35 GDPR).

The body of German data protection authorities (Datenschutzkonferenz - DSK) has published a so-called positive list of processing activities for which a DPIA is mandatory. Of particular relevance here are point 11 of the list (customer support using artificial intelligence) and point 13 (telephone conversation evaluation using algorithms).

The purposes for which the service is to be used are crucial for the legal assessment. If, for example, the chatbot is integrated into the customer support of a health insurance company and health data is processed, a DPIA would be required in any case. However, a DPIA may also be necessary for less sensitive data if the procedure as a whole entails a high risk.

The aim of the DPIA is to identify and assess the risks for the data subjects in a structured manner and to determine how these risks can be addressed and reduced to an acceptable level using technical and organizational measures.


Use of the GPT API via Azure Cloud (Microsoft)

The integration of OpenAI models into the Azure Cloud infrastructure via Microsoft's Azure OpenAI offers interesting opportunities for companies. Users gain access to extensive AI models such as GPT-4 and DALL-E via REST API, which integrates the functionalities of OpenAI into the Azure cloud platform.

Azure OpenAI offers two billing models: Firstly, usage-based billing (“on-demand”), where costs are incurred according to actual usage, and secondly, billing based on throughput capacity provided in advance (Provisioned Throughput Units, “PTUs”), which reserve a fixed amount of resources.

As the integration of OpenAI is part of Microsoft's preview functions, the extended terms of use (“Terms of Use”) for preview functions apply to the use of Azure OpenAI.

Microsoft also offers a guide to data, data protection and security. According to these documents, the possible uses of the data are regulated restrictively: Customer data is not accessible to other customers or to OpenAI and may not be used to improve OpenAI models or Microsoft products. However, there is the option to use your own data for training or individual fine-tuning of your own models.

Data transmitted to Microsoft during the use of Azure OpenAI is processed for content generation, creation of individual models and abuse monitoring. Microsoft emphasizes that customer data and generated content is stored to monitor and prevent misuse, with content including prompts being stored on special servers for 30 days.

If misuse is detected by the monitoring system, the data is flagged and EU support staff decide on the next steps. Customers can object to data storage using a Microsoft form, but must submit a request that has to be approved by Microsoft.

It is important to note that data integrated via Azure OpenAI is not stored at OpenAI, but on Microsoft's Azure cloud servers. For users in the EU, this means that their data is processed on EU servers; the data residency principle is intended to ensure that this data is not transferred to third countries.


Conclusion

Despite the growing regulatory attention and the discussions about bans and risks, it is clear that the integration of AI-based services is possible in accordance with the data protection requirements of the GDPR. This finding underlines the importance of proactively monitoring technological and legal developments in order to be able to react to new regulatory requirements in a timely manner.

Data protection measures and compliance

OpenAI's Data Processing Addendum (DPA) provides a basis that meets the essential requirements of the GDPR. However, certain ambiguities remain (in particular with regard to the general reference to subcontractors and the possibility of data transfer to the US).

The actions of the data protection authorities should therefore be monitored. For companies planning to use OpenAI services, it is advisable to strategically consider data protection aspects from the outset (privacy by design). Implementing basic data protection practices enables the legally compliant use of OpenAI services in accordance with Art. 28 GDPR, especially when using the GPT API in products and services.

The steps required under data protection law include:

  • Verifying the service provider and entering into a data processing agreement.
  • Updating the directory of processing activities.
  • Creating or revising the privacy policy.
  • Conducting a data protection impact assessment (if necessary).

Integration with Azure Cloud and future availability

The use of OpenAI models via Azure OpenAI is another option for companies that already use Microsoft's Azure cloud services. This integration can help to minimize certain data protection risks, particularly those associated with the transfer of data to third countries. However, given the current limited availability of Azure OpenAI, it is unclear when this option will be available to a wider user base.

Recommendations

In view of the careful scrutiny by data protection authorities, it is advisable to involve data protection officers in the use of OpenAI services at an early stage. In addition, it may be beneficial to consult the expertise of lawyers specializing in data protection for specific issues.

This strategy not only ensures compliance with applicable data protection regulations, but also strengthens the company's position with regard to future changes in data protection law. It also helps to prepare the company for possible audits by data protection authorities and to proactively manage potential risks when using AI technologies.



Support from Simpliant

The integration of AI technologies such as the OpenAI API holds great potential, but also presents companies with significant data protection challenges. Simpliant focuses on helping you to integrate AI language models such as GPT into your business processes in a data protection-compliant manner. If you need support in overcoming the complex data protection challenges in the AI sector, please contact us via our contact form.


Downloads

Simpliant Template - Contract review DPA OpenAI Ireland

This template is designed for reviewing the Data Processing Agreement (DPA) with OpenAI Ireland.



© 2019 - 2025 Simpliant