ChatGPT: What about your personal data?

ChatGPT, OpenAI’s generative AI, has become the most popular chatbot since its launch in November 2022. This AI is based on a deep learning model, which involves the massive processing of data to improve the quality of the algorithm[1].
This article aims to clarify the practices related to the collection and processing of personal data by artificial intelligence (“AI” hereafter) systems.
OpenAI offers several subscription plans, including a free version with limited access and paid options offering more complete features, as well as two specific versions (Team and Enterprise). These last two versions will not be addressed in this article and will be the subject of another specific post.
Privacy policy applicable to ChatGPT users
For European users, ChatGPT offers a common privacy policy for the three public versions.
What personal data are processed?
Data directly provided by users:

| Categories | Examples |
|---|---|
| Account-related information | Name, contact information, account identifiers, date of birth, payment information and transaction history |
| User inputs | Prompts and other content provided by users (files, images, audio) |
| Communication data | Information collected when users communicate with OpenAI via email or social media |
| Other information | Information provided by users when participating in events, surveys, or to verify their identity (age, …) |
Data indirectly collected by ChatGPT:

| Type of data | Examples |
|---|---|
| Connection data | IP address, browser settings |
| Usage data | Features used, time zone, country, access time |
| Device information | Device name, operating system |
| Location data | Geographical area |
For what purposes does ChatGPT process our personal data?
OpenAI processes personal data in connection with the use of its services, notably to ensure their proper functioning, improve its models, communicate with users, prevent abuse, or comply with certain legal obligations.
To this end, the company states that it relies on several legal bases, such as contract performance (e.g., processing user queries), legitimate interest (e.g., service improvement or system security), and compliance with legal obligations. In some cases, processing is also based on consent, especially for certain marketing communications.
OpenAI specifies that the data used to train its models comes from freely available sources on the Internet, excluding data from illegal channels such as the “dark web.” Furthermore, the company asserts that it does not create a dedicated training database and does not use data for profiling or commercial prospecting purposes. Technical safeguards, such as pseudonymization or data aggregation, are implemented to limit risks to the rights and freedoms of data subjects.
In addition, several mechanisms are offered to users: an opt-out system allows opposition to the use of data for model training, and a “temporary chats” feature offers the ability to interact without conversations being retained or used for that purpose (subject to a 30-day temporary retention for security purposes).
However, these safeguards were not sufficient to convince the Italian supervisory authority (“the Garante” hereafter). Following an investigation opened in March 2023[1], the Garante identified several GDPR violations, including the lack of an appropriate legal basis for processing personal data for model training purposes, insufficient and unclear information for users, and the absence of an age verification mechanism. Moreover, the company did not notify the authority of the data breach that occurred in March 2023.
On this basis, the Garante[2] imposed a €15 million fine on OpenAI, along with the obligation to implement a six-month information campaign to raise public awareness about how their data may be used for AI training and to inform them of their rights, including the rights to object, rectify, and delete data.
What about the rights of European users?
Regarding user rights, OpenAI states in its privacy policies that it guarantees European users all the rights of data subjects provided by the GDPR, such as the right of access, rectification, and objection.
Users can exercise their rights directly through their account settings, but for more detailed requests, they can contact the company directly.
Regarding data accuracy, OpenAI specifies that it cannot guarantee the accuracy of data but allows users to request the correction or deletion of inaccurate data via the OpenAI privacy portal.
Nevertheless, during the first half of 2023[1], several complaints were filed with the CNIL, the French data protection authority. These complaints notably followed a lack of response to an access request and the provision of inaccurate information concerning a data subject.
Is ChatGPT currently GDPR compliant?
OpenAI is increasingly aiming to comply with European requirements regarding personal data protection.
This effort has intensified following several disputes with supervisory authorities, which prompted the company to revise some of its practices. As a reminder, in March 2023[1], the Garante temporarily suspended access to ChatGPT in Italy due to identified GDPR breaches.
Despite efforts made, shortcomings remain in terms of compliance. Privacy information is still scattered across several web pages, making it unintuitive for users to consult. Furthermore, except for the user privacy policy, most content, including the chatbot provided to answer questions, is only available in English. This lack of full translation is a real obstacle to the effective exercise of data subjects’ rights and understanding of the data processing involved.
In March 2025, the data protection NGO NOYB filed a complaint in Norway[2] concerning defamatory hallucinations generated by the system. These new reports reflect ongoing concerns about the respect of fundamental rights in the development of generative artificial intelligence.
Best practices
OpenAI has increased efforts to comply with the GDPR, notably by strengthening transparency and user control.
However, each user has an active role to play to ensure responsible use of these tools.
Regardless of which ChatGPT version you use, here are some essential recommendations:
- Configure your privacy settings
If you use the free, “Pro,” or “Plus” version of ChatGPT, check your settings and do not allow your data to be used to train the AI and/or activate “Temporary Chats” when desired.
- Limit the input of personal data and never share sensitive data
Avoid sharing personal data in queries sent to ChatGPT.
- Verify ChatGPT’s answers
ChatGPT responses may be incorrect, so it’s advisable to cross-check with multiple sources.
- Anonymize your data
Secure the data you exchange with ChatGPT (anonymization, pseudonymization if necessary).
- Keep a record of processing activities
Include the use of ChatGPT in your record of data processing activities.
- Choose the offer that suits your needs
Whether it’s the free, “Pro,” “Plus,” “Team,” or “Enterprise” options, choose the one that best fits your needs in terms of data security and control.
- Stay informed
Train yourself and your teams on best practices in data protection.
- AI policy (employers)
Define authorized uses, oversee personal data processing, and ensure GDPR compliance. This policy should provide clear rules, risk management procedures, and, if necessary, a Data Protection Impact Assessment (DPIA). It strengthens legal security and user trust.
4. Le Monde, « ChatGPT : premières plaintes auprès de la CNIL contre le logiciel d’intelligence artificielle », 5 April 2023, available at https://www.lemonde.fr/
5. See above, n° 2.
6. NOYB, « AI hallucinations: ChatGPT created a fake child murderer », 20 March 2025, available at www.noyb.eu
About us
CTI CONSULTING helps organizations use digital with impact, integrity and efficiency.
Our multidisciplinary team of consultants supports you to design, acquire, integrate and use digital tools in an effective and responsible manner.