ChatGPT (OpenAI)
OpenAI
Status badges are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.
Pricing / Contract Route: Guide pricing; verify by region and plan
Enterprise Features: ChatGPT/API residency for eligible configurations, inference residency where supported, approved abuse-monitoring/ZDR controls, admin controls
Last Updated: June 23, 2026
Data Security & GDPR Compliance for OpenAI Models
Version: June 2026 - prepared by WAIMAKERS B.V.
1 Purpose
This concise report gives an at-a-glance overview of how the different ChatGPT subscriptions and the OpenAI API process personal data under the European General Data Protection Regulation (GDPR).
2 Comparison of versions
| Plan | GDPR‑compliant? | EU data‑residency | Primary processing / storage | Retention | Guide price* | DPA / policy‑quote |
|---|---|---|---|---|---|---|
| Free / Plus | ⚠️ Limited for business | ❌ No | Global processing; storage primarily in OpenAI infrastructure (incl. U.S.) | Not explicitly defined; history persists unless deleted | Plus: €23 / month (incl. NL 21% VAT; VAT rate varies by country) | "Consumer plans (Free/Plus) are used for training by default; users must opt out via Data Controls > 'Improve the model for everyone.' Business/Enterprise/API data is not used for training by default." [A] |
| ChatGPT Business (renamed from Team on Aug 29, 2025) | ✅ Yes | ❌ No (no EU‑only option yet) | OpenAI‑operated infra (incl. U.S.); OpenAI Ireland Ltd. is contracting entity for EEA/CH customers | "End users control chat retention; deleted or unsaved conversations are removed within 30 days (unless legally required)." | $25 / seat / month (monthly) or $20 / seat / month (annual) - excl. VAT (USD list price; EU accounts billed in EUR at conversion) | "We do not train on your business data by default."; DPA available. [B][C][D] |
| ChatGPT Enterprise / Edu | ✅ Yes | ✅ Yes (regional at-rest + inference residency where supported) | Data residency available for Europe, US, UAE and other storage regions; inference residency currently available for Europe and the US when enabled for eligible workspaces | Admin‑configurable; deleted conversations removed in ≤30 days (unless legally required) | Custom (EUR) | "Data residency and inference residency for ChatGPT" now define storage regions, inference regions, and excluded features. [E][F] |
| OpenAI API (Business/Edu) | ✅ Yes | ✅ Yes (eligible API projects/endpoints) | API residency is eligibility-, project-, and endpoint-dependent; OpenAI says non-US residency requires approval for abuse-monitoring controls and a Zero Data Retention (ZDR) amendment | Abuse monitoring logs may include customer content and are retained up to 30 days by default; ZDR/MAM available only for approved eligible use cases/endpoints | Usage‑based - listed in USD on openai.com; billed to EU accounts in EUR per Multi‑currency FAQ [L] (e.g., $0.05 / 1M input tokens on GPT‑5 nano) | "API inputs/outputs may be retained up to 30 days by default; ZDR/MAM and residency require eligibility and approval." [G][H][I] |
\* Guide prices are based on publicly available information as of June 2026. EU VAT handling varies by plan and company VAT status.
Notes
- Team → Business rename (no change to features/limits/pricing): OpenAI renamed ChatGPT Team to ChatGPT Business on Aug 29, 2025. [J]
- Data residency scope: For ChatGPT, data residency currently applies to eligible Enterprise and Education workspaces (not Business). Supported storage regions include Europe, the US, UAE, UK, Canada, India, Japan, Singapore, South Korea, and Australia; inference residency is currently available for Europe and the US. External integrations such as Apps/MCP, web search, and some metadata/processing steps remain outside the residency guarantee. [F]
- Currency & VAT: ChatGPT subscriptions for EU customers are charged in EUR; consumer Plus typically shows €23/month incl. VAT in NL. Business seats are listed by OpenAI in USD ($20/$25) excl. VAT and billed to EU accounts in EUR at conversion; VAT may be exempt with a valid VAT ID. API pricing is published in USD; EU invoices settle in EUR per OpenAI’s multi‑currency billing. [A][B][L]
- New DPA (Jan 1, 2026): OpenAI’s updated DPA includes an anonymised data carve-out and enhanced audit rights. Enterprise customers should review the updated terms.
- Credit pack / flexible pricing: ChatGPT Business supports credit pack top-ups for overflow usage beyond seat allowances.
- Data residency geography: OpenAI data residency now covers 10+ countries including UK, US, Japan, Canada, and others in addition to the EU.
- Stargate Norway: OpenAI announced a data center partnership in Norway (Stargate programme, Narvik) for expanded European compute capacity; note Norway is in the EEA, not the EU, the facility is still being built out, and this is infrastructure rather than a ChatGPT/API data- or inference-residency guarantee.
- Regulatory: Italy’s Garante fined OpenAI €15M (Dec 2024); the Court of Rome upheld OpenAI's appeal and overturned the fine in March 2026. The EDPB issued an Art. 64 opinion on AI model training (Dec 2024). The Irish DPC is the lead supervisory authority for OpenAI in Europe.
5 Disclaimer
This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) of AI models they wish to deploy within their organisation and to explicitly ensure that personal data is processed securely. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation (see https://www.waimakers.com/en/privacy). Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use - especially when (special categories of) personal data are processed. WAIMAKERS cannot be held legally liable for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.
Prepared and issued by WAIMAKERS - June 2026.
References
- https://openai.com/enterprise-privacy - OpenAI Enterprise Privacy
- https://openai.com/index/introducing-data-residency-in-europe - OpenAI Data Residency in Europe
- https://help.openai.com/en/articles/9903489-data-residency-for-chatgpt - Data residency and inference residency for ChatGPT
- https://help.openai.com/en/articles/10124943-data-residency-for-the-openai-api - Data Residency for the OpenAI API
- https://openai.com/policies/data-processing-addendum - OpenAI DPA (updated Jan 1, 2026; anonymised data carve-out, enhanced audit rights)
- https://platform.openai.com - OpenAI API Documentation
- https://www.garanteprivacy.it/ - Italy Garante €15M fine on OpenAI (December 2024)
- https://www.edpb.europa.eu/ - EDPB Art. 64 Opinion on AI model training and personal data (Opinion 28/2024, December 2024)