
OpenAI (EU)

OpenAI

Compliant · EU: Available · No Training · 30 Days · Multi-region

Business Plan Price: €25-30/seat
Enterprise Features: EU inference + storage residency, ZDR, admin controls
Last Updated: March 23, 2026

Data Security & GDPR Compliance for OpenAI Models

Version: March 2026 - prepared by WAIMAKERS B.V.

1 Purpose

This concise report provides an at-a-glance insight into how different ChatGPT subscriptions and the OpenAI API process personal data in relation to the European General Data Protection Regulation (GDPR).

2 Comparison of versions

| Plan | GDPR‑compliant? | EU data‑residency | Primary processing / storage | Retention | Guide price* | DPA / policy‑quote |
|---|---|---|---|---|---|---|
| Free / Plus | ⚠️ Limited for business | ❌ No | Global processing; storage primarily in OpenAI infrastructure (incl. U.S.) | Not explicitly defined; history persists unless deleted | Plus: €23 / month (incl. NL 21% VAT; VAT rate varies by country) | "By default, business data is not used for training; consumer plans can opt out." [A] |
| ChatGPT Business (renamed from Team on Aug 29, 2025) | ✅ Yes | ❌ No (no EU‑only option yet) | OpenAI‑operated infra (incl. U.S.); OpenAI Ireland Ltd. is contracting entity for EEA/CH customers | "End users control chat retention; deleted or unsaved conversations are removed within 30 days (unless legally required)." | €30 / seat / month (monthly) or €25 / seat / month (annual) - excl. VAT | "We do not train on your business data by default."; DPA available. [B][C][D] |
| ChatGPT Enterprise / Edu | ✅ Yes | ✅ Yes (EU at‑rest + EU inference residency since Jan 2026) | EU data residency available (customer content stored at rest in Europe); inference now also processed in EU for new Enterprise/Edu/Healthcare workspaces (Jan 2026) | Admin‑configurable; deleted conversations removed in ≤30 days (unless legally required) | Custom (EUR) | "New ChatGPT Enterprise and Edu customers can choose to have customer content stored at rest in Europe." EU inference residency: Jan 2026. [E][F] |
| OpenAI API (Business/Edu) | ✅ Yes | ✅ Yes (API projects can be set to Europe) | When EU data residency is enabled, requests are handled in‑region with Zero Data Retention (ZDR) by default; otherwise standard global processing | Defaults to 7 days (reduced from 30); ZDR available for eligible endpoints/use‑cases | Usage‑based - listed in USD on openai.com; billed to EU accounts in EUR per Multi‑currency FAQ [L] (e.g., $0.05 / 1M input tokens on GPT‑5 nano) | "We may retain API inputs/outputs up to 30 days; ZDR available"; "Eligible customers can opt to store and process data within Europe." [G][H][I] |

* Guide prices based on publicly available information as of March 2026. EU VAT handling varies by plan and company VAT status.

Notes

  • Team → Business rename (no change to features/limits/pricing): OpenAI renamed ChatGPT Team to ChatGPT Business on Aug 29, 2025. [J]
  • Data residency scope: For ChatGPT, data residency currently applies to Enterprise and Education workspaces (not Business). Regions include Europe and others. [F]
  • Currency & VAT: ChatGPT subscriptions for EU customers are charged in EUR; consumer Plus typically shows €23/month incl. VAT in NL. Business seats display €25/€30 excl. VAT; VAT may be exempt with a valid VAT ID. API pricing is published in USD; EU invoices settle in EUR per OpenAI’s multi‑currency billing. [A][B][L]
  • New DPA (Jan 1, 2026): OpenAI’s updated DPA includes an anonymised data carve-out and enhanced audit rights. Enterprise customers should review the updated terms.
  • Credit pack / flexible pricing: ChatGPT Business supports credit pack top-ups for overflow usage beyond seat allowances.
  • Data residency geography: OpenAI data residency now covers 10+ countries including UK, US, Japan, Canada, and others in addition to the EU.
  • Stargate EU: OpenAI announced a data center partnership in Norway (Stargate programme) for expanded EU inference capacity.
  • Regulatory: Italy’s Garante fined OpenAI €15M (Dec 2024). The EDPB issued an Art. 64 opinion on AI model training (2025). The Irish DPC is the lead supervisory authority for OpenAI in Europe.

5 Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) of AI models they wish to deploy within their organisation and to explicitly ensure that personal data is processed securely. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation (see https://www.waimakers.com/en/privacy). Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use - especially when (special categories of) personal data are processed. WAIMAKERS cannot be held legally liable for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS - March 2026.


References

  • https://openai.com/enterprise-privacy - OpenAI Enterprise Privacy
  • https://openai.com/index/introducing-data-residency-in-europe - OpenAI Data Residency in Europe
  • https://help.openai.com/en/articles/9985383-data-residency-for-chatgpt - Data Residency for ChatGPT (incl. EU inference residency, Jan 2026)
  • https://help.openai.com/en/articles/10124943-data-residency-for-the-openai-api - Data Residency for the OpenAI API
  • https://openai.com/policies/data-processing-addendum - OpenAI DPA (updated Jan 1, 2026; anonymised data carve-out, enhanced audit rights)
  • platform.openai.com - OpenAI API Documentation
  • https://www.garanteprivacy.it/ - Italy Garante €15M fine on OpenAI (December 2024)
  • https://www.edpb.europa.eu/ - EDPB Art. 64 Opinion on AI model training and personal data (2025)

Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying OpenAI services in production environments - especially when personal data or proprietary business information are processed. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - March 2026.
