OpenAI OpCo LLC: Non-compliance with general data processing principles

The Italian DPA has imposed a fine of EUR 15 million on OpenAI in connection with the operation of the generative AI chatbot “ChatGPT”. The DPA found that OpenAI had violated provisions of the GDPR, inter alia, by failing to notify the DPA of a data breach that occurred in 2023, by using users' personal data to train ChatGPT without providing a valid legal basis for such processing, and by violating the principle of transparency. Additionally, OpenAI did not implement age verification, potentially risking exposure of children under 13 to inappropriate content. Furthermore the DPA ordered OpenAI to carry out a six-month public information campaign to educate users on how ChatGPT processes data and how they can exercise their GDPR rights.

GDPR Articles: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 32 GDPR
Industry: Media, Telecoms and Broadcasting