OpenAI API GDPR Compliance for German Businesses: DPA and AVV Guide
OpenAI offers a Data Processing Agreement (DPA) for API customers. German businesses using the OpenAI API must sign this DPA — which serves as the Auftragsverarbeitungsvertrag (AVV) required under Article 28 DSGVO — before processing any personal data through OpenAI endpoints. The API covers GPT-4o, GPT-4, GPT-3.5, Whisper, DALL-E, and the Assistants API. Data is processed on OpenAI’s US-based infrastructure, requiring Standard Contractual Clauses for EU-US transfers. API inputs and outputs are not used for model training by default. Enterprises with stricter data residency requirements should evaluate ChatGPT Enterprise or Azure OpenAI Service, which offer EU-region processing options.
Does OpenAI Have a Data Processing Agreement for the API?
Yes. OpenAI provides a Data Processing Addendum (DPA) for API customers, available directly through your OpenAI account settings or through an enterprise agreement with OpenAI sales. The DPA covers all API services and governs OpenAI’s role as a data processor on your behalf.
Key terms of the OpenAI API DPA:
- Processor designation: OpenAI acts as your data processor. You act as the data controller and are responsible for determining lawful bases and informing data subjects.
- No training on API data: API inputs and outputs are not used to train OpenAI models by default. This is a key distinction from the consumer ChatGPT product, where data may be used for training unless users opt out.
- Standard Contractual Clauses: The DPA incorporates EU SCCs (Commission Implementing Decision 2021/914) for transfers of personal data from the EU/EEA to OpenAI’s US infrastructure.
- Sub-processor list: OpenAI publishes and maintains a list of sub-processors, including Microsoft Azure (the primary cloud infrastructure provider). Customers receive notice of sub-processor changes.
- Data retention: API data is retained for a limited period for abuse monitoring and then deleted. Zero Data Retention (ZDR) options are available for some models through enterprise agreements — under ZDR, inputs and outputs are not stored after the API response is returned.
The DPA must be in place before you process any personal data via the API. Processing EU personal data without an Article 28 DSGVO-compliant data processing agreement is a violation that supervisory authorities can fine.
OpenAI API AVV for Germany (Auftragsverarbeitungsvertrag)
Under German and EU data protection law, any company that instructs a service provider to process personal data on its behalf must enter into an Auftragsverarbeitungsvertrag (AVV) — the German term for a data processing agreement under Article 28 GDPR.
The OpenAI DPA functions as the AVV for German businesses using the API. Steps to establish a compliant AVV:
- Accept the OpenAI Data Processing Addendum through your OpenAI account settings under Usage Policies → Data Controls, or negotiate a signed DPA for enterprise API contracts.
- Confirm SCCs are included: The DPA must incorporate EU Standard Contractual Clauses (Controller-to-Processor, Module 2) for the EU-US data transfer. Verify the version matches the current Commission Decision.
- Update your processing register: Add OpenAI as a processor in your Verzeichnis von Verarbeitungstätigkeiten (Article 30 DSGVO) for each API-based processing activity.
- Review sub-processors: OpenAI’s primary sub-processor is Microsoft Azure. Review the full sub-processor list on OpenAI’s website and assess whether any sub-processor raises additional risk concerns.
- Update privacy notices: Your employee and customer-facing privacy notices must disclose that personal data may be processed by OpenAI as a processor, including the international transfer to the US.
Data Residency: Where Does OpenAI Process Your API Data?
Standard OpenAI API requests are processed on Microsoft Azure infrastructure in the United States. There is no EU-region option for the standard OpenAI API. This creates a mandatory EU-US data transfer subject to Chapter V GDPR obligations (covered by the SCCs in the OpenAI DPA).
Organizations with strict data residency requirements have two alternatives:
Azure OpenAI Service: Microsoft offers OpenAI models (GPT-4, GPT-3.5, etc.) through Azure, with the ability to select EU data center regions (e.g., Sweden Central, West Europe). Data processed through Azure OpenAI in a European region does not leave the EU. The DPA is then with Microsoft (Azure’s Data Processing Agreement), not OpenAI. This is the preferred option for organizations in regulated sectors — banking, insurance, healthcare — that require EU data localization.
ChatGPT Enterprise: OpenAI’s enterprise product includes a DPA with enhanced terms, an option for EU data processing, and additional controls. ChatGPT Enterprise is primarily a chat interface, not an API — but it can be relevant for business use cases that do not require direct API integration.
For most German startups and SMEs using the standard API, the SCCs in the OpenAI DPA provide the required EU-US transfer mechanism. Documented reliance on the SCCs, combined with a Transfer Impact Assessment (TIA) where required, is the standard approach.
OpenAI API vs. ChatGPT Enterprise — Compliance Differences
| Feature | OpenAI API | ChatGPT Enterprise |
|---|---|---|
| DPA / AVV available | Yes (API DPA) | Yes (Enterprise DPA) |
| Data used for training | No (default) | No |
| EU data processing option | No (Azure US) | Yes (via enterprise) |
| Zero Data Retention option | Yes (enterprise) | Yes |
| Sub-processor SCCs | Yes | Yes |
| SAML SSO / Access controls | No | Yes |
| Suitable for regulated sectors | With Azure OpenAI | Better fit |
If your use case involves processing sensitive personal data — health records, financial data, HR records — and EU data localization is a hard requirement, Azure OpenAI Service (not the standard OpenAI API) is the more defensible choice under German data protection law.
Using OpenAI API in Germany: EU AI Act Implications
The OpenAI API provides access to General-Purpose AI (GPAI) models — primarily GPT-4o, GPT-4, and GPT-3.5. Under the EU AI Act (Regulation (EU) 2024/1689), GPAI models placed on the EU market are subject to transparency and documentation requirements. OpenAI, as the GPAI model provider, bears these obligations — not the API customer directly.
However, as a deployer of the API, German businesses must:
- Classify the risk level of their specific application. An internal FAQ chatbot is limited risk; an automated decision system affecting employees or customers may be high risk.
- Implement human oversight where outputs of the AI system influence significant decisions.
- Disclose AI interaction to users when they interact directly with an AI-generated interface (Article 52 EU AI Act).
- Document use cases that fall within the high-risk categories listed in Annex III of the AI Act, which include systems used in employment, education, essential services, and law enforcement.
Most API-based productivity tools, code assistants, content generation, and search applications fall under limited or minimal risk under the AI Act. More complex use cases — automated CV screening, AI-assisted credit scoring, predictive HR analytics — require a full conformity assessment and registration before deployment.
Checklist for GDPR-Compliant OpenAI API Integration
- DPA/AVV accepted: OpenAI Data Processing Addendum accepted via account settings or signed enterprise agreement
- SCCs confirmed: EU Standard Contractual Clauses (Module 2) incorporated in DPA for US data transfers
- Sub-processor list reviewed: OpenAI’s sub-processor list reviewed; Microsoft Azure noted as primary processor
- Processing register updated: OpenAI API added to Art. 30 DSGVO register for each relevant processing activity
- Legal basis documented: Art. 6(1) lawful basis identified for each API use case (b — contract, f — legitimate interest, a — consent where required)
- Privacy notices updated: Customer- and employee-facing notices disclose API-based processing and US data transfer
- Zero Data Retention assessed: Evaluated whether ZDR is needed for sensitive use cases; enterprise agreement in place if required
- Azure OpenAI evaluated: If EU data residency required, Azure OpenAI Service assessed as an alternative
- AI Act classification done: Use case risk level assessed under EU AI Act Annex III categories
- DPIA conducted: If processing is high risk under Art. 35 DSGVO (large-scale, special category, or automated decision-making)
- Works council consulted: Betriebsrat notified if the API tool affects employee work processes under §87 BetrVG
- Prompt security review done: API prompts reviewed to ensure personal data minimization — do not include unnecessary personal data in prompts
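The last checklist item (data minimization in prompts) can be enforced technically rather than only by review: direct identifiers are swapped for placeholders before the prompt leaves your environment, the placeholder map stays on-premises, and the model's answer is re-identified locally. The following is an added example, not OpenAI code; the regex patterns, the sample prompt and the function names are constructed for illustration, and pattern matching covers only structured identifiers (names in free text still need a manual or NER-based check).

```python
"""Prompt data-minimization gate (added example, not OpenAI code).

Pseudonymizes structured identifiers before a prompt is sent to a processor,
keeps the mapping locally, and restores the values in the returned answer.
"""
import re

# Constructed, illustrative patterns for identifiers common in German business data.
# Order matters: IBAN runs before PHONE so digit groups inside an IBAN are not
# mistaken for a phone number.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IBAN": re.compile(r"\bDE\d{2}(?: ?\d{4}){4} ?\d{2}\b"),
    "PHONE": re.compile(r"(?:\+49|0)[1-9](?:[ -]?\d){6,12}"),
}

def pseudonymize(prompt):
    """Return (minimized_prompt, mapping). mapping maps placeholder -> original
    value and must never be sent to the processor; repeats get the same token."""
    mapping, seen, counts = {}, {}, {}
    minimized = prompt
    for kind, pattern in PATTERNS.items():
        def repl(match, kind=kind):
            value = match.group(0)
            if value not in seen:
                counts[kind] = counts.get(kind, 0) + 1
                seen[value] = f"<{kind}_{counts[kind]}>"
                mapping[seen[value]] = value
            return seen[value]
        minimized = pattern.sub(repl, minimized)
    return minimized, mapping

def is_minimized(prompt):
    """Gate check: True only if no identifier pattern still matches."""
    return not any(p.search(prompt) for p in PATTERNS.values())

def reidentify(response, mapping):
    """Restore original values in the model output, on the controller's side."""
    for token, value in mapping.items():
        response = response.replace(token, value)
    return response

# Constructed sample prompt containing three identifiers.
SAMPLE_PROMPT = ("Customer Anna Beispiel (anna.beispiel@example.de, IBAN "
                 "DE89 3704 0044 0532 0130 00, Tel. 0171 2345678) asks why "
                 "her invoice was rejected. Draft a reply.")

if __name__ == "__main__":
    safe, table = pseudonymize(SAMPLE_PROMPT)
    assert is_minimized(safe)
    print(safe)                         # what actually leaves your environment
    print(reidentify("We will contact you at <EMAIL_1>.", table))
```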
Compound Law advises German businesses on OpenAI API deployments: DPA review, Transfer Impact Assessments, DPIA preparation, and AI Act compliance. See our compliance services for details.
For related guidance, see our guides on OpenAI Whisper GDPR compliance and the AI Act compliance hub.
Frequently Asked Questions
Does OpenAI have a Data Processing Agreement (DPA) for the API?
Yes. OpenAI provides a Data Processing Addendum for API customers, available through your OpenAI account settings. The DPA designates OpenAI as a data processor, incorporates EU Standard Contractual Clauses for EU-US data transfers, and confirms that API data is not used for model training. For German businesses, this DPA functions as the Auftragsverarbeitungsvertrag (AVV) required under Article 28 DSGVO. It must be accepted before any personal data is processed via the API.
Is the OpenAI API GDPR compliant?
The OpenAI API can be used in a GDPR-compliant manner, but compliance depends on how you configure and use it. You must have a signed DPA with OpenAI, document a lawful basis for processing, update your privacy notices to disclose the API use and US data transfer, and add OpenAI to your Article 30 processing register. OpenAI itself does not certify GDPR compliance — your organization’s implementation determines whether use is lawful under the DSGVO.
What is the OpenAI API AVV in Germany?
The OpenAI Data Processing Addendum functions as the Auftragsverarbeitungsvertrag (AVV) required under Article 28 DSGVO for German businesses using the API. It sets out the subject matter, duration, nature, and purpose of the processing, the type of personal data involved, and the categories of data subjects, as required by Art. 28(3) DSGVO. You can accept it through your OpenAI account portal or negotiate a custom signed version for enterprise contracts.
Does OpenAI process API data in the EU?
Standard OpenAI API requests are processed on Microsoft Azure infrastructure in the United States, not in the EU. The OpenAI DPA includes Standard Contractual Clauses to cover this EU-US transfer. If EU data residency is a hard requirement for your organization, consider Azure OpenAI Service, which allows you to select European Azure regions (e.g., Sweden Central) and process data entirely within the EU under a Microsoft DPA.
Do I need a works council agreement to use the OpenAI API?
If you deploy the OpenAI API in a way that affects how employees work — for example, an AI writing assistant, code assistant, or internal search tool — the Betriebsrat may have co-determination rights under §87(1) No. 6 BetrVG. Any technical system that monitors employee behavior or performance, or significantly changes work processes, requires prior works council involvement. Consult your Betriebsrat before rolling out API-based tools to employees, and consider concluding a Betriebsvereinbarung governing acceptable use, data access, and monitoring limitations.