OpenAI L.L.C. (the Controller) – Violation Found (Italy, 2023)
OpenAI L.L.C. is working with the Italian data protection authority to improve privacy measures for its ChatGPT service. The authority wants OpenAI to implement tools that help users understand how their data is used and allow them to manage their privacy rights. This collaboration shows the importance of transparency and user control in data processing.
What happened
OpenAI is cooperating with the Italian DPA to enhance privacy measures for its ChatGPT service.
Who was affected
Users of ChatGPT, particularly those in Italy, whose data is used to train the service's algorithms.
What the authority found
The DPA indicated it would reconsider its temporary limitations on OpenAI's processing if the company implements specific privacy measures.
Why this matters
This situation highlights the growing expectation for tech companies to be transparent and proactive about user privacy, especially in AI services.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Following the decision of the Italian DPA to impose a temporary limitation on the processing activities of OpenAI L.L.C. (the controller) regarding ChatGPT, the controller contacted the DPA to express its willingness to cooperate and requested it to lift the temporary limitation. The Italian DPA argued that it would re-assess its decision on condition that the controller put in place concrete measures to protect the rights and freedoms of those whose data was used to train ChatGPT’s algorithms and those who are users of the service. These measures include:
1) Preparing and publishing an information notice on the controller's website which explains that the data collected from the data subjects (users and non-users of the service) is used to train ChatGPT’s algorithms, and also includes information on how the processing is carried out, the logic behind the processing as necessary for the operation of the service, data subjects' rights and any other information required by the GDPR.
2) Putting in place a tool, which could be accessible on the controller’s website, by which data subjects who log in from Italy can exercise their right to object to the processing of their personal data obtained from third parties, when the processing is carried out for purposes of algorithm training and provision of the service.
3) Making available on the controller's website a tool by which data subjects can request and obtain the correction of their data which was inaccurately processed in the generation of contents or, where this is not possible according to the state-of-the-art technology, erasure of such personal data.
4) Including a link to the privacy policy which shall be displayed before proceeding to registration. This link shall also appear prior to the reactivation of the service.
5) Modifying the legal basis for processing personal data for purposes of algorithm training. In particular, the controller shall not invoke the performance of a contract as an appropriate
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for OpenAI L.L.C. (the Controller) in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
11 April 2023
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-5811
Cite as: Cookie Fines. OpenAI L.L.C. (the Controller) - Italy (2023). Retrieved from cookiefines.eu