OpenAI L.L.C. (the Controller) – Violation Found (Italy, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
OpenAI L.L.C. was found to have issues with how it processes data for ChatGPT, prompting the Italian data protection authority to impose temporary restrictions. The company agreed to cooperate and implement measures to better protect user rights. This case shows that even tech giants must ensure they are transparent about data use and user rights.
What happened
OpenAI L.L.C. faced temporary limitations on processing data for ChatGPT due to concerns over user rights and data transparency.
Who was affected
Users of ChatGPT and individuals whose data was used to train its algorithms.
What the authority found
The authority indicated that OpenAI must take specific actions to protect users' rights and provide clear information about data processing.
Why this matters
This situation illustrates the ongoing scrutiny tech companies face regarding data privacy. Website operators should prioritize transparency and user consent in their data practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Following the decision of the Italian DPA to impose a temporary limitation on the processing activities of OpenAI L.L.C. (the controller) regarding ChatGPT, the controller contacted the DPA to express its willingness to cooperate and requested it to lift the temporary limitation. The Italian DPA argued that it would re-assess its decision on condition that the controller put in place concrete measures to protect the rights and freedoms of those whose data was used to train ChatGPT’s algorithms and those who are users of the service. These measures include: 1) Preparing and publishing an information notice on the controller's website which explains that the data collected from the data subjects (users and non-users of the service) is used to train ChatGPT’s algorithms, and also includes information on how the processing is carried out, the logic behind the processing as necessary for the operation of the service, data subjects' rights and any other information required by the GDPR. 2) Putting in place a tool, which could be accessible on the controller’s website, by which data subjects who log in from Italy can exercise their right to object to the processing of their personal data obtained from third parties, when the processing is carried out for purposes of algorithm training and provision of the service. 3) Making available on the controller's website a tool by which data subjects can request and obtain the correction of their data which was inaccurately processed in the generation of contents or, where this is not possible according to the state-of-the-art technology, erasure of such personal data. 4) Including a link to the privacy policy which shall be displayed before proceeding to registration. This link shall also appear prior to the reactivation of the service. 5) Modifying the legal basis for processing personal data for purposes of algorithm training. In particular, the controller shall not invoke the performance of a contract as an appropriate
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for OpenAI L.L.C. (the Controller) in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
11 April 2023
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-5811About this data
Cite as: Cookie Fines. OpenAI L.L.C. (the Controller) - Italy (2023). Retrieved from cookiefines.eu
Last updated: