Italy

OpenAI OpCo LLC

15,000,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2024-11-02.

Rank · Sector

#24

of 369 in Media, Telecoms and Broadcasting

Rank · Italy

of 543

Rank · All fines

#38

of 3,050

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2024-11-02
Controller / Processor: OpenAI OpCo LLC
Sector: Media, Telecoms and Broadcasting
Quoted Articles: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 32 GDPR
Type of violation: Non-compliance with general data processing principles

Summary

The Italian DPA has imposed a fine of EUR 15 million on OpenAI in connection with the operation of the generative AI chatbot “ChatGPT”.
The DPA found that OpenAI had violated provisions of the GDPR, inter alia, by failing to notify the DPA of a data breach that occurred in 2023, by using users' personal data to train ChatGPT without providing a valid legal basis for such processing, and by violating the principle of transparency.
Additionally, OpenAI did not implement age verification, potentially risking exposure of children under 13 to inappropriate content.
Furthermore the DPA ordered OpenAI to carry out a six-month public information campaign to educate users on how ChatGPT processes data and how they can exercise their GDPR rights.

Open original source Links to the regulator's original publication or another source.