GDPR · July 4, 2026 · 6 min read

GDPR Article 28 and AI Vendors: Do You Need a DPA for ChatGPT?

Article 28(3) requires processing by a processor to be governed by a written contract. Without one, a controller has no lawful footing for the controller–processor relationship when it lets a tool process personal data, and consumer tiers rarely give you one.


AIovert Security Team

GDPR & EU AI Act practitioners · Last updated July 4, 2026

The short answer

If an AI vendor processes personal data on your behalf, GDPR Article 28 requires a written data processing agreement (DPA) that binds the processor to specific obligations — processing only on your instructions, ensuring confidentiality and security, and assisting with data-subject rights. Consumer AI tiers frequently do not offer a compliant DPA, which is a key reason they are unsuitable for business processing of personal data. Enterprise and API tiers usually do provide one.

Without a valid Article 28 agreement in place, a controller that lets a tool process personal data on its behalf is in breach of Article 28(3) itself, regardless of whether it holds an Article 6 lawful basis for the underlying processing. The DPA is not a formality layered on top of the lawful basis; it is the condition under which a processor may be engaged at all.

What Article 28 actually requires

The DPA must set out the subject matter, duration, nature and purpose of processing, the type of personal data and categories of data subjects, and the controller’s obligations and rights. It must also impose the specific processor duties listed in Article 28(3)(a)–(h): processing only on documented instructions (including for international transfers), a confidentiality commitment from everyone authorised to process the data, the Article 32 security measures, prior authorisation and flow-down of obligations for sub-processors, assistance with data-subject requests, assistance with security, breach-notification and DPIA obligations (Articles 32–36), deletion or return of data at the end of the service, and making available the information needed to demonstrate compliance, including audits. When reviewing a vendor’s paperwork, check each of these points rather than accepting a document that merely carries the title “DPA”.

Why consumer tiers fall short

Consumer AI services are typically offered under standard terms that do not constitute an Article 28 DPA and may permit the provider to use inputs to improve the service. That is incompatible with processing personal data strictly on the controller’s documented instructions — which is why putting customer data into ChatGPT can be a GDPR breach.

The practical control

Because you cannot rely on a DPA for consumer tools, the safer path is to prevent personal data from being entered into them at all, which is exactly what a browser paste-control does, while reserving personal-data workloads for tiers that provide a proper agreement. Treat the paste-control as one technical measure within that policy, not as a substitute for the DPA: it covers clipboard input on the hosts you list, so typed text, file uploads and direct API integrations still need their own controls, and the list of hosts needs to be kept in step with the tiers your DPAs actually cover. See also: how to make AI tools GDPR compliant for your company, and when a DPIA is required for AI tools.
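To make the mechanism concrete, here is an added illustrative example of what a browser paste-control can look like; it is not AIovert’s product code and not a published implementation. It assumes a hypothetical list of consumer-tier hostnames (`CONSUMER_AI_HOSTS`) and two illustrative personal-data detectors (an email pattern and an IBAN pattern validated with the standard mod-97 check so that arbitrary digit runs do not trigger blocks). The decision logic is kept separate from the DOM wiring so it can be tested without a browser.

```javascript
// Added illustrative example, not AIovert's product code. A minimal browser
// paste-control: on an assumed set of consumer AI hostnames, intercept paste
// events and drop clipboard text that contains personal-data patterns before
// the page's input ever receives it. Hostnames and patterns are assumptions.

// Assumed: consumer tiers with no Article 28 DPA. An enterprise/API host is
// simply absent from this set and is left alone.
const CONSUMER_AI_HOSTS = new Set(["chatgpt.com", "chat.openai.com"]);

// Two detectors: a regex-only one (email) and one that validates its match
// (IBAN via the ISO 7064 mod-97 check) so that random digit runs do not block.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const IBAN_RE = /\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{2,4}){3,8}\b/g;

function ibanChecksumOk(candidate) {
  const s = candidate.replace(/\s+/g, "").toUpperCase();
  if (s.length < 15 || s.length > 34) return false;
  // Move the country code and check digits to the end, map A..Z to 10..35,
  // then reduce mod 97 digit by digit to avoid big-integer arithmetic.
  const rearranged = s.slice(4) + s.slice(0, 4);
  let rem = 0;
  for (const ch of rearranged) {
    const digits = ch >= "A" && ch <= "Z" ? String(ch.charCodeAt(0) - 55) : ch;
    for (const d of digits) rem = (rem * 10 + Number(d)) % 97;
  }
  return rem === 1;
}

function findPersonalData(text) {
  const matches = [];
  if (EMAIL_RE.test(text)) matches.push("email");
  for (const m of text.matchAll(IBAN_RE)) {
    if (ibanChecksumOk(m[0])) { matches.push("iban"); break; }
  }
  return matches;
}

// Pure decision function: testable without a DOM.
function classifyPaste(text, hostname) {
  if (!CONSUMER_AI_HOSTS.has(hostname)) {
    return { decision: "allow", reason: "host not in consumer-tier list", matches: [] };
  }
  const matches = findPersonalData(text);
  return matches.length
    ? { decision: "block", reason: "personal data on a tier without a DPA", matches }
    : { decision: "allow", reason: "no personal data detected", matches };
}

// Wires the decision into the page. Registered in the capture phase so it runs
// before the site's own paste handlers; preventDefault() stops the insertion.
function installPasteControl(doc, hostname, onBlock = () => {}) {
  doc.addEventListener("paste", (event) => {
    const text = event.clipboardData ? event.clipboardData.getData("text/plain") : "";
    const verdict = classifyPaste(text, hostname);
    if (verdict.decision === "block") {
      event.preventDefault();
      event.stopImmediatePropagation();
      onBlock(verdict);
    }
  }, true);
}

// In an extension content script this runs on page load; guarded so the
// module also loads outside a browser.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  installPasteControl(document, location.hostname, (v) =>
    console.warn("paste blocked, personal data detected:", v.matches.join(", ")));
}
```

Two design points matter in practice. The listener is registered in the capture phase on `document`, so it fires before any handler the site attaches to its own textarea and can cancel the event; a bubble-phase listener would run too late if the site stops propagation. And the host list is an allow/deny decision by tier, not by vendor: the same vendor’s API or enterprise hostname, covered by a DPA, is deliberately not in the set.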

Frequently asked questions

Do we need a DPA if we only use the free version of ChatGPT?

If you enter personal data, you need a compliant Article 28 DPA — and the free tier typically does not provide one. That is why entering personal data into consumer tiers is high-risk and often best blocked technically.

Is the AI vendor a processor or a controller?

Usually a processor when acting on your documented instructions, but this depends on the terms. Some providers may act as an independent controller for certain purposes (like service improvement), which changes your obligations and risk.

What if the vendor uses our data to train models?

Training on your inputs is generally incompatible with processing solely on the controller's instructions, unless specifically agreed and lawful. Business tiers that commit not to train on your data avoid this problem.

Primary sources

Regulation (EU) 2016/679 (GDPR), Article 28 (Processor): https://eur-lex.europa.eu/eli/reg/2016/679/oj

Regulatory dates and requirements can change; verify against the official EU source listed above before relying on them. This page is informational and not legal advice.

No DPA on the consumer tier? Block the data instead.

AIovert stops personal data reaching AI tools you have no processor agreement with, and reserves compliant workloads for tiers that do. Deploys in 15 minutes.