Using ChatGPT in compliance with data protection regulations
Employees of the University of Vienna can use ChatGPT in the Team or Enterprise version under certain conditions in compliance with data protection regulations. In cooperation with the Data Protection Officer of the University of Vienna, the ZID provides information on the legal framework and requirements on this page.
Requirements
You can use ChatGPT in compliance with data protection regulations as defined by the General Data Protection Regulation (GDPR) under these conditions:
- Use of the ChatGPT Team or ChatGPT Enterprise versions
- Compliance with the Terms of Use in conjunction with artificial intelligence (AI)
Licences
The ZID does not currently provide any ChatGPT licences.
Team or Enterprise licences can be purchased directly via the OpenAI for Business website.
Data protection framework
OpenAI supports the use of the Team and Enterprise versions of ChatGPT in compliance with data protection regulations (see also Enterprise privacy at OpenAI):
- Input from users is not used for training AI models.
- Deleted and unsaved data is permanently deleted after 30 days.
- There is no assurance for the Team version that data will be stored exclusively in the EU. Therefore, a comprehensive Data Transfer Impact Assessment (DTIA) has been carried out. The DTIA assesses the risks of transferring personal data to countries outside the EU and ensures that measures are in place to protect this data. OpenAI has also ensured permissible data transfers to third countries with the Standard Contractual Clauses (SCCs).
Note
Since data may be stored outside the EU, the following regulation from the Terms of Use in conjunction with artificial intelligence (AI) applies when using the Team version:
“… no undisclosed personal employee data or confidential information (e.g. trade and business secrets) may be processed (already during the prompting process).”
This means that you must not enter any sensitive data into ChatGPT.
The University of Vienna has also concluded a data processing agreement with OpenAI. This agreement applies to all purchases of Team or Enterprise licences by individual organisational units of the University and is stored in the record of processing activities of the University of Vienna. Users of these licences therefore do not need to take any further steps with regard to data protection.