On 31 July 2025, OpenAI announced the construction of its first European AI data centre with Stargate Norway. The facility, located in Narvik in northern Norway, is scheduled to become operational in 2026. According to OpenAI, Narvik’s abundant hydropower resources, low-cost energy supply, cool climate, and well-established industrial infrastructure make it an ideal location for building sustainable AI infrastructure at industrial scale.
What does this mean for European OpenAI customers? First and foremost, OpenAI currently does not operate an AI data centre in Europe. As a result, organizations should carefully evaluate which AI solution best meets their operational requirements while also complying with applicable data protection obligations.
A Fast Track to Data Protection Violations
Choosing what appears to be the easiest solution can have significant consequences from a data protection perspective. OpenAI, for example, promotes ChatGPT Team as the fastest way for organizations to start using ChatGPT at work, offering a shared workspace, administrative controls, and connectors to company applications.
“ChatGPT Team is the fastest way to start using ChatGPT for work - with a shared workspace, admin controls, and connectors to your company tools.”
Because ChatGPT Team is less expensive than ChatGPT Enterprise, particularly smaller organizations may be tempted to adopt it immediately. From a data protection perspective, however, this decision may introduce significant risks that could potentially compromise the rights and freedoms of data subjects.
Controller Responsibility and Data Processing Agreements
Regardless of whether an organization uses ChatGPT Team or ChatGPT Enterprise, it remains the data controller under the General Data Protection Regulation (GDPR) because it alone determines the purposes and means of processing personal data.
Whenever personal data is processed using these AI services, organizations must ensure that a Data Processing Agreement (DPA) in accordance with Article 28 GDPR has been concluded with OpenAI beforehand. For this purpose, OpenAI provides its standard Data Processing Addendum (DPA).
For organizations established within the European Economic Area (EEA) or Switzerland, the contractual relationship is with OpenAI Ireland Ltd, which provides the services within those jurisdictions. However, organizations should not assume that user prompts or other personal data are processed exclusively in Ireland.
Sub-processors and Affiliated Companies
OpenAI Ireland Ltd is a subsidiary of OpenAI, LLC, which is headquartered in the United States. OpenAI’s affiliated companies provide the technical and operational support required to deliver the services offered by OpenAI Ireland Ltd. Since OpenAI currently does not operate an AI data centre within the EEA or Switzerland, data processing necessarily takes place in OpenAI’s data centres located in the United States.

Ensuring an Equivalent Level of Protection for International Data Transfers
Transfers of personal data to a third country, such as the United States, are subject to specific requirements under the GDPR. Either the European Commission must have adopted a valid adequacy decision, confirming that the destination country ensures a level of data protection essentially equivalent to that of the European Union, or the data exporter - in this case OpenAI Ireland Ltd - must implement appropriate safeguards under the GDPR to ensure such protection in the specific case.
Since the adoption of the EU-U.S. Data Privacy Framework (DPF) in 2023, an adequacy decision exists for the United States. Regardless of the ongoing criticism of the DPF itself and the possibility that it could be revoked - either by the current U.S. administration or by the Court of Justice of the European Union in a potential Schrems III judgment - personal data may currently be transferred to U.S. organizations under the DPF, provided those organizations have registered and self-certified through the U.S. Department of Commerce.
To date, however, none of OpenAI’s companies have certified under the Data Privacy Framework. Consequently, the adequacy decision cannot currently serve as the legal basis for OpenAI Ireland Ltd’s transfers of personal data to the United States. Instead, OpenAI must rely on appropriate safeguards under Article 46 GDPR, such as the Standard Contractual Clauses (SCCs).
At present, it is not publicly known to what extent OpenAI Ireland Ltd has concluded such appropriate safeguards with its parent company, OpenAI, LLC. OpenAI Ireland Ltd refers to internal intra-group agreements, which may - but do not necessarily - include the European Commission’s Standard Contractual Clauses adopted on 4 June 2021.
Customers of OpenAI Ireland Ltd may, however, exercise their contractual rights under the Data Processing Agreement by requesting OpenAI’s privacy and security documentation, as well as other relevant information, in order to assess compliance with the GDPR.
U.S. District Court Decision Undermines Appropriate Safeguards
In its landmark Case C-311/18 (Schrems II), the Court of Justice of the European Union made it clear that controllers and processors acting as data exporters are responsible for assessing - on a case-by-case basis and, where necessary, together with the data importer - whether the legal framework and practical application of the law in the destination country ensure that the chosen appropriate safeguards remain effective.
Against this background, a decision issued by the U.S. District Court for the Southern District of New York on 13 May 2025 in the case The New York Times Company v. Microsoft Corporation et al. (Case No. 1:23-cv-11195), later upheld by the appellate court on 26 June 2025, raises significant concerns regarding the effectiveness of such safeguards.
The court order requires OpenAI Inc., the parent company of the OpenAI group, to preserve all ChatGPT output data in a segregated manner for evidentiary purposes and prohibits its deletion - even where European organizations would otherwise be required to delete such data in order to comply with their obligations under the GDPR.
This obligation conflicts with the GDPR’s right to erasure and currently prevents OpenAI Ireland Ltd from effectively implementing appropriate safeguards with its affiliated companies in the United States, as data subjects are ultimately unable to exercise their rights.
The exception to the right to erasure under Article 17(3)(b) GDPR, which applies where processing is necessary to comply with a legal obligation, does not apply here because the obligation originates neither from EU law nor from the law of an EU Member State. Likewise, the exception under Article 17(3)(e) GDPR, relating to the establishment, exercise, or defence of legal claims, is unlikely to apply, since the U.S. court order imposes a legal obligation on OpenAI Inc. rather than establishing a legal claim.
For this reason, the use of ChatGPT Team currently does not satisfy the applicable data protection requirements for processing personal data. By contrast, customer data processed through ChatGPT Enterprise, ChatGPT Edu, and the OpenAI API Platform with an active Zero Data Retention (ZDR) agreement are not affected by these preservation obligations.
Against this background, organizations processing personal data should refrain from using ChatGPT Team and instead consider alternative solutions.
Current Data Residency in Europe
Since February 2025, OpenAI has offered customers of ChatGPT Enterprise, ChatGPT Edu, and the API Platform the option of European Data Residency for data at rest. Under this offering, customer content is encrypted and stored on servers located within Europe.
The following content is covered:
- Conversations (text, images, and voice)
- Code Interpreter sessions and data analysis artifacts
- Files (e.g. uploaded images and documents)
- Image generation prompts and outputs
- ChatGPT Memory (saved conversation context)
- Custom GPTs (including associated prompts and outputs)
- Canvas (collaborative workspace content)
However, this applies only to newly created projects where Europe is explicitly selected as the storage region during setup.
The following information is not stored within Europe:
- Connectors and MCP
- Third-party services (e.g. web search, if enabled)
- Workspace metadata (e.g. workspace name, billing information, user authentication data)
- Temporary processing data and operational data required to provide the service
Unsurprisingly, European Data Residency currently refers only to the storage of data at rest. Because OpenAI does not yet operate AI data centres within Europe, the actual processing of customer data still takes place in the United States.
As long as the European Union cannot ensure comprehensive data sovereignty, European organizations remain exposed to the risk that judicial or regulatory decisions in third countries may negatively affect their operations. Careful strategic planning and thorough risk assessments therefore remain essential whenever AI systems—particularly those operated from outside the EU—are deployed in business environments.
If you are planning to implement an AI system within your organization, we would be pleased to support you throughout the process. Our consultants help you evaluate suitable AI solutions for your business and guide the implementation while ensuring compliance with applicable data protection requirements.
Sources:
https://openai.com/de-DE/index/introducing-stargate-norway
https://openai.com/de-DE/chatgpt/team
https://openai.com/policies/sub-processor-list
https://openai.com/de-DE/policies/data-processing-addendum
Urteil vom 16. Juli 2020, Schrems II, C-311/18, EU:C:2020:559, Rn. 134-137.
*https://www.courtlistener.com/docket/68117049/712/the-new-york-times-company-v-microsoft-corporation
https://openai.com/index/response-to-nyt-data-demands
https://openai.com/de-DE/index/introducing-data-residency-in-europe
https://help.openai.com/en/articles/9903489-data-residency-for-chatgpt
