Both have GDPR DPAs and neither trains on API data. The differences are in EU data residency, sub-processor transparency, and what happens on consumer tiers.
| Criteria | Anthropic (Claude API) | OpenAI (API) | Azure OpenAI |
|---|---|---|---|
| GDPR DPA available | Yes | Yes | Yes |
| EU data residency | No (US processing) | No (US processing) | Yes (EU regions) |
| Trains on API data | No | No | No |
| Data retention (API) | 30 days | 30 days | Configurable |
| SCCs included | Yes | Yes | Yes |
| Sub-processor list published | Yes | Yes | Yes |
| Breach notification timeline | "Prompt notice" | "Prompt notice" | 72 hours (Azure SLA) |
| Consumer tier GDPR DPA | No (Claude.ai) | No (ChatGPT free/Plus) | N/A |
| Business tier GDPR DPA | Yes (API) | Yes (API + ChatGPT Team) | Yes |
| EU AI Act conformity docs | Partial | Partial | More complete |
| Audit rights (enterprise) | Negotiable | Negotiable | Yes (Azure audit) |
| Data deletion on termination | 30 days | 30 days | Configurable |
TL;DR: Anthropic and OpenAI both offer GDPR Data Processing Agreements for API customers, but they differ in four key areas: (1) EU data residency: OpenAI offers EU-region processing via Azure OpenAI; Anthropic does not offer EU hosting on standard tiers; (2) data retention: Anthropic retains API inputs/outputs for 30 days for abuse detection; OpenAI retains for 30 days by default; (3) sub-processor transparency: both publish sub-processor lists, but update frequencies differ; (4) training data: neither trains on API data by default, but consumer-tier terms differ. For strict EU data residency requirements, Azure OpenAI Service (not api.openai.com) is the more defensible choice.
DPA Coverage: What's Actually Included
Anthropic (Claude API)
Anthropic's API Terms of Service incorporate a GDPR Data Processing Addendum by reference. Key provisions:
- Controller/processor relationship: Anthropic acts as processor; you are the controller
- Purpose limitation: API data used only to provide the service, not for model training
- Sub-processors: Published list available at trust.anthropic.com
- Data transfers: Standard Contractual Clauses (Module Two: Controller to Processor) for EU-to-US transfers
- Data retention: inputs and outputs retained for 30 days for trust and safety purposes, then deleted
- Breach notification: "Prompt notice", not a specific timeframe
What's missing from standard terms: no 72-hour breach notification, no EU data residency, no financial SLA for downtime.
OpenAI (Direct API, api.openai.com)
OpenAI's API Terms include a Data Processing Addendum with similar provisions:
- Controller/processor relationship: OpenAI acts as processor for API data
- Training prohibition: API data not used for model training (default, no opt-out required)
- Sub-processors: Published list, updated with 30-day notice for material changes
- Data transfers: SCCs for EU-to-US transfers
- Data retention: 30 days by default; zero retention available (data deleted immediately after API response) via ZDR API, at additional cost
- Breach notification: "Prompt notice", same ambiguity as Anthropic
ChatGPT Business (renamed from ChatGPT Team in August 2025): $25/user/month billed annually, or $30/month billed monthly. Includes a GDPR DPA and does not train on conversation data. This is separate from the API; it is the ChatGPT web interface for business users.
Azure OpenAI Service
Azure OpenAI is Microsoft's deployment of OpenAI models (GPT-4, GPT-4o) with Microsoft's enterprise data handling:
- EU data residency: available; you can route all processing through EU Azure regions (Sweden Central, France Central, etc.)
- Breach notification: 72 hours, as part of Azure's contractual SLA
- Data retention: configurable; you can set retention to zero
- Audit rights: Microsoft provides SOC 2 Type II, ISO 27001, and supports audit rights under enterprise agreements
- GDPR status: covered under Microsoft's DPA, which is widely accepted by EU DPAs
The tradeoff: Azure OpenAI requires an Azure account, pricing is higher than direct OpenAI API, and model availability sometimes lags api.openai.com (new models appear there first).
The Four Differences That Matter for GDPR
1. EU Data Residency
This is the biggest practical difference.
Anthropic: no EU-region hosting option on any standard or enterprise tier as of May 2026. All API processing occurs in the US. Data transfers to the US are covered by SCCs, but the data leaves the EU.
OpenAI direct API: same, US processing only. SCCs cover the transfer mechanism, but EU data goes to US servers.
Azure OpenAI: EU-region processing is available. If you select an EU region, your API requests are processed in the EU and the data does not leave it. This is the only major hosted LLM API that offers this with a hard contractual guarantee.
When this matters: if your DPO or legal team requires that personal data stay within the EEA, only Azure OpenAI can satisfy that requirement. For most teams, SCCs are sufficient, but regulated sectors (healthcare, financial services, government) often face stricter requirements.
2. Breach Notification Timing
Both Anthropic and OpenAI standard terms use "prompt notice", which has no specific timeframe.
Under GDPR Article 33, you have 72 hours to notify your supervisory authority after discovering a breach. If your vendor takes 10 days to notify you, you miss that window.
Azure OpenAI contractually commits to 72-hour notification in its enterprise SLA. This directly maps to your GDPR obligation.
For API and ChatGPT Team customers: you can request 72-hour notification in a negotiated contract at enterprise tier. At self-serve tier, "prompt notice" is what you get.
3. Sub-Processor Transparency
Both Anthropic and OpenAI publish sub-processor lists, but the update frequency differs:
Anthropic: sub-processor list published at trust.anthropic.com. Updates posted; customer notification mechanism is less formalized in standard terms.
OpenAI: API terms include 30-day advance notice of material sub-processor changes, with the right to object. This maps more closely to GDPR Article 28(2) requirements.
GDPR Article 28 requirement: your DPA with an AI vendor should give you the right to be notified before new sub-processors are added, and the right to object. Check whether your specific tier includes this; it is often found only in negotiated enterprise agreements.
4. Consumer Tier vs. API Tier: the Critical Difference
This is where teams get into trouble.
| Tier | GDPR DPA | Trains on data | EU personal data safe? |
|---|---|---|---|
| Anthropic API | Yes | No | Yes (with caveats) |
| Claude.ai (consumer) | No | Yes (opt-out available) | No |
| Claude.ai Pro | No | Yes (opt-out available) | No |
| OpenAI API | Yes | No | Yes (with caveats) |
| ChatGPT (free/Plus) | No | Yes (opt-out available) | No |
| ChatGPT Team | Yes | No | Yes |
| Azure OpenAI | Yes | No | Yes (EU regions) |
The practical risk: employees use personal Claude.ai or ChatGPT accounts for work tasks. These accounts are on consumer terms: there is no GDPR DPA, and the training opt-out is set per user, so it cannot be enforced at the organization level.
What to do: your AI acceptable use policy should explicitly prohibit pasting EU personal data into consumer-tier AI tools. Only API access (controlled by the organization) or business accounts (ChatGPT Team, Anthropic API with your credentials) are covered by a DPA.
Decision Guide: Which to Use
If EU data must stay in the EU: use Azure OpenAI. No other major hosted LLM API provides contractual EU data residency.
If you need a 72-hour breach notification commitment: use Azure OpenAI, or negotiate a custom enterprise agreement with Anthropic or OpenAI.
If you need Claude specifically (Anthropic models) and EU residency: no solution exists at self-serve tier as of May 2026. Contact Anthropic enterprise sales; data residency may be available under a custom agreement.
If SCCs are sufficient for your legal requirements (most small teams): both Anthropic API and OpenAI API are comparable. Choose based on model performance for your use case.
If you need to use the ChatGPT web interface (not API): use ChatGPT Team, not free/Plus. ChatGPT Team includes a GDPR DPA and does not train on your conversations.
What to Check in Your Current DPA
If you have already signed a DPA with Anthropic or OpenAI, verify these five clauses are present:
- Training prohibition is explicit (not just "improving services")
- Data retention period is stated (30 days, or configurable)
- Sub-processor list URL is referenced and a notification mechanism exists
- SCCs are incorporated by reference for EU-to-US transfers
- Breach notification timeframe (if "prompt notice", request a 72-hour amendment)
See the AI vendor contract redline template for exact language to request for each of these clauses.
Common Mistakes Teams Make
Using consumer accounts for work. The most common GDPR compliance failure is not a gap in the DPA; it is employees using personal ChatGPT or Claude.ai accounts for tasks that involve work data. These accounts are on consumer terms: no DPA, and a training opt-out that is user-managed and not enforceable at the organization level. Your AI acceptable use policy must explicitly prohibit this, and your shadow AI controls must catch it when it happens.
Assuming the DPA covers everything. Anthropic's and OpenAI's DPAs cover the API and specific business-tier products. If you purchase additional features, use a new product line (e.g., OpenAI's Responses API vs the Chat Completions API), or access models through a third-party wrapper, those channels may not be covered by the DPA you reviewed. Verify coverage at each procurement decision, not once at onboarding.
Missing the sub-processor notification window. Both Anthropic's and OpenAI's standard terms give you 30 days' advance notice of material sub-processor changes. If you are not monitoring for these notifications, you may miss a change that affects your compliance position. Assign someone to review AI vendor change notifications as part of your quarterly vendor review cadence.
Conflating training opt-out with data deletion. Opting out of model training does not mean your data is deleted immediately. Both providers retain API inputs and outputs for up to 30 days for trust and safety review. For regulated sectors that require shorter retention or real-time deletion, this 30-day window is a gap that requires either the zero-data-retention API option (OpenAI ZDR) or a custom enterprise agreement with Anthropic.
California AB 2013 and Training Data Transparency (2026)
Starting January 1, 2026, California AB 2013 requires AI developers who deploy systems to California residents to publish a summary of their training data on their website. Both Anthropic and OpenAI have disclosure pages that address this requirement:
- Anthropic publishes model cards and training data summaries at anthropic.com/research
- OpenAI publishes model documentation including training data information at openai.com/research
For teams building on these APIs, AB 2013 may apply to you directly if you train or fine-tune models and deploy them to California users. If you are using the APIs as-is without custom training, the disclosure obligation falls on the underlying provider rather than you. See the California AB 2013 AI training data compliance guide for the full obligation breakdown.
References
- Anthropic Privacy Policy and API Terms: anthropic.com/legal
- Anthropic Trust & Safety: trust.anthropic.com
- OpenAI Data Processing Addendum: openai.com/policies/data-processing-addendum
- OpenAI Enterprise Privacy: openai.com/enterprise-privacy
- Azure OpenAI Data Privacy: azure.microsoft.com/en-us/products/ai-services/openai-service (documentation)
- GDPR Article 28: Processor obligations
- GDPR Article 33: 72-hour breach notification requirement
