The short version: both have GDPR DPAs and neither trains on API data. The differences are in EU data residency, sub-processor transparency, and what happens on consumer tiers.
| Criteria | Anthropic (Claude API) | OpenAI (API) | Azure OpenAI |
|---|---|---|---|
| GDPR DPA available | Yes | Yes | Yes |
| EU data residency | No (US processing) | No (US processing) | Yes (EU regions) |
| Trains on API data | No | No | No |
| Data retention (API) | 30 days | 30 days | Configurable |
| SCCs included | Yes | Yes | Yes |
| Sub-processor list published | Yes | Yes | Yes |
| Breach notification timeline | "Prompt notice" | "Prompt notice" | 72 hours (Azure SLA) |
| Consumer tier GDPR DPA | No (Claude.ai) | No (ChatGPT free/Plus) | N/A |
| Business tier GDPR DPA | Yes (API) | Yes (API + ChatGPT Team) | Yes |
| EU AI Act conformity docs | Partial | Partial | More complete |
| Audit rights (enterprise) | Negotiable | Negotiable | Yes (Azure audit) |
| Data deletion on termination | 30 days | 30 days | Configurable |
DPA Coverage: What's Actually Included
Anthropic (Claude API)
Anthropic's API Terms of Service incorporate a GDPR Data Processing Addendum by reference. Key provisions:
- Controller/processor relationship: Anthropic acts as processor; you are the controller
- Purpose limitation: API data used only to provide the service, not for model training
- Sub-processors: Published list available at trust.anthropic.com
- Data transfers: Standard Contractual Clauses (Module Two: Controller to Processor) for EU-to-US transfers
- Data retention: Inputs and outputs retained for 30 days for trust and safety purposes, then deleted
- Breach notification: "Prompt notice" — not a specific timeframe
What's missing from standard terms: No 72-hour breach notification, no EU data residency, no financial SLA for downtime.
OpenAI (Direct API — api.openai.com)
OpenAI's API Terms include a Data Processing Addendum with similar provisions:
- Controller/processor relationship: OpenAI acts as processor for API data
- Training prohibition: API data not used for model training (default, no opt-out required)
- Sub-processors: Published list, updated with 30-day notice for material changes
- Data transfers: SCCs for EU-to-US transfers
- Data retention: 30 days by default; zero retention available (data deleted immediately after API response) via ZDR API — at additional cost
- Breach notification: "Prompt notice" — same ambiguity as Anthropic
ChatGPT Team note: ChatGPT Team (the business plan at $25/user/month) includes a GDPR DPA and does not train on conversation data. This is separate from the API — it is the ChatGPT web interface for business users.
Azure OpenAI Service
Azure OpenAI is Microsoft's deployment of OpenAI models (GPT-4, GPT-4o) with Microsoft's enterprise data handling:
- EU data residency: Available — you can route all processing through EU Azure regions (Sweden Central, France Central, etc.)
- Breach notification: 72 hours, as part of Azure's contractual SLA
- Data retention: Configurable — you can set retention to zero
- Audit rights: Microsoft provides SOC 2 Type II, ISO 27001, and supports audit rights under enterprise agreements
- GDPR status: Covered under Microsoft's DPA, which is widely accepted by EU DPAs
The tradeoff: Azure OpenAI requires an Azure account, pricing is higher than the direct OpenAI API, and model availability sometimes lags api.openai.com (new models appear there first).
The Four Differences That Matter for GDPR
1. EU Data Residency
This is the biggest practical difference.
Anthropic: No EU-region hosting option on any standard or enterprise tier as of May 2026. All API processing occurs in the US. Data transfers to the US are covered by SCCs, but the data leaves the EU.
OpenAI direct API: Same — US processing only. SCCs cover the transfer mechanism, but EU data goes to US servers.
Azure OpenAI: EU-region processing is available. If you select an EU region, your API requests are processed in the EU and the data does not leave the EU. This is the only major hosted LLM API that offers this with a hard contractual guarantee.
When this matters: If your DPO or legal team requires that personal data stay within the EEA, only Azure OpenAI can satisfy that requirement. For most teams, SCCs are sufficient — but regulated sectors (healthcare, financial services, government) often face stricter requirements.
2. Breach Notification Timing
Both Anthropic and OpenAI standard terms use "prompt notice" — which has no specific timeframe.
Under GDPR Article 33, you have 72 hours to notify your supervisory authority after discovering a breach. If your vendor takes 10 days to notify you, you miss that window.
Azure OpenAI contractually commits to 72-hour notification in its enterprise SLA. This directly maps to your GDPR obligation.
For API and ChatGPT Team customers: You can request 72-hour notification in a negotiated contract at enterprise tier. At self-serve tier, "prompt notice" is what you get.
3. Sub-Processor Transparency
Both Anthropic and OpenAI publish sub-processor lists, but the update frequency differs:
Anthropic: Sub-processor list published at trust.anthropic.com. Updates are posted there; the customer notification mechanism is less formalized in the standard terms.
OpenAI: API terms include 30-day advance notice of material sub-processor changes, with the right to object. This maps more closely to GDPR Article 28(2) requirements.
GDPR Article 28 requirement: Your DPA with an AI vendor should give you the right to be notified before new sub-processors are added, and the right to object. Check whether your specific tier includes this — it is often only in negotiated enterprise agreements.
4. Consumer Tier vs. API Tier — Critical Difference
This is where teams get into trouble.
| Tier | GDPR DPA | Trains on data | EU personal data safe? |
|---|---|---|---|
| Anthropic API | Yes | No | Yes (with caveats) |
| Claude.ai (consumer) | No | Yes (opt-out available) | No |
| Claude.ai Pro | No | Yes (opt-out available) | No |
| OpenAI API | Yes | No | Yes (with caveats) |
| ChatGPT (free/Plus) | No | Yes (opt-out available) | No |
| ChatGPT Team | Yes | No | Yes |
| Azure OpenAI | Yes | No | Yes (EU regions) |
The practical risk: employees use personal Claude.ai or ChatGPT accounts for work tasks. These accounts are on consumer terms — no GDPR DPA, and training opt-out is user-level, not enforceable at the organization level.
What to do: Your AI acceptable use policy should explicitly prohibit pasting EU personal data into consumer-tier AI tools. Only API access (controlled by the organization) or business accounts (ChatGPT Team, Anthropic API with your credentials) are covered by a DPA.
Decision Guide: Which to Use
If EU data must stay in the EU: Use Azure OpenAI. No other major hosted LLM API provides contractual EU data residency.
If you need a 72-hour breach notification commitment: Use Azure OpenAI, or negotiate a custom enterprise agreement with Anthropic or OpenAI.
If you need Claude specifically (Anthropic models) and EU residency: No solution exists at self-serve tier as of May 2026. Contact Anthropic enterprise sales — data residency may be available under a custom agreement.
If SCCs are sufficient for your legal requirements (most small teams): Both Anthropic API and OpenAI API are comparable. Choose based on model performance for your use case.
If you need to use the ChatGPT web interface (not API): Use ChatGPT Team, not free/Plus. ChatGPT Team includes a GDPR DPA and does not train on your conversations.
What to Check in Your Current DPA
If you have already signed a DPA with Anthropic or OpenAI, verify these five clauses are present:
- Training prohibition is explicit (not just "improving services")
- Data retention period is stated (30 days, or configurable)
- Sub-processor list URL is referenced and a notification mechanism exists
- SCCs are incorporated by reference for EU-to-US transfers
- Breach notification timeframe is stated (if it is "prompt notice", request a 72-hour amendment)
See the AI vendor contract redline template for exact language to request for each of these clauses.
References
- Anthropic Privacy Policy and API Terms: anthropic.com/legal
- Anthropic Trust & Safety: trust.anthropic.com
- OpenAI Data Processing Addendum: openai.com/policies/data-processing-addendum
- OpenAI Enterprise Privacy: openai.com/enterprise-privacy
- Azure OpenAI Data Privacy: azure.microsoft.com/en-us/products/ai-services/openai-service (documentation)
- GDPR Article 28: Processor obligations
- GDPR Article 33: 72-hour breach notification requirement
- Related: AI vendor DPA tracker — full comparison of 25+ AI vendors
