3. Data Retention: A Dubious Policy at Odds with GDPR

Risk: Penalties for Violating GDPR and LOPDGDD Principles, Including Data Minimization and Purpose Limitation
The ChatGPT platform holds onto your information for 30 days, even after you’ve opted out of data training. This policy not only raises ethical questions but also appears to contradict Article 17 of the GDPR, which confers the “right to erasure.”
(Platform) If I disable history, does the setting apply to all my conversations, or can I choose specific conversations to enable it for?  While history is disabled, new chats will be deleted from our systems within 30 days – and reviewed only when needed to monitor for abuse – and won’t be used for model training. Existing conversations will still be saved and may be used for model training if you have not opted out.[3]
Article 17. EU GPRD:  The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay […] “.[2]

Best Practices: A Clear Path to Immediate Data Deletion

Given the GDPR’s stringent conditions for data retention, the platform’s 30-day policy raises compliance issues. Unless the platform can prove a compelling legal justification that aligns with GDPR exceptions, an immediate data erasure option should be made available and clearly marked within user settings.