3. Data Retention: A Dubious Policy at Odds with
GDPR
Risk: Penalties for Violating GDPR and LOPDGDD Principles,
Including Data Minimization and Purpose
Limitation
The ChatGPT platform holds onto your information for 30 days, even after
you’ve opted out of data training. This policy not only raises ethical
questions but also appears to contradict Article 17 of the GDPR, which
confers the “right to erasure.”
(Platform) If I disable history, does the setting apply to all
my conversations, or can I choose specific conversations to enable it
for? While history is disabled, new chats will be deleted from our
systems within 30 days – and reviewed only when needed to monitor for
abuse – and won’t be used for model training. Existing conversations
will still be saved and may be used for model training if you have not
opted out.[3]
Article 17. EU GPRD: “ The data subject shall have the
right to obtain from the controller the erasure of personal data
concerning him or her without undue delay and the controller shall have
the obligation to erase personal data without undue delay […]
“.[2]
Best Practices: A Clear Path to Immediate Data
Deletion
Given the GDPR’s stringent conditions for data retention, the platform’s
30-day policy raises compliance issues. Unless the platform can prove a
compelling legal justification that aligns with GDPR exceptions, an
immediate data erasure option should be made available and clearly
marked within user settings.