Is OpenAI/ChatGPT compliant with GDPR, if they don't allow changing or removing the Phone Number and Email Address?

Question

Italy has recently banned ChatGPT, and is now allowing it again in the country, after they implemented a few privacy controls.

The fact that it's now allowed again makes me wonder if Italy (and the rest of EU) is "finally happy" with ChatGPT, GDPR-wise.

Since day 1 of me using ChatGPT, what worries me the most is that:

1. I cannot change my email address associated with my account

2. I cannot view or change my phone number associated with my account

3. If I delete my account, the phone number (at least) stays saved in their database permanently, as we can no longer create a new account with the same phone number associated

4. Despite my numerous attempts, a human NEVER replies to my questions in the support chat (even though the Bot eventually says that they will reply within 1 week), and when I attempted to ask in the forum, my post was not approved. My questions to them were about changing/deleting the phone number and email address.

These are basic rules of GDPR ("right to erasure" (Article 17) and "right to rectification" (Article 19)), and I'm surprised that at this point, EU countries are still allowing OpenAI/ChatGPT to do this, and that Italy hasn't required them to make changes around these personal elements.

Am I wrong here? Is OpenAI/ChatGPT compliant with GDPR, if they don't allow changing or removing the Phone Number and Email Address?

Answer 1

GDPR allows companies to process data for various reasons, including user consent or to fulfill contractual or legal obligations. Using an email or phone number as the unique user ID is legal, and so is retaining the unique user ID of a deleted account to prevent abuse or fraud (or for tax purposes, if it is a paid service).

GDPR requires companies to publish contact details, but there is no requirement to have a chatbot to be this "official contact point." Somewhere in their legal boilerplate you should find a physical address where you can send a printed and signed letter. In this letter, you can request either information on your account or the correction of factually wrong data, but then your phone number is not "wrong" in this sense ...

PS -- I did not downvote, but it seems to me that your question seems to view GDPR as an universal "magic wand" when it is a quite specific set of regulations. About two minutes of googling got me the contact details in the EU/EEA and UK.