Garante per la protezione dei dati personali (Italy) - 9874702
From GDPRhub
| Garante per la protezione dei dati personali - 9874702 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 12 GDPR Article 58 GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 11.04.2023 |
| Published: | 11.04.2023 |
| Fine: | n/a |
| Parties: | OpenAI L.L.C. (the Controller) |
| National Case Number/Name: | 9874702 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | Garante per la Protezione dei Dati Personali (in IT) |
| Initial Contributor: | n/a |
The Italian DPA lifted its ban on ChatGPT on the condition that OpenAI implements a list of appropriate measures envisaged by the supervisory authority.
English Summary
Facts
Following the decision of the Italian DPA to impose a temporary limitation on the processing activities of OpenAI L.L.C. (the controller) regarding ChatGPT, the controller contacted the DPA to express its willingness to cooperate and requested it to lift the temporary limitation.
Holding
The Italian DPA argued that it would re-assess its decision on condition that the controller put in place concrete measures to protect the rights and freedoms of those whose data was used to train ChatGPT’s algorithms and those who are users of the service. These measures include:
1) Preparing and publishing an information notice on the controller's website which explains that the data collected from the data subjects (users and non-users of the service) is used to train ChatGPT’s algorithms, and also includes information on how the processing is carried out, the logic behind the processing as necessary for the operation of the service, data subjects' rights and any other information required by the GDPR.
2) Putting in place a tool, which could be accessible on the controller’s website, by which data subjects who log in from Italy can exercise their right to object to the processing of their personal data obtained from third parties, when the processing is carried out for purposes of algorithm training and provision of the service.
3) Making available on the controller's website a tool by which data subjects can request and obtain the correction of their data which was inaccurately processed in the generation of contents or, where this is not possible according to the state-of-the-art technology, erasure of such personal data.
4) Including a link to the privacy policy which shall be displayed before proceeding to registration. This link shall also appear prior to the reactivation of the service.
5) Modifying the legal basis for processing personal data for purposes of algorithm training. In particular, the controller shall not invoke the performance of a contract as an appropriate legal basis but shall instead base its processing on consent or legitimate interest.
6) Implementing, on the controller's website, a tool that allows data subjects to object to the processing of their personal data collected during their use of Chat GPT, when data are processed to train the algorithms on the basis of a legitimate interest of the controller. This tool shall be easily accessible.
7) Putting in place an age gate system to filter out minors on the basis of the age declared by the data subject.
8) Submitting a plan to the Italian DPA by 31 May 2023 for the implementation of age verification tools which would prevent data subjects aged under 13 from using ChatGPT alongside with data subjects aged under 18 in the absence of a clear affirmative act of consent by the person holding parental responsibility over the latter.
9) Launching an information campaign, without promoting its services, on the main Italian mass communication channels to inform data subjects that there is a high probability that their personal data was collected for the purposes of algorithm training and the controller published an information notice and provided a tool by which data subjects can request and obtain the erasure of their personal data.
Moreover, pursuant to Article 58(1) GDPR, the Italian DPA asked the controller to communicate by 30 April 2023 the initiatives it took to put in place the measures 1 to 7. It also asked the controller to indicate the steps it took to implement the measures 8 and 9.
Comment
A summary of the previous decision of the Italian DPA of imposing a temporary limitation on the processing activities of OpenAI LLC is available via this link: Garante per la protezione dei dati personali (Italy) - 9870832.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO - Press release dated 13 April 2023 - Press release dated 12 April 2023 - Press release dated 8 April 2023 - Press release dated 6 April 2023 - Press release dated April 4, 2023 - Press release dated March 31, 2023 - Provision of 30 March 2023 - English version [doc. web no. 9874702] Provision of April 11, 2023 Register of measures no. 114 of 11 April 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter, “Regulation”); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (hereinafter the "Code"); CONSIDERING the provision n. 112 of 30 March 2023 of temporary limitation pursuant to art. 58, par. 2, lit. f), of the Regulation, adopted against OpenAI L.L.C. (hereinafter also the "Company") by the President as a matter of urgency, pursuant to art. 5, paragraph 8, of Regulation no. 1/2000 on the organization and functioning of the Office of the Guarantor, which was ratified in the meeting of 8 April 2023; HAVING REGARD to the email dated 3 April 2023 with which the Company expressed its willingness to meet with the Guarantor; HAVING ACKNOWLEDGED the results of the meeting held by teleconference between the Board of Statutory Auditors and the top management of the Company on 5 April 2023; GIVEN the information acquired by OpenAI which, with the notes of 6 and 7 April 2023, expressed, among other things, its willingness to collaborate with the Guarantor, also requesting the revocation of the provision for the provisional limitation of the processing; CONSIDERED, in view of the information acquired and the willingness shown by the Company to implement a series of concrete measures to protect the rights and freedoms of the interested parties, whose data have been processed for the training of the algorithms instrumental to the provision of the service ChatGPT, and of the users of the service itself, without prejudice to the natural continuation of the preliminary investigation started, to be able to proceed to re-evaluate the existence of the conditions of the provision of provisional limitation, adopting the consequent determinations, provided that OpenAI takes steps to concretely implement a series of measures and provisions specifically identified below, which are ordered to the Company pursuant to art. 58, par. 2, lit. d), of the Regulation: 1. prepare and publish information on its website which, within the terms and in the manner set out in art. 12 of the Regulation, explain to the interested parties also other than users of the ChatGPT service, whose data have been collected and processed for the purpose of training the algorithms, the methods of treatment, the logic underlying the treatment necessary for the functioning of the service, the rights due to them as interested parties and any other information required by the Regulation; 2. make available, on its website, at least to interested parties, even other than users of the service, who connect from Italy, a tool through which they can exercise the right to object to the processing of their personal data, obtained from third parties, carried out by the company for the purpose of training the algorithms and providing the service; 3. make available, on its website, at least to interested parties, even other than users of the service, who connect from Italy, a tool through which they can request and obtain the correction of any personal data concerning them that have been processed inaccurately in the generation of contents or, if this proves impossible in the state of the art, the cancellation of personal data; 4. insert a link to the information addressed to the users of your services in the registration flow in a position that allows it to be read before proceeding with registration, through methods that allow all users who connect from Italy, including those already registered, on the first access following the possible reactivation of the service, to read this information; 5. modify the legal basis of the processing of users' personal data for the purpose of training the algorithms, eliminating any reference to the contract and assuming as the legal basis of the processing the consent or legitimate interest in relation to the assessments of the company's competence in a logic accountability; 6. make available, on its website, at least to users of the service, who connect from Italy, an easily accessible tool through which to exercise the right to object to the processing of their data acquired when using the service for training of algorithms if the legal basis chosen pursuant to point 5 above is legitimate interest; 7. during the possible reactivation of the service from Italy, insert the request, to all users who connect from Italy, including those already registered, to pass, during the first access, an age gate which excludes, on the based on the declared age, minor users; 8. submit to the Guarantor, by 31 May 2023, a plan for the adoption of age verification tools suitable for excluding access to the service to users under the age of thirteen and to minors in the absence of an express expression of will by those exercise parental responsibility over them. The implementation of this plan must start, at the latest, from 30 September 2023; 9. promote, by 15 May 2023, an information campaign, of a non-promotional nature, on all the main Italian mass media (radio, television, newspapers and the Internet) the contents of which will be agreed with the Guarantor, for the purpose to inform people of the probable collection of their personal data for the purpose of training the algorithms, of the publication on the Company's website of a specific detailed information and of the availability, again on the Company's website, of a tool through which all interested parties can request and obtain the cancellation of their personal data; CONSIDERING that the provisions referred to in points 1 to 7 must be fully fulfilled no later than 30 April 2023; CONSIDERING, under the aforementioned conditions, that it can suspend the effectiveness of its provisional limitation provision starting from the fulfillment of prescriptions from 1 to 7, with the exception of any further intervention, even of an urgent and temporary nature, in the case of unsuitable or insufficient implementation of the above provisions; SPECIFYING that today's decisions are in any case taken subject to any further measures that may be necessary at the conclusion of the formal investigation in progress; HAVING REGARD to the documentation in the deeds; SPEAKER Prof. Pasquale Stanzione; ALL THIS CONSIDERING THE GUARANTOR a) pursuant to art. 58, par. 2, lit. d) of the Regulation enjoins OpenAI L.L.C., a US company that develops and manages ChatGPT, as owner of the processing of personal data carried out through this application, within the terms set out in the premises: 1. the preparation and publication on its website of information which, within the terms and in the manner set out in art. 12 of the Regulation, explain to the interested parties also other than users of the ChatGPT service, whose data have been collected and processed for the purpose of training the algorithms, the methods of treatment, the logic underlying the treatment necessary for the functioning of the service in all different declinations (ChatGPT, API etc.), the rights due to them as data subjects and any other information required by the Regulation; 2. the provision, on its website, at least to interested parties, even other than users of the service, who connect from Italy, of an instrument through which they can exercise the right to object to the processing carried out by the company for the purposes algorithm training and service delivery; 3. the provision, on its website, at least to interested parties, even other than users of the service, who connect from Italy, of a tool through which to request and obtain the correction of any personal data concerning them processed in inaccurate way in the generation of contents or, if this proves impossible in the state of the art, the cancellation of personal data; 4. the inclusion of a link to the information addressed to users of one's services in the registration flow in a position that allows it to be read before proceeding with registration, ensuring that all users who connect from Italy, including those already registered, on the first access following the possible reactivation of the service, must read this information; 5. the modification of the legal basis of the processing of users' personal data for the purpose of algorithmic training, eliminating any reference to the contract and assuming as the legal basis of the processing the consent or legitimate interest in relation to the assessments of the company's competence in a logic accountability; 6. the provision, on its website, at least to users of the service, who connect from Italy, of an easily accessible tool through which to exercise the right to object to the processing of their data for the training of algorithms if the basis legal entity chosen pursuant to point 5 above is the legitimate interest; 7. in the event of a possible reactivation of the service from Italy, the request, to all users who connect from Italy, including those already registered, to pass, on first access, an age gate which excludes, on the basis of the declared age, minor users; 8. the submission to the Guarantor, by 31 May 2023, of a plan for the adoption of age verification tools suitable for excluding access to the service to users under thirteen and minors in the absence of an express expression of will by of those who exercise parental responsibility over them. The implementation of this plan must start, at the latest, from 30 September 2023; 9. the promotion, by 15 May 2023, of an information campaign, of a non-promotional nature, on all the main Italian mass media (radio, television, newspapers and the Internet) the contents of which will be agreed with the Guarantor for the purpose to inform people of the probable collection of their personal data for the purpose of training the algorithms, of the publication on the company's website of a specific detailed information and of the availability, again on the company's website, of a tool through which all interested parties will be able to request and obtain the cancellation of their personal data. b) suspends the provisional limitation provision adopted with the President's emergency resolution no. 112 of 30 March 2023 and ratified by the Board in the meeting of 8 April 2023 with effect from the fulfillment of the provisions referred to in points 1 to 7 above. The decisions referred to in the previous points are taken with full prejudice to any activity to ascertain any violations of the current regulations that may be implemented by the data controller and any further or different measure that may be necessary at the conclusion of the formal investigation in progress. The Guarantor, pursuant to art. 58, par. 1, of the Regulation and of the art. 157 of the Code invites the data controller who is the recipient of the provision, also, to communicate: - by 30 April 2023, what initiatives have been undertaken in order to implement the provisions of points 1 to 7; - within the dates established for their fulfillment what initiatives have been undertaken in order to implement the provisions of points 8 to 9. - Please note that failure to respond to requests pursuant to art. 58 of the Regulation is punished with the administrative sanction pursuant to art. 83, par. 5, letter. e), of the Regulation itself. Pursuant to art. 78 of the Regulation, as well as the articles 152 of the Code and 10 of Legislative Decree lg. 1 September 2011, no. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller has his residence, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 11 April 2023 PRESIDENT Station THE SPEAKER Station THE SECRETARY GENERAL Matthew __________ GUARANTOR FOR THE PROTECTION OF PERSONAL DATA At today's meeting, with the participation of Pasquale Stanzione, President, Ginevra Cerrina Feroni, Vice-President, Agostino Ghiglia and Guido Scorza, members, and Fabio Mattei, Secretary-General; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95 /46/EC, 'General Data Protection Regulation' (hereinafter 'the Regulation'); Having regard to Legislative Decree No 196 of 30 June 2003 laying down provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter 'the Code'); Having regard to Decision No 112 of 30 March 2023 on the temporary limitation referred to in Article 58(2)(f) of the Regulation, as adopted in respect of OpenAI LLC (hereinafter also 'the Company') by the President as a matter of urgency pursuant to Article 5 (8) of Regulation 1/2000 on the organization and functioning of the Guarantor's Office, which was ratified at the meeting of 8 April 2023; Having regard to the e-mail of 3 April 2023 in which the Company expressed its willingness to meet the Guarantor; Taking note of the outcome of the meeting held by videoconference between the Guarantor's Panel of Commissioners and the Company's top managers on 5 April 2023; Having regard to the information gathered from OpenAI, which stated, inter alia, its willingness to cooperate with the Guarantor in its letters of 6 and 7 April 2023, and also requested the lifting of the temporary limitation decision; Finding that it is possible to proceed with re-assessing the circumstances underpinning the temporary limitation decision by making the corresponding determinations, in the light of the information obtained and the willingness expressed by the Company to put in place concrete measures to protect the rights and freedoms both of the data subjects whose data have been processed to train the algorithms used to provide the ChatGPT service and of the users of that service, without prejudice to the continuation of the fact-finding activities initiated by the Garante, on condition that OpenAI factually implements the measures specified below which the Company is ordered to take pursuant to Article 58(2)(d) of the Regulation: 1. drafting and publishing, on the Company's website, an information notice which provides data subjects whose data have been collected and processed for the purpose of training algorithms – whether or not they are also users of the ChatGPT service - with information on how the processing is carried out, the logic underlying the processing that is necessary for the operation of the service, the rights to which they are entitled as data subjects, and any other element provided for in the Regulation within the terms and in accordance with the arrangements laid down in Article 12 of the latter; 2. making available, on the Company's website, at least to data subjects who are connected from Italy, whether or not they are also users of the service, a tool by which they can exercise their right to object to the Company's processing of their personal data for the purpose of training algorithms and providing the service in sofar as such data have been obtained from third parties; 3. making available, on the Company's website, at least to data subjects who are connected from Italy, whether or not they are also users of the service, a tool by which to request and obtain rectification of any personal data relating to them which they have been processed incorrectly in the generation of contents or, where this is not possible according to state-of-the-art technology, the erasure of their personal data; 4. including a link to the user information notice in the registration flow at such a location as can allow it to be read before continuing with the registration and in such a way as to enable all users connecting from Italy, including registered users, to view that information notice immediately they access the service following the possible reactivation of such service; 5. changing the legal basis of the processing of users' personal data for the purpose of algorithmic training, by removing any reference to contract and relying on consent or legitimate interest as legal bases by having regard to the assessment the Company is required to make from an accountability perspective; 6. making available, on the Company's website, at least to users who are connected from Italy, an easily accessible tool by which to exercise their right to object to the processing of their own data as acquired when using the service for the purpose of training algorithms, where the legal basis chosen under point 5 above is the Company's legitimate interest; 7. including a request to all users connecting from Italy, whether already registered or not, to go through an age gate upon their initial access following the possible reactivation of the service for Italy so as to filter out underage users on the basis of the inputted age; 8. submitting a plan for the deployment of age verification tools to the Garante by 31 May 2023, whereby users aged under 13 should be prevented from accessing the service along with users aged under 18 in the absence of an express indication of consent by the person exercising parental authority over the latter; implementation of this plan shall start at the latest on 30 September 2023; 9. promoting a non-marketing oriented information campaign by 15 May 2023, on all the main Italian mass media (including radio, television, newspapers and the Internet), the content of which shall be agreed upon with the Guarantor, in order to inform individuals that their personal data are likely to have been collected for the purpose of training algorithms, that an ad-hoc detailed information notice has been published on the Company's website, and that a tool has been made available, still on the Company's website, by means of which all data subjects can request and obtain the erasure of their personal data; Finding that the measures set out in points 1 to 7 above shall be complied with in full by 30 April 2023 at the latest; Finding, if the foregoing conditions are fulfilled, that enforcement of its temporary limitation decision may be suspended as from compliance with the measures set out in points 1 to 7 above, whereby this shall be without prejudice to such further action, even of an urgent and temporary nature, as may be taken in the event of inadequate or insufficient implementation of the above measures; Whereas the current decisions shall be without prejudice to any further measures as may prove necessary following the conclusion of the fact-finding activities under way; Having regard to the records on file; Acting on the report submitted by Prof. Pasquale Stanzione; BASED ON THE FOREGOING PREMISES, THE GUARANTEE a) orders OpenAI LLC, the US-based developer and manager of ChatGPT, in its capacity as the controller of the processing of personal data carried out through the said application, pursuant to Article 58(2)(d) of the Regulation, 1. to draft and publish, on the Company's website, an information notice which provides data subjects whose data have been collected and processed for the purpose of training algorithms – whether or not they are also users of the ChatGPT service - with information on how the processing is carried out, the logic underlying the processing that is necessary for the operation of the service including all the relevant features thereof (ChatGPT, APIs, etc), the rights to which they are entitled as data subjects, and any other element provided for in the Regulation within the terms and in accordance with the arrangements laid down in Article 12 of the latter; 2. to make available, on the Company's website, at least to data subjects who are connected from Italy, whether or not they are also users of the service, a tool by which they can exercise their right to object to the Company's processing of their personal data for the purpose of training algorithms and providing the service insofar as such data have been obtained from third parties; 3. to make available, on the Company's website, at least to data subjects who are connected from Italy, whether or not they are also users of the service, a tool by which to request and obtain rectification of any personal data relating to them which have been processed incorrectly in the generation of contents or, where this is not possible according to state-of-the-art technology, the erasure of their personal data; 4. to include a link to the user information notice in the registration flow at such a location as can allow it to be read before continuing with the registration and in such a way as to require all users connecting from Italy, including registered users, to view that information notice immediately they access the service following the possible reactivation of such service; 5. to change the legal basis of the processing of users' personal data for the purpose of algorithmic training, by removing any reference to contract and relying on consent or legitimate interest as legal bases by having regard to the assessment the Company is required to make from an accountability perspective; 6. to make available, on the Company's website, at least to users who are connected from Italy, an easily accessible tool by which to exercise their right to object to the processing of their own data as acquired when using the service for the purpose of training algorithms, where the legal basis chosen under point 5 above is the Company's legitimate interest; 7. to include a request to all users connecting from Italy, whether already registered or not, to go through an age gate upon their initial access following the possible reactivation of the service for Italy so as to filter out underage users on the basis of the inputted age; 8. to submit a plan for the deployment of age verification tools to the Garante by 31 May 2023, whereby users aged under 13 should be prevented from accessing the service along with users aged under 18 in the absence of an express indication of consent by the person exercising parental authority over the latter; implementation of this plan shall start at the latest on 30 September 2023; and 9. to promote a non-marketing oriented information campaign by 15 May 2023, on all the main Italian mass media (including radio, television, newspapers and the Internet), the content of which shall be agreed upon with the Guarantor, in order to inform individuals that their personal data are likely to have been collected for the purpose of training algorithms, that an ad-hoc detailed information notice has been published on the Company's website, and that a tool has been made available, still on the Company's website, by means of which all data subjects can request and obtain the erasure of their personal data, within the time limits set out in the premises hereof; b) suspends enforcement of the temporary limitation decision that was adopted by way of an urgent determination of the President (No 112 of 30 March 2023) and ratified by the Garante's Panel of Commissioners at its meeting of 8 April 2023 as from compliance with the measures set out in points 1 to 7 above. The foregoing decisions are made without prejudice to such activities as may be carried out to establish any infringements of the legislation in force by the controller and to such further or different measures as may prove necessary upon completion of the fact-finding activities under way. Pursuant to Article 58(1) of the Regulation and Section 157 of the Code, the Garante hereby requests the controller addressed by this decision to communicate the following: - what steps have been taken to implement the measures set out in points 1 to 7, by 30 April 2023; - what steps have been taken to implement the measures set out in points 8 to 9, by the dates referred to therein respectively. It is recalled hereby that failure to comply with orders under Article 58 of the Regulation carries the administrative fine referred to in Article 83(5)(e) of the Regulation. Under the terms of Article 78 of the Regulation as applied jointly with Section 152 of the Code and Section 10 of legislative decree No 150 of 1 September 2011, this decision may be challenged by lodging an appeal with the court of the place where the controller is resident by thirty days from notification hereof, or by sixty days if the appellant is resident abroad. Rome, 11 April 2023 THE PRESIDENT Station THE RAPPORTEUR Station THE SECRETARY-GENERAL Matthew SEE ALSO - Press release dated 13 April 2023 - Press release dated 12 April 2023 - Press release dated 8 April 2023 - Press release dated 6 April 2023 - Press release dated April 4, 2023 - Press release dated March 31, 2023 - Provision of 30 March 2023 - English version [doc. web no. 9874702] Provision of April 11, 2023 Register of measures no. 114 of 11 April 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter, “Regulation”); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (hereinafter the "Code"); CONSIDERING the provision n. 112 of 30 March 2023 of temporary limitation pursuant to art. 58, par. 2, lit. f), of the Regulation, adopted against OpenAI L.L.C. (hereinafter also the "Company") by the President as a matter of urgency, pursuant to art. 5, paragraph 8, of Regulation no. 1/2000 on the organization and functioning of the Office of the Guarantor, which was ratified in the meeting of 8 April 2023; HAVING REGARD to the email dated 3 April 2023 with which the Company expressed its willingness to meet with the Guarantor; HAVING ACKNOWLEDGED the results of the meeting held by teleconference between the Board of Statutory Auditors and the top management of the Company on 5 April 2023; GIVEN the information acquired by OpenAI which, with the notes of 6 and 7 April 2023, expressed, among other things, its willingness to collaborate with the Guarantor, also requesting the revocation of the provision for the provisional limitation of the processing; CONSIDERED, in view of the information acquired and the willingness shown by the Company to implement a series of concrete measures to protect the rights and freedoms of the interested parties, whose data have been processed for the training of the algorithms instrumental to the provision of the service ChatGPT, and of the users of the service itself, without prejudice to the natural continuation of the preliminary investigation started, to be able to proceed to re-evaluate the existence of the conditions of the provision of provisional limitation, adopting the consequent determinations, provided that OpenAI takes steps to concretely implement a series of measures and provisions specifically identified below, which are ordered to the Company pursuant to art. 58, par. 2, lit. d), of the Regulation: 1. prepare and publish information on its website which, within the terms and in the manner set out in art. 12 of the Regulation, explain to the interested parties also other than users of the ChatGPT service, whose data have been collected and processed for the purpose of training the algorithms, the methods of treatment, the logic underlying the treatment necessary for the functioning of the service, the rights due to them as interested parties and any other information required by the Regulation; 2. make available, on its website, at least to interested parties, even other than users of the service, who connect from Italy, a tool through which they can exercise the right to object to the processing of their personal data, obtained from third parties, carried out by the company for the purpose of training the algorithms and providing the service; 3. make available, on its website, at least to interested parties, even other than users of the service, who connect from Italy, a tool through which they can request and obtain the correction of any personal data concerning them that have been processed inaccurately in the generation of contents or, if this proves impossible in the state of the art, the cancellation of personal data; 4. insert a link to the information addressed to users of one's services in the registration flow in a position that allows it to be read before proceeding with registration, through methods that allow all users who connect from Italy, including those already register, on the first access following the possible reactivation of the service, to read this information; 5. modify the legal basis of the processing of users' personal data for the purpose of training the algorithms, eliminating any reference to the contract and assuming as the legal basis of the processing the consent or legitimate interest in relation to the assessments of the company's competence in a logic accountability; 6. make available, on its website, at least to users of the service, who connect from Italy, an easily accessible tool through which to exercise the right to object to the processing of their data acquired when using the service for training of algorithms if the legal basis chosen pursuant to point 5 above is legitimate interest; 7. during the possible reactivation of the service from Italy, insert the request, to all users who connect from Italy, including those already registered, to pass, during the first access, an age gate which excludes, on the based on the declared age, minor users; 8. submit to the Guarantor, by 31 May 2023, a plan for the adoption of age verification tools suitable for excluding access to the service to users under the age of thirteen and to minors in the absence of an express expression of will by those exercise parental responsibility over them. The implementation of this plan must start, at the latest, from 30 September 2023; 9. promote, by 15 May 2023, an information campaign, of a non-promotional nature, on all the main Italian mass media (radio, television, newspapers and the Internet) the contents of which will be agreed with the Guarantor, for the purpose to inform people of the probable collection of their personal data for the purpose of training the algorithms, of the publication on the Company's website of a specific detailed information and of the availability, again on the Company's website, of a tool through which all interested parties can request and obtain the cancellation of their personal data; CONSIDERING that the provisions referred to in points 1 to 7 must be fully fulfilled no later than 30 April 2023; CONSIDERING, under the aforementioned conditions, that it can suspend the effectiveness of its provisional limitation provision starting from the fulfillment of prescriptions from 1 to 7, with the exception of any further intervention, even of an urgent and temporary nature, in the case of unsuitable or insufficient implementation of the above provisions; SPECIFYING that today's decisions are in any case taken subject to any further measures that may be necessary at the conclusion of the formal investigation in progress; HAVING REGARD to the documentation in the deeds; SPEAKER Prof. Pasquale Stanzione; ALL THIS CONSIDERING THE GUARANTOR a) pursuant to art. 58, par. 2, lit. d) of the Regulation enjoins OpenAI L.L.C., a US company that develops and manages ChatGPT, as owner of the processing of personal data carried out through this application, within the terms set out in the premises: 1. the preparation and publication on its website of information which, within the terms and in the manner set out in art. 12 of the Regulation, explain to the interested parties also other than users of the ChatGPT service, whose data have been collected and processed for the purpose of training the algorithms, the methods of treatment, the logic underlying the treatment necessary for the functioning of the service in all different declinations (ChatGPT, API etc.), the rights due to them as data subjects and any other information required by the Regulation; 2. the provision, on its website, at least to interested parties, even other than users of the service, who connect from Italy, of an instrument through which they can exercise the right to object to the processing carried out by the company for the purposes algorithm training and service delivery; 3. the provision, on its website, at least to interested parties, even other than users of the service, who connect from Italy, of a tool through which to request and obtain the correction of any personal data concerning them processed in inaccurate way in the generation of contents or, if this proves impossible in the state of the art, the cancellation of personal data; 4. the inclusion of a link to the information addressed to users of one's services in the registration flow in a position that allows it to be read before proceeding with registration, ensuring that all users who connect from Italy, including those already registered, on the first access following the possible reactivation of the service, must read this information; 5. the modification of the legal basis of the processing of users' personal data for the purpose of algorithmic training, eliminating any reference to the contract and assuming as the legal basis of the processing the consent or legitimate interest in relation to the assessments of the company's competence in a logic accountability; 6. the provision, on its website, at least to users of the service, who connect from Italy, of an easily accessible tool through which to exercise the right to object to the processing of their data for the training of algorithms if the legal basis chosen pursuant to point 5 above is legitimate interest; 7. in the event of a possible reactivation of the service from Italy, the request, to all users who connect from Italy, including those already registered, to pass, on first access, an age gate which excludes, on the basis of the declared age, minor users; 8. the submission to the Guarantor, by 31 May 2023, of a plan for the adoption of age verification tools suitable for excluding access to the service to users under thirteen and minors in the absence of an express expression of will by of those who exercise parental responsibility over them. The implementation of this plan must start, at the latest, from 30 September 2023; 9. the promotion, by 15 May 2023, of an information campaign, of a non-promotional nature, on all the main Italian mass media (radio, television, newspapers and the Internet) the contents of which will be agreed with the Guarantor for the purpose to inform people of the probable collection of their personal data for the purpose of training the algorithms, of the publication on the company's website of a specific detailed information and of the availability, again on the company's website, of a tool through which all interested parties will be able to request and obtain the cancellation of their personal data. b) suspends the provisional limitation provision adopted with the President's emergency resolution no. 112 of 30 March 2023 and ratified by the Board in the meeting of 8 April 2023 with effect from the fulfillment of the provisions referred to in points 1 to 7 above. The decisions referred to in the previous points are taken with full prejudice to any activity to ascertain any violations of the current regulations that may be implemented by the data controller and any further or different measure that may be necessary at the conclusion of the formal investigation in progress. The Guarantor, pursuant to art. 58, par. 1, of the Regulation and of the art. 157 of the Code invites the data controller who is the recipient of the provision, also, to communicate: - by 30 April 2023, what initiatives have been undertaken in order to implement the provisions of points 1 to 7; - within the dates established for their fulfillment what initiatives have been undertaken in order to implement the provisions of points 8 to 9. - Please note that failure to respond to requests pursuant to art. 58 of the Regulation is punished with the administrative sanction pursuant to art. 83, par. 5, letter. e), of the Regulation itself. Pursuant to art. 78 of the Regulation, as well as the articles 152 of the Code and 10 of Legislative Decree lg. 1 September 2011, no. 150, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller has his residence, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad. Rome, 11 April 2023 PRESIDENT station THE SPEAKER station THE SECRETARY GENERAL Matthew __________ GUARANTOR FOR THE PROTECTION OF PERSONAL DATA At today's meeting, with the participation of Pasquale Stanzione, President, Ginevra Cerrina Feroni, Vice-President, Agostino Ghiglia and Guido Scorza, members, and Fabio Mattei, Secretary-General; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95 /46/EC, 'General Data Protection Regulation' (hereinafter 'the Regulation'); Having regard to Legislative Decree No 196 of 30 June 2003 laying down provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter 'the Code'); Having regard to Decision No 112 of 30 March 2023 on the temporary limitation referred to in Article 58(2)(f) of the Regulation, as adopted in respect of OpenAI LLC (hereinafter also 'the Company') by the President as a matter of urgency pursuant to Article 5 (8) of Regulation 1/2000 on the organization and functioning of the Guarantor's Office, which was ratified at the meeting of 8 April 2023; Having regard to the e-mail of 3 April 2023 in which the Company expressed its willingness to meet the Guarantor; Taking note of the outcome of the meeting held by videoconference between the Guarantor's Panel of Commissioners and the Company's top managers on 5 April 2023; Having regard to the information gathered from OpenAI, which stated, inter alia, its willingness to cooperate with the Guarantor in its letters of 6 and 7 April 2023, and also requested the lifting of the temporary limitation decision; Finding that it is possible to proceed with re-assessing the circumstances underpinning the temporary limitation decision by making the corresponding determinations, in the light of the information obtained and the willingness expressed by the Company to put in place concrete measures to protect the rights and freedoms both of the data subjects whose data have been processed to train the algorithms used to provide the ChatGPT service and of the users of that service, without prejudice to the continuation of the fact-finding activities initiated by the Garante, on condition that OpenAI factually implements the measures specified below which the Company is ordered to take pursuant to Article 58(2)(d) of the Regulation: 1. drafting and publishing, on the Company’s website, an information notice which provides data subjects whose data have been collected and processed for the purpose of training algorithms – whether or not they are also users of the ChatGPT service - with information on how the processing is carried out, the logic underlying the processing that is necessary for the operation of the service, the rights to which they are entitled as data subjects, and any other element provided for in the Regulation within the terms and in accordance with the arrangements laid down in Article 12 of the latter; 2. making available, on the Company’s website, at least to data subjects who are connected from Italy, whether or not they are also users of the service, a tool by which they can exercise their right to object to the Company’s processing of their personal data for the purpose of training algorithms and providing the service insofar as such data have been obtained from third parties; 3. making available, on the Company’s website, at least to data subjects who are connected from Italy, whether or not they are also users of the service, a tool by which to request and obtain rectification of any personal data relating to them which have been processed incorrectly in the generation of contents or, where this is not possible according to state-of-the-art technology, the erasure of their personal data; 4. including a link to the user information notice in the registration flow at such a location as can allow it to be read before continuing with the registration and in such a way as to enable all users connecting from Italy, including registered users, to view that information notice immediately they access the service following the possible reactivation of such service; 5. changing the legal basis of the processing of users’ personal data for the purpose of algorithmic training, by removing any reference to contract and relying on consent or legitimate interest as legal bases by having regard to the assessment the Company is required to make from an accountability perspective; 6. making available, on the Company’s website, at least to users who are connected from Italy, an easily accessible tool by which to exercise their right to object to the processing of their own data as acquired when using the service for the purpose of training algorithms, where the legal basis chosen under point 5 above is the Company’s legitimate interest; 7. including a request to all users connecting from Italy, whether already registered or not, to go through an age gate upon their initial access following the possible reactivation of the service for Italy so as to filter out underage users on the basis of the inputted age; 8. submitting a plan for the deployment of age verification tools to the Garante by 31 May 2023, whereby users aged under 13 should be prevented from accessing the service along with users aged under 18 in the absence of an express indication of consent by the person exercising parental authority over the latter; implementation of this plan shall start at the latest on 30 September 2023; 9. promoting a non-marketing oriented information campaign by 15 May 2023, on all the main Italian mass media (including radio, television, newspapers and the Internet), the content of which shall be agreed upon with the Garante, in order to inform individuals that their personal data are likely to have been collected for the purpose of training algorithms, that an ad-hoc detailed information notice has been published on the Company’s website, and that a tool has been made available, still on the Company’s website, by means of which all data subjects can request and obtain the erasure of their personal data; Finding that the measures set out in points 1 to 7 above shall be complied with in full by 30 April 2023 at the latest; Finding, if the foregoing conditions are fulfilled, that enforcement of its temporary limitation decision may be suspended as from compliance with the measures set out in points 1 to 7 above, whereby this shall be without prejudice to such further action, even of an urgent and temporary nature, as may be taken in the event of inadequate or insufficient implementation of the above measures; Whereas the current decisions shall be without prejudice to any further measures as may prove necessary following the conclusion of the fact-finding activities under way; Having regard to the records on file; Acting on the report submitted by Prof. Pasquale Stanzione; BASED ON THE FOREGOING PREMISES, THE GARANTE a) orders OpenAI LLC, the US-based developer and manager of ChatGPT, in its capacity as the controller of the processing of personal data carried out through the said application, pursuant to Article 58(2)(d) of the Regulation, 1. to draft and publish, on the Company’s website, an information notice which provides data subjects whose data have been collected and processed for the purpose of training algorithms – whether or not they are also users of the ChatGPT service - with information on how the processing is carried out, the logic underlying the processing that is necessary for the operation of the service including all the relevant features thereof (ChatGPT, APIs, etc), the rights to which they are entitled as data subjects, and any other element provided for in the Regulation within the terms and in accordance with the arrangements laid down in Article 12 of the latter; 2. to make available, on the Company’s website, at least to data subjects who are connected from Italy, whether or not they are also users of the service, a tool by which they can exercise their right to object to the Company’s processing of their personal data for the purpose of training algorithms and providing the service insofar as such data have been obtained from third parties; 3. to make available, on the Company’s website, at least to data subjects who are connected from Italy, whether or not they are also users of the service, a tool by which to request and obtain rectification of any personal data relating to them which have been processed incorrectly in the generation of contents or, where this is not possible according to state-of-the-art technology, the erasure of their personal data; 4. to include a link to the user information notice in the registration flow at such a location as can allow it to be read before continuing with the registration and in such a way as to require all users connecting from Italy, including registered users, to view that information notice immediately they access the service following the possible reactivation of such service; 5. to change the legal basis of the processing of users’ personal data for the purpose of algorithmic training, by removing any reference to contract and relying on consent or legitimate interest as legal bases by having regard to the assessment the Company is required to make from an accountability perspective; 6. to make available, on the Company’s website, at least to users who are connected from Italy, an easily accessible tool by which to exercise their right to object to the processing of their own data as acquired when using the service for the purpose of training algorithms, where the legal basis chosen under point 5 above is the Company’s legitimate interest; 7. to include a request to all users connecting from Italy, whether already registered or not, to go through an age gate upon their initial access following the possible reactivation of the service for Italy so as to filter out underage users on the basis of the inputted age; 8. to submit a plan for the deployment of age verification tools to the Garante by 31 May 2023, whereby users aged under 13 should be prevented from accessing the service along with users aged under 18 in the absence of an express indication of consent by the person exercising parental authority over the latter; implementation of this plan shall start at the latest on 30 September 2023; and 9. to promote a non-marketing oriented information campaign by 15 May 2023, on all the main Italian mass media (including radio, television, newspapers and the Internet), the content of which shall be agreed upon with the Garante, in order to inform individuals that their personal data are likely to have been collected for the purpose of training algorithms, that an ad-hoc detailed information notice has been published on the Company’s website, and that a tool has been made available, still on the Company’s website, by means of which all data subjects can request and obtain the erasure of their personal data, within the time limits set out in the premises hereof; b) suspends enforcement of the temporary limitation decision that was adopted by way of an urgent determination of the President (No 112 of 30 March 2023) and ratified by the Garante’s Panel of Commissioners at its meeting of 8 April 2023 as from compliance with the measures set out in points 1 to 7 above. The foregoing decisions are made without prejudice to such activities as may be carried out to establish any infringements of the legislation in force by the controller and to such further or different measures as may prove necessary upon completion of the fact-finding activities under way. Pursuant to Article 58(1) of the Regulation and Section 157 of the Code, the Garante hereby requests the controller addressed by this decision to communicate the following: - what steps have been taken to implement the measures set out in points 1 to 7, by 30 April 2023; - what steps have been taken to implement the measures set out in points 8 to 9, by the dates referred to therein respectively. It is recalled hereby that failure to comply with orders under Article 58 of the Regulation carries the administrative fine referred to in Article 83(5)(e) of the Regulation. Under the terms of Article 78 of the Regulation as applied jointly with Section 152 of the Code and Section 10 of legislative decree No 150 of 1 September 2011, this decision may be challenged by lodging an appeal with the court of the place where the controller is resident by thirty days from notification hereof, or by sixty days if the appellant is resident abroad. Rome, 11 April 2023 THE PRESIDENT Stanzione THE RAPPORTEUR Stanzione THE SECRETARY GENERAL Mattei
