If you are building on an LLM API and you process anyone's personal data, the question lands sooner or later: which provider lets me do this and stay GDPR compliant, OpenAI, Anthropic, or Google? The honest answer is that all three can be configured to comply. The differences are in the defaults and in how much work each one leaves on your desk.
This is the hub for our three deep-dives: ChatGPT / OpenAI API, the Claude API, and the Gemini API. Here we put them side by side.
The one thing that decides it: tier, not brand
Most of the GDPR risk in an LLM API comes down to two questions. Does the provider train on your data? And can you get a real Article 28 contract with EU data residency and controlled retention? On the standard paid API tiers, all three providers give you a defensible answer. The traps are at the edges: free tiers, consumer apps, and the wrong default region.
The sharpest example is Google. The free Google AI Studio tier uses your prompts and responses to improve its products, with possible human review. The paid Gemini API and Vertex AI do not. Same brand, opposite answer, decided entirely by which tier you call. OpenAI and Anthropic are more uniform: their API does not train on your data by default, on free or paid.
Side by side (2026)
| | OpenAI (ChatGPT API) | Anthropic (Claude API) | Google (Gemini) |
|---|---|---|---|
| Trains on API data by default | No | No | No on paid API and Vertex AI; yes on free AI Studio |
| DPA available | Yes (with SCCs) | Yes (Irish governing law, SCCs, UK + Swiss addenda) | Cloud DPA via Vertex AI / Google Cloud (SCCs, UK addendum) |
| EU data residency | EU data processing for eligible endpoints | Transfers via SCCs/DPF; no EU-region pin confirmed | Per-request European regional endpoints on Vertex AI (global default can route to US) |
| Retention control | Zero-retention available, approval-gated | Limited retention; configurable | Zero Data Retention (ZDR) on Vertex AI |
| US transfer mechanism | DPF + SCCs | DPF + SCCs + UK/Swiss addenda | DPF + SCCs + UK addendum |
| Strongest path | Standard paid API + zero retention | No-training default + full DPA | Vertex AI, EU region pinned |
| EU AI Act role | GPAI provider; you are deployer | GPAI provider; you are deployer | GPAI provider; you are deployer |
The table is the short version. The configuration detail for each lives in the deep-dives linked throughout.
"Which AI API does not train on my data?"
This is the question a lot of teams actually start from, and the answer is cleaner than the noise around it suggests.
On the standard paid API, none of OpenAI, Anthropic, or Google trains on your prompts and responses. OpenAI and Anthropic hold that line on every API tier. Google holds it on the paid Gemini API and Vertex AI, and breaks it on the free AI Studio tier, where content is used to improve its products and may be read by reviewers.
So a "privacy-first, no training on your data" setup is available from all three. The rule of thumb: use a paid API tier, get the no-training commitment in writing in the DPA, and keep personal data out of free and consumer tiers. If you want the strongest version of that promise, Anthropic's no-training default and Google's Vertex AI with Zero Data Retention are the two to look at first.
"Can I keep the data in the EU?"
Data residency is where the three diverge most, and it is usually the control that does the heavy lifting for a UK or EU controller.
- Google (Vertex AI) gives you the most explicit residency: choose a European region and address a European endpoint, and eligible inference stays in Europe. The catch worth knowing is that the default global endpoint can route to the US, so you set EU residency on each request, and the global default does not do it for you.
- OpenAI offers EU data processing for eligible API endpoints on qualifying plans, so data at rest can stay in Europe for those projects.
- Anthropic covers transfers through its DPA with the Standard Contractual Clauses and the UK and Swiss addenda. Claude traffic runs under those transfer safeguards rather than pinned to an EU region, so if in-region processing is a hard requirement, confirm the current options before you commit.
In every case the pattern is the same: residency is a setting you switch on and then confirm in your own configuration.
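One way to make that confirmation mechanical, as an added example that is not part of the original article: a pre-flight check a team can run in CI over its own LLM client configuration, which reports every way the config has drifted off the compliant path described above (wrong Google tier, global Vertex AI endpoint, no EU region, no DPA, no zero retention). The `LlmConfig` fields and the sample configs are constructed assumptions; the Vertex AI regional and Gemini API hostnames are Google's documented ones and are not taken from the page.

```python
import re
from dataclasses import dataclass

# Vertex AI regional endpoints take the form <region>-aiplatform.googleapis.com;
# the global endpoint (aiplatform.googleapis.com) carries no residency promise.
EU_REGION = re.compile(r"^europe-[a-z]+\d+$")
GEMINI_API_HOST = "generativelanguage.googleapis.com"  # standalone Gemini API / AI Studio


@dataclass
class LlmConfig:
    provider: str            # "google" (Vertex AI or Gemini API), "openai", "anthropic"
    endpoint_host: str       # host the client is actually pointed at
    location: str = ""       # Vertex AI region; empty when not applicable
    free_tier: bool = False
    zero_retention: bool = False
    dpa_signed: bool = False
    personal_data: bool = True


def residency_findings(cfg: LlmConfig) -> list[str]:
    """Return the gaps between this config and the compliant path; empty means clean."""
    out: list[str] = []
    if not cfg.personal_data:
        return out                       # no personal data, no GDPR question
    if not cfg.dpa_signed:
        out.append("no Article 28 DPA with SCCs on file")
    if cfg.provider == "google":
        if cfg.endpoint_host == GEMINI_API_HOST:
            if cfg.free_tier:
                out.append("free AI Studio tier: content used for training, possible human review")
            out.append("standalone Gemini API: no EU region pin; route via Vertex AI")
        else:
            if not EU_REGION.match(cfg.location):
                out.append(f"Vertex AI location {cfg.location!r} is not a European region")
            if cfg.endpoint_host != f"{cfg.location}-aiplatform.googleapis.com":
                out.append("not on the regional endpoint: global endpoint can route to the US")
    elif cfg.free_tier:
        out.append("free/consumer tier: keep personal data on the paid API")
    if not cfg.zero_retention:
        out.append("zero/limited retention not enabled")
    return out


# Constructed sample configs (not real projects): the wrong default and the EU-pinned path.
WRONG_DEFAULT = LlmConfig("google", "aiplatform.googleapis.com", location="global", dpa_signed=True)
EU_PINNED = LlmConfig("google", "europe-west1-aiplatform.googleapis.com",
                      location="europe-west1", zero_retention=True, dpa_signed=True)

if __name__ == "__main__":
    for name, cfg in (("wrong default", WRONG_DEFAULT), ("eu pinned", EU_PINNED)):
        print(name, residency_findings(cfg) or "OK")
```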
The DPA, and what it does not cover
All three give you an Article 28 Data Processing Agreement with the Standard Contractual Clauses for transfers. Anthropic's runs under Irish governing law with the UK and Swiss addenda; OpenAI's includes the SCCs; Google's robust DPA is the Cloud Data Processing Addendum on the Vertex AI and Google Cloud path, rather than the lighter terms on the standalone Gemini API. The eight DPA clauses that decide the risk are the same checklist for all three, and CompanyScope's vendor profiles set them out side by side.
The DPA matters, and it is not the finish line. It covers the provider's obligations. You are still the controller, and that half does not move whichever brand you pick:
- A DPIA before you go live.
- Data minimisation built into the prompt, so you are not shipping whole records when a fragment will do.
- A privacy notice that names the AI processor and where data is processed.
- A lawful basis, usually legitimate interest or contract.
- An automated-decision check: if an output drives a significant decision about a person by solely automated means, the Article 22A to 22D safeguards apply.
- The transfer recorded in your records of processing.
Where Mistral and self-hosting fit
Two options sit outside the big three and earn their place for GDPR work.
Mistral is an EU company, which quietly removes the international-transfer question for a lot of European controllers, and it offers a DPA. If data residency is your first concern and the model fits the task, it is worth a look.
Self-hosted open models (Llama, Mistral, Mixtral) keep data on your own infrastructure. There is no external processor, so no third-party DPA and no transfer to manage. The trade is operational: you run and secure the infrastructure yourself, and the DPIA and AI Act classification still apply to the processing.
How to choose
- You want the simplest path to compliance: OpenAI or Anthropic on the paid API. No-training by default, a DPA with SCCs, and zero or limited retention to configure.
- You want the strongest residency: Google's Vertex AI with an EU region pinned and Zero Data Retention, or OpenAI's EU data processing for eligible endpoints.
- Residency is non-negotiable and the model fits: Mistral or self-hosted, to take the transfer question off the table.
- Whatever you pick: the controller duties above are identical. The provider choice changes the starting difficulty. The destination is the same.
The bottom line
There is no single "most GDPR-compliant" LLM API. There is the right tier configured the right way, and the controller work done properly on top. OpenAI and Anthropic get you closest to compliant out of the box; Google gives you the strongest residency on Vertex AI but punishes the wrong tier; Mistral and self-hosting solve the transfer question outright. Pick on capability and residency, configure the no-training and retention settings, sign the DPA, and then do your own DPIA, minimisation, notice, and transfer record.
Michael K. Onyekwere is a CIPP/E certified data protection professional and the founder of Janus Compliance. For a real answer on your provider setup, transfers, retention, and DPIA, start with a £500 scoping review.
Current as at 24 June 2026. This is educational, not legal advice. Provider terms change; verify each provider's current DPA, training policy, retention, residency options, and certifications before you rely on them. Deep-dives: ChatGPT / OpenAI API, Claude API, Gemini API. See also: AI vendor due diligence.
Frequently Asked Questions
Which LLM API is the most GDPR compliant: OpenAI, Anthropic, or Google?
All three can be run in a GDPR-compliant way on the right tier, so the honest answer is that it depends less on the brand and more on the path. OpenAI and Anthropic do not train on API data by default and both offer a DPA with the SCCs. Google is the one where the tier decides everything: the free Google AI Studio tier trains on your data, while the paid Gemini API and Vertex AI do not. For EU data residency, Google's Vertex AI and OpenAI lead; for contractual strength and a no-training default, Anthropic is strong; for the simplest setup, OpenAI and Anthropic are closest to compliant out of the box.
Which AI APIs do not train on your data?
On their standard paid API tiers, OpenAI and Anthropic do not use your prompts or responses to train their models, and Google does not train on the paid Gemini API or Vertex AI. The exception is Google's free AI Studio tier, which does use submitted content to improve its products and may involve human review. If a no-training guarantee is your priority, use the paid API tier of any of the three, confirm it in the DPA, and avoid free or consumer tiers.
Can I keep LLM API data in the EU?
Google and OpenAI offer the clearest EU data residency. Google's Vertex AI lets you pin a European region per request (the default global endpoint can route to the US), and OpenAI offers EU data processing for eligible API endpoints on qualifying plans. Anthropic covers transfers through its DPA with the SCCs and the UK and Swiss addenda rather than an EU-region option, so confirm the current position if in-region processing is a hard requirement. In every case, residency is a setting you configure and confirm in your own integration; the default does not guarantee it.
Is a DPA enough to make an LLM API GDPR compliant?
No. The DPA (Article 28) is necessary but it only covers the provider's side. You remain the controller, which means the DPIA, data minimisation in your prompts, the privacy notice, the lawful basis, the automated-decision check under Article 22, and the transfer record are all still your responsibility regardless of which provider you choose. The provider lowers the starting difficulty; it does not remove your duties.
What about Mistral or self-hosted open models for GDPR?
Mistral is EU-based, which simplifies the data-residency and transfer questions, and it offers a DPA. Self-hosted open models (Llama, Mistral, Mixtral) keep data on your own infrastructure, so there is no external processor and no international transfer to manage, at the cost of running the infrastructure yourself. Both are legitimate GDPR-friendly options; the trade-off is model capability and operational overhead versus transfer simplicity.
Start with a £500 scoping review
If you need GDPR documentation, AI Act work, or a compliant AI build, the first step is a written scoping review. You get a real report, not a generic discovery call.