The European Data Protection Supervisor (EDPS) today published its revised and updated guidelines on the use of generative Artificial Intelligence (AI) and processing of personal data by EU institutions, bodies, offices, and agencies (EUIs), reflecting the fast-moving technological landscape and the evolving challenges posed by generative AI systems.
This updated guidance reinforces the EDPS’ commitment to advising EUIs to help them fully comply with their data protection obligations set out in Regulation (EU) 2018/1725.
Building on feedback from EUIs, the revised guidance offers clearer and more practical instructions for the responsible development and deployment of generative AI tools. It introduces a number of key updates, including:
- a refined definition of generative AI for greater clarity and consistency;
- a new, action-oriented compliance checklist to help EUIs assess and ensure the lawfulness of their processing activities;
- clarified roles and responsibilities, assisting EUIs in determining whether they act as controllers, joint controllers, or processors;
- detailed advice on lawful bases, purpose limitation, and the handling of data subjects’ rights in the context of generative AI.
Wojciech Wiewiórowski, European Data Protection Supervisor, said: “Artificial intelligence is an extension of human ingenuity, and the rules governing it must evolve just as dynamically. This first revision of our Orientations is more than an update; it’s a reaffirmation of our dual mission: enabling human-centric innovation within the EU while rigorously safeguarding individual’s personal data. With this new version, we provide hands-on guidance to ensure that any generative AI used by EU institutions serves the public interest without compromising Europe’s data protection standards.”
The revised guidance underlines the EDPS’s proactive approach to monitoring technological developments and advising EU institutions on how to integrate innovation with respect for privacy and data protection. The EDPS will continue to track the evolution of generative AI and update its guidance where necessary to address emerging challenges.
The EDPS issues these guidelines within its role as independent data protection supervisory authority of the EUIs. The EDPS has not issued these guidelines within its role as a market surveillance authority under the EU’s Artificial Intelligence Act.
Questions can be directed to press@edps.europa.eu.
European Data Protection Supervisor