Opinion

EDPS publishes revised guidance on generative AI and data protection

Published Date
Nov 14 2025
Related people
Isabel Iglesias, Manager Knowledge and Innovation, Madrid

On October 28 2025, the European Data Protection Supervisor (EDPS), in its capacity as the EU’s independent data protection supervisory authority (rather than market surveillance authority under the EU AI Act), issued “Orientations for ensuring data protection compliance when using Generative AI Systems”, revised guidance on the use of generative AI and the processing of personal data by EU institutions, bodies, offices and agencies (EUIs) (the Orientations). 

This update comes 16 months after the first iteration (published on June 3 2024), which served as a preliminary step toward more comprehensive guidance. The Orientations refine, expand, and clarify the EDPS’s approach, providing practical measures to support EUIs in designing, developing, and deploying generative AI systems in compliance with Regulation (EU) 2018/1725 (the EUDPR). Key updates include:

Refined definition of generative AI.

To ensure greater precision, clarity, and internal consistency, the EDPS clarifies that generative AI is a subset of AI referring to deep learning models capable of producing high quality text, images and other content based on training data. The Orientations explain the technical background in accessible terms, emphasising pattern identification in large datasets and the generation of relevant content in response to natural language inputs, and place large language models within the conceptual hierarchy of AI.

Operational compliance checklist for EUIs.

The Orientations move beyond the previous generic recommendations. In this updated version, a new operational compliance checklist is introduced, which aims to assist EUIs in assessing and ensuring the lawfulness of their processing activities, including recommendations such as those outlined below:

  • Define specific, explicit purposes of processing in the generative AI context and identify the appropriate lawful basis for each stage of the lifecycle. 
  • Formally determine and document roles and responsibilities (controller, processor, joint controller) for each distinct processing operation. 
  • Record all processing activities in the EUI’s register with the information required by Article 31 EUDPR. 
  • Conduct a generative AI risk assessment in line with the EDPS Guidance for Risk Management for AI systems and carry out a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk. 
  • Implement data protection by design and by default measures and apply core principles including transparency, data minimisation, storage limitation, and security. 
  • Maintain robust procedures for data subject rights, including access, rectification, and erasure. 
  • Undertake thorough third party vendor due diligence. 
  • Document mitigation measures and the final assessment that the generative AI system is trustworthy and compliant with the EUDPR, thereby demonstrating accountability. 

Roles and responsibilities in generative AI systems.

The Orientations include a dedicated new section to assist EUIs in determining whether they act as controllers, processors, or joint controllers, underlining that sectoral terms used in technology markets or the AI Act (such as “provider”, “developer”, “deployer”) do not correspond to EUDPR roles and should not be conflated. The EDPS reiterates the need for case by case qualification across development and deployment phases and transparent allocation of responsibilities.

Personal data and model anonymisation; web scraping.

The EDPS clarifies how to assess whether the use of an AI model involves personal data processing and sets out criteria (consistent with EDPB Opinion 28/2024) for considering a model “anonymous” in practice. The EDPS highlights the significant risks associated with web scraping and the need to demonstrate a valid lawful ground, ensure transparency, and comply with minimisation and accuracy obligations when publicly available personal data are collected for training. 

Lawfulness of processing; grounds and verification.

The EDPS emphasises that legitimate interest, a lawful basis that private providers often rely on for model development, is not available to EUIs under the EUDPR. EUIs must identify distinct lawful bases for processing at each stage of the lifecycle (development, fine tuning and deployment) and verify that any third party model used was not developed by unlawfully processing personal data. The Orientations also address data transfers under Chapter V EUDPR, with heightened scrutiny where cloud or cross border processing is involved.

Purpose limitation across lifecycle phases.

The EDPS requires that EUIs define specific purposes for each phase (training, fine tuning and deployment) and conduct compatibility assessments under Article 6 EUDPR before reusing data for new purposes. These purposes and the associated categories of data must be documented in the records of processing.

Data minimisation; synthetic and anonymised data.

Strengthening earlier guidance, the EDPS requires EUIs to verify, before using personal data, whether the intended purposes can be achieved with synthetic or anonymised data. The Orientations underscore the need for high quality, curated datasets, proper documentation, and periodic review, reinforcing privacy by design at the outset.

Relevance for organisations that are not EUIs

Although aimed at EUIs, the Orientations articulate governance practices relevant to any organisation deploying generative AI. Such practices include defining explicit purposes at each lifecycle phase; prioritising minimisation through curated, high quality datasets and the use of synthetic or anonymised data where feasible; and maintaining clear transparency for individuals when interactive systems are used. The EDPS highlights the need for safeguards around automated decision making, risk assessments and DPIAs where high risk is likely, rigorous accountability through accurate records of processing, and robust information security tailored to generative AI vulnerabilities. Vendor due diligence, controls for data transfers, and caution in web scraping (with assessments of lawfulness, transparency, minimisation, and accuracy) are identified as key elements of responsible and compliant deployment.

The 2024 orientations are available here; the revised 2025 Orientations are available here; and the press release is available here.
