October 29, 2025 — In a significant move toward harmonizing artificial intelligence with data protection principles, the European Data Protection Supervisor (EDPS) has released updated guidelines aimed at ensuring the lawful use of generative AI across EU institutions. These revisions come at a time when AI technologies are rapidly evolving, and regulatory clarity is more critical than ever.
🔍 What’s New in the Guidelines?
The revised guidelines offer a comprehensive framework for EU institutions, bodies, and agencies to align their use of generative AI with Regulation (EU) 2018/1725, which governs personal data processing within EU institutions.
Key Enhancements:
• Clearer Definitions: The EDPS now provides refined terminology to distinguish generative AI from other AI systems, including large language models (LLMs), deep learning, and machine learning.
• Compliance Checklist: A practical tool for assessing the legality of AI deployments, helping institutions navigate complex regulatory terrain.
• Role Clarification: Guidance on identifying whether an entity acts as a controller, joint controller, or processor in AI-related data processing.
• Lawful Basis & Purpose Limitation: Institutions are urged to define clear legal grounds for data processing and ensure that data is used strictly for its intended purpose.
• Data Minimization & Accuracy: Emphasis on collecting only necessary data and maintaining its accuracy throughout the AI lifecycle.
• Transparency & Rights: Institutions must inform individuals about how their data is used and uphold their rights under EU law.
• Security & Accountability: Stronger requirements for documenting responsibilities and implementing robust security measures.
• DPO Involvement: Data Protection Officers are positioned as central figures in AI governance, from design to deployment.
🧭 A Human-Centric Vision
EDPS Supervisor Wojciech Wiewiórowski described the update as a “reaffirmation of our dual mission: enabling human-centric innovation within the EU while rigorously safeguarding individuals’ personal data.”
This statement underscores the EDPS’s commitment to balancing technological advancement with ethical responsibility—a theme increasingly echoed across global regulatory landscapes.
📌 Why This Matters
As generative AI becomes embedded in public services and decision-making, the risk of privacy violations, algorithmic bias, and opaque data practices grows. These guidelines serve as a proactive measure to mitigate such risks and ensure that innovation does not come at the expense of fundamental rights.
🧭 What Should Institutions Do?
• Review and integrate the EDPS compliance checklist into AI project planning.
• Engage Data Protection Officers early in the AI development lifecycle.
• Audit existing AI systems for alignment with the updated guidelines.
• Educate teams on the distinctions between AI types and their respective legal implications.