On 17 October 2025, the Conference of the Independent Data Protection Supervisory Authorities of the Federal and State Governments (DSK) adopted guidance on data protection for generative Artificial Intelligence (AI) systems using the Retrieval Augmented Generation (RAG) methodology. The guidance applies to all organisations processing personal data through RAG systems, including those using embedded models and vector databases. It stresses that controllers must ensure reference documents are accurate and current, and must implement tenant separation and access controls to protect personal data. It also states that data in vector databases must be deletable and tied to specific purposes, and that personal data cannot be stored unnecessarily. Data subject rights to access, rectify, and delete data must be maintained, and system prompts must instruct the AI to answer only from referenced sources.