European Union: European Data Protection Supervisor published orientations for ensuring data protection compliance when using Generative AI systems (Version 2)

On 28 October 2025, the European Data Protection Supervisor (EDPS) published the revised orientations for ensuring data protection compliance when using Generative AI systems (Version 2). The guidance addresses the use of generative Artificial Intelligence (AI) and the processing of personal data by European Union institutions, bodies, offices, and agencies (EUIs). The update aims to provide practical advice and instructions to EUIs, facilitating their compliance with data protection obligations outlined in Regulation (EU) 2018/1725, amidst rapid technological advancements and emerging challenges presented by generative AI systems. Building on feedback from EUIs, the revised guidance introduces several updates. It provides a refined definition of generative AI for enhanced clarity and consistency. A new, action-oriented compliance checklist has been included to assist EUIs in assessing and ensuring the lawfulness of their data processing activities. The document also clarifies roles and responsibilities, helping EUIs determine whether they function as controllers, joint controllers, or processors within generative AI systems. Furthermore, the guidance offers detailed advice on establishing lawful bases for processing, adhering to purpose limitation principles, and managing data subjects' rights in the context of generative AI. The EDPS issues these guidelines within its capacity as the independent data protection supervisory authority for EUIs, explicitly stating that they are not issued in its role as a market surveillance authority under the European Union's Artificial Intelligence Act.