The rapid rise of generative artificial intelligence (GenAI) poses new challenges for the protection of personal data, particularly in the context of the European institutions subject to EU Regulation 2018/1725. Aware of these challenges, the European Data Protection Supervisor (EDPS) published, at the end of October 2025, a revised version of its guidelines to support the European Union’s institutions, bodies, offices and agencies in their responsible and compliant implementation of generative AI systems in line with data protection standards.
This opinion complements Opinion 28/2024 issued on 17 December 2024 by the European Data Protection Board (EDPB) on certain aspects of the protection of personal data in the context of artificial intelligence (AI) models.
Key takeaways from the October 2025 EDPS Notice on Generative AI
The European opinion (about forty pages long and illustrated with many examples) addresses in particular the fact that:
- the development and use of generative AI systems must comply with the entire EU Regulation 2018/1725 on the protection of personal data, applicable to the European institutions. Indeed, the Regulation (like the GDPR) is technologically neutral;
- the roles of the various stakeholders must be clearly defined. Will the European institution be (co-)controller in relation to the use of the AI tool? Is it a simple data processor? Defining the role requires considering who decides on the purposes and means of processing, and it is very important for knowing which obligations must be respected accordingly;
- the European institutions are, or will be, required to carry out a Data Protection Impact Assessment (DPIA) before the deployment of a high-risk system, with the involvement of the Data Protection Officer (DPO);
- it will be impossible to rely on consent as a legal basis in the context of generative AI due to the number, nature and complexity of the data processed;
- institutions must clearly inform data subjects about the use of AI, the data processed, the purposes and the rights that may be exercised, in particular in the case of automated decisions.
Conclusion
The EDPS opinion underlines the crucial importance of a careful, responsible and rigorous approach in the deployment of generative artificial intelligence systems within the European institutions. In the face of the complexity and potential risks associated with the processing of personal data, the EDPS guidance provides a clear framework to ensure that technological innovations respect fundamental rights, transparency and citizens’ trust. The EDPS therefore calls for constant vigilance, proactive risk management and governance based on data protection by design principles, so that generative AI can be operated ethically, reliably and in accordance with European law.
This approach ensures not only legal compliance, but also the social and democratic acceptability of these innovative technologies in the public sector.