UPDATE – MARCH 2026:
Since the original release of the European Data Protection Supervisor’s (EDPS) guidance on generative AI, the regulator has continued refining its recommendations as AI adoption expands across European institutions. In October 2025, the EDPS published a revised and expanded version of the guidelines, incorporating feedback from EU institutions, bodies, offices, and agencies (EUIs) that had begun evaluating generative AI systems in real-world environments.
The updated guidance provides more detailed clarification on how Regulation (EU) 2018/1725 applies to generative AI systems used by EU institutions. It includes a refined definition of generative AI, clearer explanations of institutional responsibilities, and more practical recommendations for maintaining compliance throughout the AI lifecycle. The EDPS placed additional emphasis on core privacy principles such as data minimization, transparency, and accuracy of personal data used in AI systems.
The revised guidelines also strengthen the role of Data Protection Officers (DPOs), highlighting their importance in overseeing AI deployments from the earliest design stages through ongoing monitoring. EU institutions are encouraged to ensure that DPOs are closely involved in impact assessments, vendor evaluations, and governance processes surrounding generative AI use.
Another key focus of the updated guidance is accountability. The EDPS emphasizes that institutions must maintain clear documentation of how generative AI systems are trained, deployed, and monitored. This includes detailed explanations of dataset sources, safeguards against misuse, and procedures for handling risks related to bias, automated decision-making, and data protection violations.
In February 2026, the EDPS also joined other international data protection authorities in issuing a joint statement addressing privacy risks related to AI-generated imagery and synthetic media. While the statement did not introduce new rules specific to the EDPS guidance, it highlighted the growing global concern about how generative AI systems can affect privacy, identity protection, and misinformation.
The EDPS has indicated it will continue monitoring the rapid development of generative AI technologies and may issue additional updates as regulatory expectations and technical practices evolve.
ORIGINAL NEWS STORY:
European Data Protection Supervisor Issues New Guidelines for Generative AI Compliance
In a significant move to ensure data protection in the rapidly evolving field of artificial intelligence, the European Data Protection Supervisor (EDPS) has released comprehensive guidelines aimed at EU institutions, bodies, offices, and agencies (EUIs) for the use of generative AI systems. These guidelines are designed to help EUIs navigate the complex landscape of data protection while leveraging generative AI technologies.
What Is Generative AI?
Generative AI refers to machine learning models that produce text, images, or audio. These systems often rely on large foundation models trained on vast datasets. While they enable powerful applications, they also raise concerns about privacy and data protection.
Core Principles in the EDPS Guidelines
The EDPS structured the guidelines around several key themes:
Data Minimization
EUIs should collect and process only the personal data necessary for a specific purpose. This principle applies throughout the AI lifecycle, from training to deployment. By limiting data use, organizations reduce risks and demonstrate responsible handling.
Data Protection Impact Assessments (DPIAs)
Before deploying generative AI systems, EUIs must conduct DPIAs. These assessments help identify risks tied to personal data processing. Moreover, EDPS guidance stresses that Data Protection Officers (DPOs) should be involved from the outset.
Role of Data Protection Officers
DPOs play a central role in compliance. They advise on obligations, monitor AI deployments, and act as contact points for individuals and the EDPS. Their oversight ensures that systems align with European privacy standards and safeguard individual rights.
Transparency Requirements
The EDPS calls for full transparency in AI deployments. EUIs must explain:
-
What personal data is processed.
-
How datasets are curated, tagged, and used.
-
Why the data is necessary.
By doing so, EUIs build trust and give individuals clear insight into how their data is handled.
Safeguards Against Automated Decision-Making
The guidelines stress that AI must not undermine human rights. Therefore, EUIs should ensure that any automated decision includes the possibility of human review. Individuals must have the right to contest decisions and provide their perspective.
Ongoing Monitoring and Oversight
Compliance does not end at deployment. The EDPS requires continuous monitoring of:
-
Data accuracy.
-
Security measures.
-
Potential biases.
EUIs should adopt bias detection and minimization practices and make sure systems remain traceable and auditable. Regular evaluations help maintain fairness and accountability.
Why the Guidelines Matter
The EDPS’s proactive stance shows how European regulators view AI: as a technology with both promise and risk. These guidelines aim to help EUIs use generative AI responsibly while protecting privacy and fundamental rights.
Need Help?
If you have questions about European AI data protection rules, reach out to BABL AI. Their Audit Experts can help you interpret regulations and ensure your organization stays compliant.
