EDPS revises GenAI guidelines: definition, checklist, and clearer controller/processor roles
EDPS has refreshed its generative AI guidance for EU institutions, with a clearer definition of GenAI and a practical compliance checklist. The message for builders is operational: document lawful bases and make data subject rights executable, not aspirational.
The European Data Protection Supervisor (EDPS) released revised guidelines on generative AI and the processing of personal data by EU institutions on October 27, 2025. The update emphasizes lawful processing and data subject rights in the context of rapidly evolving AI systems, positioning the guidance as a practical framework for compliance rather than a high-level statement of principles.
Key additions include a refined definition of generative AI, an actionable compliance checklist to assess whether AI-related processing is lawful, and more explicit delineation of roles and responsibilities for data controllers and processors. While the guidelines are directed at EU institutions, the operational expectations—especially around documentation and rights handling—are directly relevant to vendors and partners building or supplying GenAI capabilities into European environments. Synthetic data startups are singled out by implication: teams that train or fine-tune generative models on real datasets (even when outputs are “synthetic”) should expect heightened governance and audit scrutiny across Europe.
- Lawful basis must be provable, not assumed. Data teams should be prepared to document the lawful bases for AI training and related processing activities in a way that stands up to regulator review and procurement due diligence.
- Rights workflows become a product requirement. The guidance reinforces the need to operationalize data subject rights (including access, erasure, and transparency) with clear internal processes—not just policy language.
- Controller/processor clarity raises contracting expectations. More explicit role definitions typically translate into tighter DPAs, clearer allocation of responsibilities, and more demanding audit and assurance requests for GenAI suppliers.
- “Synthetic” is not a compliance shield. If synthetic data generation relies on real personal data at any stage, governance, documentation, and accountability expectations increase—especially in European deployments.
