EUIs Using Generative AI Systems: EDPS Guidelines
3 September 2024 // Preprint Issue 2/2024
Cornelia Riehle LL.M.

On 3 June 2024, the EDPS published guidelines on generative Artificial Intelligence and personal data for EU institutions, bodies, offices and agencies (EUIs). When using or developing generative AI tools, the guidelines will help EUIs comply with the data protection obligations set out in Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (EUDPR). The guidelines address the following questions:

  • What is generative AI?
  • Can generative AI be used by EUIs?
  • What is the role of DPOs in the process of developing or deploying a generative AI system?
  • Is there a need to conduct a data protection impact assessment (DPIA)?
  • What constitutes the lawfulness of processing personal data during the design, development, and validation of generative AI systems and automated decision-making?
  • How can the principles of data minimisation, data accuracy, fair processing, and data security, as well as information and transparency policies, be ensured?
  • How can individual rights be exercised in the use of generative AI systems?

Overall, the EDPS does not oppose the use of generative AI technologies by EUIs but emphasises the need to carefully consider when and how generative AI can be used responsibly and beneficially for the public good:

  • All stages of the generative AI solution lifecycle should operate in accordance with the applicable legal frameworks, including the GDPR, when the system involves the processing of personal data;
  • The development and deployment of a generative AI system should involve all stakeholders throughout its lifecycle;
  • Regular, systematic, and continuous monitoring is crucial for the use of generative AI systems;
  • Throughout the lifecycle of the generative AI systems, EUIs should carefully assess the accuracy of the data and reconsider the use of such systems if the accuracy cannot be maintained.

The processing of personal data in the context of generative AI systems requires a solid legal basis in line with the EUDPR. Regular monitoring and the implementation of controls at all stages can help verify that there is no processing of personal data where it is not intended by the model. When using generative AI systems that process personal data, EUIs must provide individuals with all the information required by the EUDPR and GDPR. The information made available to individuals must be updated as necessary to ensure that the data subjects are properly informed and remain in control of their own data. Ultimately, where generative AI systems are to support decision-making processes, EUIs will need to carefully consider whether to deploy them - in respect of both their legality and their potential to produce unfair, unethical, or discriminatory decisions.


Author

Cornelia Riehle LL.M.

Institution:
Academy of European Law (ERA)

Department:
Criminal Law

Position:
Deputy Head of Section