ES
Spain | Regulatory Framework Status:
Effective: N/A
moderate

AEPD policy for the use of generative AI in administrative processes

General Policy for the Use of Generative AI in AEPD Administrative Processes

I. Regulatory Summary

Requires an internal GenAI governance framework: inventorying systems, use-case approval with risk assessment, staff rules for disclosure and mandatory review, and strengthened procurement/cybersecurity controls. Operational teams must implement traceability, logging, and incident handling tailored to GenAI deployments.

II. Full Description

**Context and purpose** The AEPD’s strategic planning (2025–2030) promotes safe and responsible GenAI adoption in public administration. This first version establishes an internal policy framework for deploying GenAI in AEPD administrative processes.

**Scope** Applies exclusively within the AEPD. The document states it is not an interpretive or compliance instrument for the EU AI Act.

**Governance** Defines organisational, functional, technical, DPO, information-security and GenAI-lead responsibilities.

**Policies and procedures** Includes policies on selecting system type/integration level; handling personal/sensitive/confidential information; design of use cases; availability/resilience; organisational transparency/traceability; explainability; automated decision oversight; fundamental-rights and GDPR safeguards; cybersecurity; procurement; HR; staff use; supervision; and incident management.

**Source file**: ES - 20251127 - AEPD - politica-iag-aepd.pdf

III. Scope & Application

Internal policy applicable exclusively to the AEPD’s administrative processes. Sets governance roles and operating policies for selecting, deploying and supervising generative AI (GenAI) systems, including data protection, confidentiality, transparency, explainability, cybersecurity, procurement, HR and staff-use rules. Explicitly states it does not interpret or implement the EU AI Act; its scope is internal organisational governance.

IV. Policy Impact Assessment

Requires an internal GenAI governance framework: inventorying systems, use-case approval with risk assessment, staff rules for disclosure and mandatory review, and strengthened procurement/cybersecurity controls. Operational teams must implement traceability, logging, and incident handling tailored to GenAI deployments.

Primary Focus: public sector generative AI governance