CJEU and Personal Data in Generative AI: Case Law and European DPA Guidelines 2024-2025
Analysis of CJEU case law and European Data Protection Authority resolutions on personal data processing by generative AI models: training, inference and right to erasure.
# CJEU and Personal Data in Generative AI: Status in 2025
The impact of GDPR on large language models (LLMs) and generative AI is one of the most active legal debates of 2024-2025. European DPAs and the CJEU have been shaping the new regulatory landscape.
## Key developments 2024-2025
CNIL (France): Identified lack of legal basis for training data, data inaccuracy (hallucinations about real people), and frustrated right of access in the ChatGPT investigation.
EDPB Opinion 02/2024: Training on personal data requires a legal basis under Art. 6 GDPR. Legitimate interest is not automatically valid; it requires a legitimate interest assessment (LIA test). For the inference phase: the company deploying the model is responsible for outputs containing personal data.
Right to erasure and LLMs: EDPB acknowledged the tension; LLMs do not store data in deletable form. Machine unlearning techniques may become a future technical obligation. Absent effective unlearning, the controller must assess whether retraining without the data subject's data is required.
Italian Garante: Suspended ChatGPT in Italy in 2023. Lifted the suspension with conditions. Published criteria in 2025 on valid legal basis for AI training with European data.
AEPD (Spain) 2025: Published AI and data protection guide. Key points: legitimate interest valid for training on public data subject to LIA; anonymisation vs pseudonymisation distinction; mandatory DPIA for large-scale AI processing; training data in raw form must be deleted after training.
CJEU C-461/22 (2025): Companies deploying AI chatbots are co-controllers for the personal data in the outputs generated, even if the model was trained by third parties.
## Implications for law firms using AI
- Do not input client personal data into AI tools without contractual confidentiality guarantees (Art. 28 GDPR DPA)
- Verify the data processing location; non-EEA servers require standard contractual clauses
- Inform clients if their data is processed by AI tools
- Maintain human oversight for outputs containing third-party personal data