FOR PREVIEWING & TESTING PURPOSES ONLY.
This notification will disappear once the page will be published.
This link is available for less than 30 minutes.
  • Easy to read
  • Text size

You have a complaint against an EU institution or body?

Current language: 
  • English
Available languages: 

Use of the GPT@EC from the European Commission in the EO Office (Pilot Project)

1. Last update of this record: 20/11/25

2. Reference number: 07/2025

Ref. Ares(2025)10889478

3. Name and contact details of the controller(s)

· European Ombudsman, 1 avenue du Président Robert Schuman, CS 30403, F-67001 Strasbourg Cedex -

Contact: Directorate for Administration- Process & documents management, business continuity Team - contact: https://www.ombudsman.europa.eu/en/contacts

Responsible departments: Process & documents management, business continuity Team- ICT staff members and SG

Email : icteo-personaldataprotection@ombudsman.europa.eu

4. Name and contact details of the Data Protection Officer:

Ms Francesca Pavesi-

Deputy DPO: Mr Nicholas Hernanz

Functional mailbox: Dpo-Euro-Ombudsman@ombudsman.europa.eu

5. Name and contact details of the processors:

- The European Commission-DG DIGIT according to Annex I and VII of the SLA[1].

Email : DIGIT-B1-DATA-PROTECTION@ec.europa.eu

In addition, the controller has authorised the use of the following sub-processor:

Name: Microsoft Azure OpenAI (Azure)

Description of the processing: public cloud provider Microsoft Azure OpenAI (Azure) is used to call the OpenAI LLM services hosted in their infrastructure.

6. Name and contact details of the joint controller(s) N/A

7. Purpose(s) of the processing:

Short description of the processing:

The information below relates to the GPT@EC pilot project, whose primary objective is to establish a platform that embeds a fully operational, general-purpose conversational system. The platform is designed to ensure proper access control via EU Login and relies on secure infrastructure so that all processed information remains under the control of the European Commission.

The primary aim of the GPT@EC Pilot project is to develop a beta version that integrates a fully operational, general-purpose generative AI solution. This pilot version of GPT@EC will support the use of Large Language Models (LLMs) hosted either on-premises or by public cloud providers.

The purposes of the processing operation are as follows:

  • 1. Authorising the secure access of the users to the system through registration and EU Login.
  • 2. Enabling the corporate use of the LLMs by the authenticated users by means of their input (text prompts and the use of retrieval augmented generation (RAG) tools for attachments, such as PDFs) and the use of the generated responses by the LLMs (output) based on the input of the users.
  • 3. Ensuring logging and monitoring for cybersecurity purposes.
  • 4. Ensuring logging and monitoring for billing purposes to keep track of the service consumption by individual users and groups of users, to allow cross-charging.
  • 5. Setting up an abuse monitoring component to detect and mitigate abusive or inappropriate use of the GPT@EC. The component monitors both ingress and egress flows to the LLMs.
  • 6. Handling the prompts library to manage and access favourite prompts and to use the corporate prompt templates.

Personal data will not be used for an automated decision-making including profiling.

Personal data may be processed as part of the prompts and may also appear in the outputs. Although the tool is not intended to process personal data, such data may be incidentally handled in the context of the uses described below.

The purpose of the deployment of GPT@EC within the Ombudsman’s Office is to improve the quality and efficiency in the handling of inquiries, administration-related and communication-related tasks by the EO thanks to GPT@EC. The project is likely to benefit the complainants and the public at large, as GPT@EC is likely to help the EO to complete its tasks in a shorter timeframe and with less resources, as well as to further improve the quality of its outputs. The processing of personal data is merely incidental to the use of GPT@EC, in that the tool may need to access limited personal data contained in documents or prompts submitted by users to generate meaningful outputs. Such processing does not constitute an end in itself but is instrumental to achieving the objectives of the pilot project. In addition, data processed by the Ombudsman’s Office are not used to train or improve AI models.

GPT@EC will be authorised for the following uses at the EO office:

  • Assisting in editing the drafts of EO’s letters, solution proposals, recommendations, decisions etc., as well as any administrative documents, IT code and communication materials, in particular by helping to ensure clear and simple language and logical structure. Additionally, providing coding support for IT and web development projects.
  • Assisting in researching basic information, for instance applicable laws, case law, available complaint mechanisms at the national level; IT code, however, this use may be limited due to the well-known inaccuracies produced by LLMs and the risk of errors.
  • Assisting in summarising and analysing large documents or large amounts of statistical or financial data.

The tool is not used to take decisions, make recommendations, assess admissibility, determine outcomes, or prioritise complaints. These activities remain exclusively within the responsibility of human staff members.

The Ombudsman staff remain fully responsible for the outcomes produced with GPT@EC support. AI assists with specific tasks but does not replace human judgment or decision-making in complaint handling and conducting inquiries.

The LLMs under the scope of the project are: LLMs on (Microsoft Azure) cloud: GPT4o.

The use is restricted only to in-house LLMs. The information is only processed in memory of the respective application with no data whatsoever in the processor entity. As such the information is not accessible to the entities described above for their individual use

8. Description of the categories of data subjects and of the categories of personal data:

- Data subjects:

- The use of GPT@EC will involve:

• the transfer and processing by the EC of personal data of EO staff - the EO staff will share their personal data while using GPT@EC and while uploading information containing personal data of their colleagues (ex: administration-related documents),

• the transfer and processing by the EC of personal data of third parties contained in inquiry-related documents.

- Categories of personal data:

In order to carry out this processing operation, the EO collects the following categories of personal data:

1. Personal data related with the user of the system:

a) User registration information: Identity information (name, surname, email address, Directorate, role within the unit, topics/policy of work).

b) EU Login personal data used for authentication

c) Personal data contained in the logs files for functional cybersecurity and security monitoring.

d) Personal data contained in the logs files for billing purposes to keep track of the service consumption.

e) User interactions with the systems, prompts and responses, including the processing carry out to prevent abusive use of the systems by means of an abuse monitoring functionality.

f) Handling the prompts library to manage and access favourite prompts and to use the corporate prompt templates.

Users will be expressly instructed to refrain from using inputs which include special categories of data, or data relating to criminal convictions and offences when using the tool. Users are also instructed to critically evaluate outputs based on inadvertent use of special categories of data which could not reasonably be foreseen when uploading the relevant documents. The users have also been instructed to duly fill a form on instances where they have identified documents that contain such data and therefore should be avoided.

2. Personal data related with the datasets used as part of the input: This may include any personal data included in the documents/datasets that the user attaches to its prompts with the purpose to contextualize its prompts by means of the retrieval augmented generation (RAG) functionality.

3. Personal data related with the output. This might include personal data in the response of the LLM based on the user input and/or, if applicable and hypothetically, on the datasets used to pre-train the LLM by the LLM’s provider.

9. Time limit for keeping the data and, where possible, for erasure:

The system has its own retention periods, please check the EC record to know more

https://ec.europa.eu/dpo-register/detail/DPR-EC-25348.1

10. Recipients of the data:

Access to users’ personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

Users’ personal data is only accessible by authorised DG DIGIT staff from, who are involved in the pilot project.

In the context of investigations of security incidents, the data could be transferred and further processed following DIGIT record DPR-EC-02886 on DIGIT IT security operations and services. Access is provided according to the “need to know” principle.

As far as the personal data included in the prompts, the content of the prompts is immediately encrypted. As mentioned in the DPIA on the European Ombudsman’s pilot use of GPT@EC, the technical and organisational measures implemented by the Commission include encryption at application level, strict encryption key management procedures, detailed logging of access to encryption keys, and 90-day retention of users’ interactions.

11. Are there any transfers of personal data to third countries and/or to International Organisations?

The processing of personal data by Microsoft Azure and AWS (data processors) will take place in their datacentres in Europe. For on-premises models, the processing activities will take place in the Joint Research Centre and DG DIGIT servers in the EU.

International transfers might only occur in case of use of LLMs relying on Microsoft Azure. As mentioned in the DPIA on the European Ombudsman’s pilot use of GPT@EC, the Commission has already put in place adequate safeguards.

12. General description of security measures:

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

The Commission's contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the General Data Protection Regulation in the EU Member States ('GDPR' Regulation (EU) 2016/679).

In order to protect users’ personal data, the Commission has put in place a number of technical and organisational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

13. Information on how data subjects can exercise their rights of access and rectification, and where applicable, of erasure, restriction and data portability:

The data subjects have the right of access to their own personal data and to relevant information concerning how the EO uses them. They have also a right to request rectification of any incomplete or inaccurate data concerning them. They can rectify identification data at any time during the procedure. They have a right to object to the use of their data by the EO on grounds relating to their particular situation, at any time. Under certain conditions, they have the right to ask that the EO deletes their personal data or restricts its use.

At any time, they may ask the EO information concerning its processing of their personal data by using the contact form: https://www.ombudsman.europa.eu/en/contacts.

Data subjects may also contact the European Commission by email: DIGIT-B1-DATA-PROTECTION@ec.europa.eu

The EO will reply to their requests as soon as possible and within one month at the latest.

They may also contact the EO Data Protection Officer at: dpo-euro-ombudsman@ombudsman.europa.eu If they wish to complain about the Ombudsman’s handling of their personal data, they may contact the European Data Protection Supervisor (www.edps.europa.eu)

Privacy Statement relating to the use of the GPT@EC from the European Commission in the European Ombudsman’s Office

Ref. Ares(2025)10889478

This privacy statement explains the reason for the processing, the way the European Ombudsman (EO) collects, handles and ensures protection of all personal data provided, how that information is used and what rights the data subjects may exercise in relation to their data.

The controller is the EO. The processor is the European Commission- Directorate General DIGIT which manages the GPT@EC information system[2]. Sub-processor is the cloud provider Microsoft Azure OpenAI (Azure) which is used to call the Large Language Models (LLMs) services hosted in their infrastructure.

1. What personal data will the European Ombudsman process?

Staff members of the EO may use the GPT@EC services provided by the European Commission to carry out their duties.

In order to carry out this processing operation, the EO collects the following categories of personal data:

  1. Personal data related with the user of the system:

a) User registration information: Identity information (name, surname, email address, Directorate, role within the unit, topics/policy of work).

b) EU Login personal data used for authentication

c) Personal data contained in the logs files for functional cybersecurity and security monitoring.

d) Personal data contained in the logs files for billing purposes to keep track of the service consumption.

e) User interactions with the systems, prompts and responses, including the processing carry out to prevent abusive use of the systems by means of an abuse monitoring functionality.

f) Handling the prompts library to manage and access favourite prompts and to use the corporate prompt templates.

Users will be expressly asked not to input special categories of data, or data relating to criminal convictions and offences when using the tool.

  1. Personal data related with the datasets used as part of the input: This may include any personal data included in the documents/datasets that the user attaches to its prompts with the purpose to contextualize its prompts by means of the retrieval augmented generation (RAG) functionality.
  2. Personal data related with the output. This might include personal data in the response of the LLM based on the user input and/or, if applicable and hypothetically, on the datasets used to pre-train the LLM by the LLM’s provider.

2. Why does the European Ombudsman process these personal data?

The purpose of the use of the GPT@EC Pilot project is to develop a beta version that integrates a fully operational, general-purpose generative AI solution. This pilot version of GPT@EC will support the use of Large Language Models (LLMs) hosted either on-premises or by public cloud providers.

The purposes of the processing operation are as follows:

  • 1. Authorising the secure access of the users to the system through registration and EU Login.
  • 2. Enabling the corporate use of the LLMs by the authenticated users by means of their input (text prompts and the use of retrieval augmented generation (RAG) tools for attachments, such as PDFs) and the use of the generated responses by the LLMs (output) based on the input of the users.
  • 3. Ensuring logging and monitoring for cybersecurity purposes.
  • 4. Ensuring logging and monitoring for billing purposes to keep track of the service consumption by individual users and groups of users, to allow cross-charging.
  • 5. Setting up an abuse monitoring component to detect and mitigate abusive or inappropriate use of the GPT@EC. The component monitors both ingress and egress flows to the LLMs.
  • 6. Handling the prompts library to manage and access favourite prompts and to use the corporate prompt templates.

Personal data will not be used for an automated decision-making including profiling.

Personal data may be processed as part of the prompts and may also appear in the outputs. Although the tool is not intended to process personal data, such data may be incidentally handled in the context of the uses described below. The purpose of the deployment of GPT@EC within the EO Office is to improve the quality and efficiency in the handling of inquiries, administration-related and communication-related tasks by the EO thanks to GPT@EC. The project is likely to benefit the complainants and the public at large, as GPT@EC is likely to help the EO to complete its tasks in a shorter timeframe and with less resources, as well as to further improve the quality of its outputs. The processing of personal data is merely incidental to the use of GPT@EC, in that the tool may need to access limited personal data contained in documents or prompts submitted by users to generate meaningful outputs. Such processing does not constitute an end in itself but is instrumental to achieving the objectives of the pilot project. In addition, data processed by the Ombudsman’s Office are not used to train or improve AI models.

GPT@EC will be authorised for the following uses at the EO office:

• Assisting in editing the drafts of EO’s letters, solution proposals, recommendations, decisions etc., as well as any administrative documents, IT code and communication materials, in particular by helping to ensure clear and simple language and logical structure. Additionally, providing coding support for IT and web development projects.

• Assisting in researching basic information, for instance applicable laws, case law, available complaint mechanisms at the national level; IT code, however, this use may be limited due to the well-known inaccuracies produced by LLMs and the risk of errors.

• Assisting in summarising and analysing large documents or large amounts of statistical or financial data.

The tool is not used to take decisions, make recommendations, assess admissibility, determine outcomes, or prioritise complaints. These activities remain exclusively within the responsibility of human staff members.

The Ombudsman staff remain fully responsible for the outcomes produced with GPT@EC support. AI assists with specific tasks but does not replace human judgment or decision-making in complaint handling and conducting inquiries.

The LLMs under the scope of the project are: LLMs on (Microsoft Azure) cloud: GPT4o.

The solution provides appropriate access control through EU Login and relies on secure infrastructure to ensure that all processed information remains under the Commission’s control.

The use is restricted only to in-house LLMs. The information is only processed in memory of the respective application with no data whatsoever in the processor entity. As such the information is not accessible to the entities described above for their individual use

3. What are the legal bases and necessity for processing this data?

We process your personal data on the basis of Article 5(1)(a) of Regulation 2018/1725 (“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body”).

The legal bases are the following:

  • The Statute of the European Ombudsman[3]
  • the EO’s Information and Communication Technologies Security Policy of 21 July 2025.
  • Level Agreement (SLA) DIGIT-061-00 signed on 29 October 25 between the European Ombudsman and the DG DIGIT of the European Commission (DG Digital Services) ref. [SLA DIGIT-061-04], in particular the Data Processing Agreement to the Appendix 08.

4. Who is responsible for processing the data?

The Ombudsman’s Directorate for Administration - Process & documents management, business continuity Team and a staff member in the Secretariat General.

5. Who will be recipients of the data?

Access to your personal data is provided to the EC staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

Your personal data is only accessible by authorised DG DIGIT staff from the EC, who are involved in the pilot project.

In the context of investigations of security incidents, the data could be transferred and further processed following DIGIT record DPR-EC-02886 on DIGIT IT security operations and services. Access is provided according to the “need to know” principle.

6. How long will the data be kept?

The system has its own retention periods[4].

7. How do we protect your data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

The EC's contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the EC, and by the confidentiality obligations deriving from the General Data Protection Regulation in the EU Member States ('GDPR' Regulation (EU) 2016/679).

In order to protect your personal data, the EC has put in place a number of technical and organisational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

As far as the personal data included in the prompts, the content of the prompts is immediately encrypted. As mentioned in the DPIA on the European Ombudsman’s pilot use of GPT@EC, the technical and organisational measures implemented by the Commission include encryption at application level, strict encryption key management procedures, detailed logging of access to encryption keys, and 90-day retention of users’ interactions.

8. What are your rights and how can you exercise them?

You have the right of access to your own personal data and to relevant information concerning how the EO uses it.

You have also a right to request rectification of any incomplete or inaccurate data concerning you. You can rectify identification data at any time. You have a right to object to the use of your data by the EO on grounds relating to your particular situation, at any time. Under certain conditions, you have the right to ask that the EO deletes your personal data or restrict its use.

The EO will reply to your requests as soon as possible and within one month at the latest.

9. Who to contact in case of queries or complaints concerning data protection issues?

At any time, you may send data protection related questions concerning the use of the GPT@EC from the EC in the EO Office, at the following address:

European Ombudsman
1 avenue du Président Robert Schuman
CS 30403
F-67001 Strasbourg Cedex
https://www.ombudsman.europa.eu/en/contacts

You also may contact the EC at the following email: DIGIT-B1-DATA-PROTECTION@ec.europa.eu

You also may contact the Data Protection Officer of the EO office at the following address: DPO-Euro-Ombudsman@ombudsman.europa.eu

You may lodge a complaint with the European Data Protection Supervisor at any time at the following address: www.edps.europa.eu

 

[1] See the Service Level Agreement (SLA) concerning the use of GPT@EC signed between the EO and the EC on 29/10/2025.

[2] See the Service Level Agreement (SLA) concerning the use of GPT@EC signed between the EO and the EC on 29/10/2025.

[3] Regulation (EU, Euratom) 2021/1163 of The European Parliament of 24 June 2021 laying down the Regulations and general Conditions governing the performance of the Ombudsman’s duties (Statute of the European Ombudsman) and repealing Decision 94/262/ECSC, EC, Euratom): https://www.ombudsman.europa.eu/en/legal-basis/statute/en

[4] Please consult the EC record on GPT@EC at: https://ec.europa.eu/dpo-register/detail/DPR-EC-25348.1