This Checklist deals with areas of diligence and contractual terms relevant to personal data sharing by a customer with a vendor that is using generative AI (artificial intelligence that can create outputs such as text, images, video, or sound, referred to as Gen AI below) to provide services to the customer. We will refer both to the underlying Gen AI model and the AI system in which it operates as applicable, and will refer simply to Gen AI where vendors may be utilising either a Gen AI model or an AI system incorporating it.This Checklist only covers data protection issues under UK law (in particular, the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR)). It focuses on the salient points for Gen AI purposes when contracting in a data processing relationship, and should be read in conjunction with: Audit of a new or existing personal data processor—checklist and Stand-alone data processing