Art. 26.7 EU AI Act: transparency obligations towards individuals

By GovCompass.ai · Last verified June 2026 · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Art. 26.7 requires deployers of high-risk AI to inform the people who are subject to the system's decisions that a high-risk AI system is being used. This applies even where there is no direct interaction, such as CV screening or credit scoring.

Updated: June 2026

Introduction: transparency as a fundamental rights requirement

Art. 26.7 provides individuals affected by high-risk AI systems with a right to know. Deployers must "inform the natural persons on whom the high-risk AI system is intended to operate that they are subject to the use of the high-risk AI system." This obligation reflects the fundamental rights principle that people should not be subject to significant AI-driven decisions without their knowledge.

Art. 26.7 is distinct from, but overlapping with, GDPR transparency requirements. Where GDPR requires transparency about data processing, Art. 26.7 requires transparency about AI decision-making. For high-risk AI systems that also process personal data, both frameworks apply.

When does the obligation apply?

Art. 26.7 applies when a natural person is "subject to" a high-risk AI system's operation. This includes:

  • Job applicants whose CVs are screened by AI
  • Customers whose credit applications are assessed by AI
  • Students whose academic performance is evaluated by AI
  • Benefit applicants whose eligibility is assessed by AI
  • Patients whose medical imaging is analysed by AI

The obligation applies before or at the point of the AI interaction, not retroactively after a decision has been made.

What must be communicated?

The minimum required information:

  1. That an AI system is being used in the process that affects them
  2. The purpose of the AI system
  3. The deployer's contact details for further information or objection

Best practice (aligning with GDPR transparency standards) additionally includes:

  • The type of AI system (classification, recommendation, prediction)
  • The role of the AI in the overall decision (sole basis, supporting input, one factor among many)
  • The individual's rights, including the right to request human review under GDPR Art. 22 where applicable

Exception: security and sensitive contexts

Art. 26.7 provides a limited exception: where notifying the individual would compromise the purpose of the AI system. The clearest example is law enforcement contexts where advance notification would enable suspects to evade detection. However, this exception is narrow and must be proportionate; it cannot be used as a blanket exclusion for commercial contexts.

Notification template

Example for HR context (CV screening):

"[Organization name] uses an AI-assisted screening system to review applications. This system analyses your application against the role requirements and produces a preliminary assessment. All AI assessments are reviewed by a human recruiter before any decision is made. For more information about how this system works or to raise a concern, contact [contact details]."

Compliance checklist

  1. Have you mapped every point in your processes where individuals are subject to high-risk AI?
  2. Is a notification in place for each such touchpoint?
  3. Is the notification provided before or at the point of the AI interaction?
  4. Does the notification cover at minimum: AI use, purpose, and contact details?
  5. Is the exception for sensitive contexts documented with a legal justification if you rely on it?
  6. Is the Art. 26.7 notification coordinated with your GDPR privacy notice?

Legal references: Art. 26

More on Transparency & explainability

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 26.8 EU AI Act: registration in the EU database

Reference

Art. 26.8 requires deployers that are public authorities (or act on their behalf) to verify that a high-risk AI system is registered in the EU database before putting it into use, and to refrain from using it if it is not.

Art. 49 EU AI Act: registration in the EU database for providers

Reference

Art. 49 requires providers of high-risk AI systems to register the system in the EU database before placing it on the market. The database serves both market surveillance and public accountability, letting citizens see which high-risk systems are in use.

Art. 52 EU AI Act: the systemic-risk notification procedure

Reference

Art. 52 sets out the procedure that connects to the systemic-risk classification of Art. 51. A provider must notify the Commission without delay, and within two weeks, when its general-purpose AI model meets or is foreseen to meet the systemic-risk threshold. The provider can argue, with the notification, that its model does not present systemic risk despite crossing the threshold. The Commission maintains and publishes a list of GPAI models with systemic risk.