GovCompass
Knowledge base

Art. 26.7 EU AI Act: Transparency Obligations Towards Individuals

Updated: June 2026 — full revision to Validai quality standard

Introduction: Transparency as a Fundamental Rights Requirement

Art. 26.7 provides individuals affected by high-risk AI systems with a right to know. Deployers must "inform the natural persons on whom the high-risk AI system is intended to operate that they are subject to the use of the high-risk AI system." This obligation reflects the fundamental rights principle that people should not be subject to significant AI-driven decisions without their knowledge.

Art. 26.7 is distinct from — but overlapping with — GDPR transparency requirements. Where GDPR requires transparency about data processing, Art. 26.7 requires transparency about AI decision-making. For high-risk AI systems that also process personal data, both frameworks apply.

When Does the Obligation Apply?

Art. 26.7 applies when a natural person is "subject to" a high-risk AI system's operation. This includes:

  • Job applicants whose CVs are screened by AI
  • Customers whose credit applications are assessed by AI
  • Students whose academic performance is evaluated by AI
  • Benefit applicants whose eligibility is assessed by AI
  • Patients whose medical imaging is analysed by AI

The obligation applies before or at the point of the AI interaction — not retroactively after a decision has been made.

What Must Be Communicated?

The minimum required information:

  1. That an AI system is being used in the process that affects them
  2. The purpose of the AI system
  3. The deployer's contact details for further information or objection

Best practice (aligning with GDPR transparency standards) additionally includes:

  • The type of AI system (classification, recommendation, prediction)
  • The role of the AI in the overall decision (sole basis, supporting input, one factor among many)
  • The individual's rights — including the right to request human review under GDPR Art. 22 where applicable

Exception: Security and Sensitive Contexts

Art. 26.7 provides a limited exception: where notifying the individual would compromise the purpose of the AI system. The clearest example is law enforcement contexts where advance notification would enable suspects to evade detection. However, this exception is narrow and must be proportionate — it cannot be used as a blanket exclusion for commercial contexts.

Notification Template

Example for HR context (CV screening):

"[Organisation name] uses an AI-assisted screening system to review applications. This system analyses your application against the role requirements and produces a preliminary assessment. All AI assessments are reviewed by a human recruiter before any decision is made. For more information about how this system works or to raise a concern, contact [contact details]."

Compliance Checklist

  1. Have you mapped every point in your processes where individuals are subject to high-risk AI?
  2. Is a notification in place for each such touchpoint?
  3. Is the notification provided before or at the point of the AI interaction?
  4. Does the notification cover at minimum: AI use, purpose, and contact details?
  5. Is the exception for sensitive contexts documented with a legal justification if you rely on it?
  6. Is the Art. 26.7 notification coordinated with your GDPR privacy notice?

Legal references: Art. 26