Take data protection principles into account

Personal data must be processed transparently and in a manner appropriate for the purpose for which the data was collected. Data subjects must be informed transparently and clearly about the personal data processing and the information provided must not be misleading. Information must also not be processed in a manner that is unpredictable or unexpected from the perspective of the data subject.


Communicate about personal data processing transparently


When personal data is processed in the development or use of an AI system, the data subjects must be informed of at least the following:

  • What data is collected
  • The purpose for which the data is processed
  • How long the data collected will be retained
  • Whether the data is disclosed or sold to third parties
  • How the data is processed
  • What data protection rights the data subject has and how they can be exercised

The AI Act requires organisations to communicate transparently about the system to its users. For example, users must be informed when they interact with an AI system. In addition, organisations are obliged to provide a description of the mechanism behind any automated decision-making.

When is there no obligation to inform?

There are certain extraordinary situations where the obligation to inform does not apply. These special bases must be interpreted conservatively. Providing sufficiently extensive information to data subjects is a requirement for ensuring that the data subjects can be certain that their data is processed appropriately.

If, for the development of an AI system, personal data will be collected from public sources or in some other manner in which the data is not directly received from the data subjects themselves, the obligation to inform may not apply if the data collection or disclosure is regulated by law or if the data cannot be disclosed because of a statutory non-disclosure obligation. Information that a data subject has already received does not need to be delivered to them again.

The obligation to inform also does not apply under certain conditions when personal data is processed for archiving purposes that are in the public interest, purposes of scientific or historical research, or statistical purposes, if delivering the data is impossible or would require disproportionate effort. In this case too, the controller must make the information publicly available.

Determine the purpose of the personal data and use the data in line with the purpose

Before personal data processing is started, the purpose for which the data is used must be clearly planned and determined. The personal data must be collected for this specific purpose. The purpose must be legal.

The organisation developing or using an AI system is responsible for determining the purpose of the personal data. Several organisations may contribute to the development or use of the AI system at different stages. This is a case of joint controllership, meaning that the organisations are jointly responsible for determining the purpose and the personal data processing.