Article 50
Transparantieverplichtingen voor aanbieders en gebruiksverantwoordelijken van bepaalde AI-systemen
AI Transparency
This new topic is needed to specifically capture the transparency obligations framework for AI systems providers and deployers, which is a distinct and comprehensive requirement under the AI Act that encompasses disclosure of system characteristics, performance metrics, limitations, and intended use to end-users and relevant stakeholders.
transparency obligations transparency requirements provider transparency deployer transparency system transparency disclosure requirements information disclosure transparency duties
Overview
Legal Framework
Article 50 of the AI Act establishes the core transparency obligations for providers and deployers of certain AI systems. It mandates that providers of AI systems intended to interact with natural persons, emotion recognition systems, biometric categorization systems, and AI systems that generate or manipulate image, audio, or video content ("deepfakes") must ensure transparency to end-users. The required disclosures, detailed in Article 50(1) and (2), include informing individuals that they are interacting with an AI system, the system's intended purpose, and its capabilities and limitations. For generated content, the provider must ensure the output is marked as artificially generated or manipulated. Deployers of these systems, as per Article 50(3), must notify a natural person when they are exposed to an emotion recognition or biometric categorization system. Furthermore, Article 50(5) requires deployers of AI systems that generate deepfake content to disclose the artificial nature of that content, unless use is authorized for law enforcement or the content is part of an obvious artistic or creative work.
Practical Application
The provision creates a distinct, purpose-built transparency regime for specific AI applications where a lack of clarity could deceive or manipulate individuals, undermining their autonomy. While the authoritative Tekst & Commentaar on the GDPR clarifies transparency as a fundamental principle for data processing, the AI Act's framework is tailored to the unique risks of AI interaction and content generation, operating alongside but separately from GDPR obligations. The practical burden differs: providers must design systems with transparency in mind (e.g., building in disclosure mechanisms), while deployers have operational duties to activate these disclosures or provide their own notifications. Enforcement will focus on whether the required information is communicated in a clear, timely, and meaningful way to the affected individual.
Key Considerations
- Mapping Obligations by Role: Organizations must first determine if they act as a "provider" or "deployer" under the AI Act for their AI systems and then apply the specific transparency duties attached to that role and system type (e.g., interaction, emotion recognition, deepfake generation).
- Integrating with GDPR: For AI systems that also involve personal data processing, the transparency requirements under Article 13 GDPR (providing information to data subjects) continue to apply and must be coordinated with, not replaced by, the AI Act's Article 50 disclosures.
- Technical Implementation for Providers: Providers of in-scope systems must design technical solutions to embed disclosures (e.g., real-time notifications for AI interaction) or output markings (e.g., watermarking for generated content) directly into the system or its outputs to enable compliance by deployers.
Laws (24)
View all 24Recital 132
Recital 26
Recital 135
Recital 137
Recital 157
Recital 174
Article 50
Transparency obligations for providers and deployers of certain AI systems
Recital 26
Recital 104
Recital 132
Recital 134
TRANSPARENCY OBLIGATIONS FOR PROVIDERS AND DEPLOYERS OF CERTAIN AI SYSTEMS
Recital 135
Recital 137
Recital 157
Recital 174
Recital 107
Recital 94
Recital 100
Case Law (1)
Guidance (25)
View all 25VERSIEGESCHIEDENIS
binding corporate rules voor verwerkingsverantwoordelijken
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
Versiegeschiedenis
guidelines wisselwerking toepassing artikel 3 en hoofdstuk V AVG
De AVG bevat geen juridische definitie van het begrip 'doorgifte van persoonsgegevens aan een derde land of aan een internationale organisatie'. Daarom verstrekt de EDPB deze richtsnoeren om te verduidelijken op welke scenario's de voorschriften van hoofdstuk V volgens hem moeten worden toegepast en heeft hij daartoe drie cumulatieve criteria vastgesteld waaraan een verwerkingsactiviteit moet voldoen om als een doorgifte te worden aangemerkt: - 1) Een verwerkingsverantwoord...
Version history
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
Guidelines on derogations of Article 49
Version history
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Guidelines 8/2020 on the targeting of social media users
Guidelines on the targeting of social media users
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Guidelines on the territorial scope of the GDPR
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Guidelines 02/2021 on virtual voice assistants
Guidelines on virtual voice assistants
A virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in the latest years, even standalone devices like smart speakers. VVAs act as interface between users and their computing devices and online services such as search engines or online shops. Due to their role, VVAs have access to a huge amount of personal...
Richtsnoeren 2/2018 inzake afwijkingen op grond van artikel 49 van Verordening 2016/679
guidelines afwijkingen van artikel 49
Richtsnoeren 04/2022 voor de berekening van administratieve geldboeten krachtens de AVG
guidelines berekenen administratieve boetes
Het Europees Comité voor gegevensbescherming (EDPB) heeft deze richtsnoeren vastgesteld met het oog op de harmonisatie van de methode die de toezichthoudende autoriteiten gebruiken om het bedrag van de geldboete te berekenen. Deze richtsnoeren vormen een aanvulling op de eerder vastgestelde Richtsnoeren voor de toepassing en vaststelling van administratieve geldboeten in de zin van Verordening (EU) 2016/679 (WP 253), die betrekking hebben op de omstandigheden waarin een geldboete moet worden opg...
Versiegeschiedenis
guidelines doorgifte van persoonsgegevens tussen overheidsinstanties en -organen binnen en buiten de EER
Richtsnoeren 3/2022 betreffende het herkennen en vermijden van misleidende ontwerppatronen in de interfaces van socialemediaplatforms
guidelines misleidende ontwerppatronen
Deze richtsnoeren bieden praktische aanbevelingen aan aanbieders van sociale media als verwerkingsverantwoordelijken van sociale media, ontwerpers en gebruikers van socialemediaplatforms, over het beoordelen en vermijden van zogenaamde 'misleidende ontwerp patronen' in de interfaces van sociale media die inbreuk maken op de vereisten van de AVG. Daartoe beveelt de EDPB aan dat verwerkingsverantwoordelijken gebruikmaken van interdisciplinaire teams, bestaande uit onder meer ontwerpers, func...
Richtsnoeren 02/2021 inzake virtuele spraakassistenten
guidelines over virtuele spraakassistenten
Een virtuele spraakassistent ( virtual voice assistant , of VVA) betreft een dienst die spraakgestuurde opdrachten begrijpt en uitvoert, of indien nodig als tussenschakel optreedt naar andere IT-systemen. Tegenwoordig is een VVA als optie beschikbaar op de meeste smartphones, tablets en reguliere computers en sinds enkele jaren zelfs op losse apparaten zoals smartspeakers. Een VVA functioneert als schakel tussen de gebruiker en zijn apparaat of een online dienst zoals een zoekmachine...
Richtsnoeren 01/2022 over de rechten van betrokkenen Recht van inzage
guidelines recht op inzage
Het recht van inzage van betrokkenen is vastgelegd in artikel 8 van het Handvest van de grondrechten van de Europese Unie. Het maakt al sinds het begin deel uit van het Europese wettelijke kader voor gegevensbescherming en wordt nu verder ontwikkeld met specifiekere, preciezere regels in artikel 15 AVG.
Enforcement (6)
Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles
€4,500,000 fine - Croatian Data Protection Authority (azop)
Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequ
WhatsApp Ireland Ltd.: Insufficient legal basis for data processing
€5,500,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of an individual. WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the ac
Meta Platforms Ireland Limited: Non-compliance with general data processing principles
€390,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of servi
WhatsApp Ireland Ltd.: Insufficient fulfilment of information obligations
€225,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service's compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. In the course of the investigation, the DPC found that WhatsApp
MALTA DPA: Insufficient fulfilment of data subjects rights
€20,000 fine - Data Protection Commissioner of Malta
The controller failed to comply with a data subject's right to information. In addition, the data protection policy did not meet the transparency requirements.
MALTA DPA: Insufficient fulfilment of data subjects rights
€4,000 fine - Data Protection Commissioner of Malta
The controller had sent unsolicited commercial messages. In addition, the privacy policy did not comply with transparency requirements and the controller failed to comply with requests for information from data subjects.
News (5)
AI Omnibus: Reject the proposals to undermine transparency in the AI Act
The European Commission’s dangerous and misguided Digital Omnibus proposal includes a dangerous rollback of transparency requirements in the AI Act. 60 civil society organisations, independent public authorities and individuals, including EDRi, urge EU lawmakers to reject a change that would risk weakening enforcement, legal certainty, and the protection of fundamental rights, while offering negligible benefits for companies. The post AI Omnibus: Reject the proposals to undermine transparency in
VDAI (Lithuania) - Decision No. 3R-1700
Facts }}}} The DPA held that a gambling operator lawfully transferred data to a processor for sending invitations to sporting events, but found that the controller breached transparency obligations by not informing the data subject about the categories of data recipients.The DPA held that the operator of a gambling site lawfully transferred data to a processor for sending invitations to sporting events since the engagement of a processor does not require a separate legal basis. However, the cour
VDAI (Lithuania) - Decision No. 3R-1700.
Facts: The data protection authority (DPA) ruled that a gambling operator had lawfully transferred data to a processor for the purpose of sending invitations to sporting events, but found that the responsible party had violated its transparency obligations by failing to inform the data subject about the categories of recipients of the data. The DPA also ruled that the operator of a gambling website had lawfully transferred data to a processor for the purpose of sending invitations to sporting events, as the engagement of a processor does not require a separate legal basis. However, the court...
Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems?
> The growth of generative artificial intelligence systems has led EU lawmakers to focus on General Purpose AI in drafting the AI Act, which will set the framework governing artificial intelligence in the European Union. As previously reported, the EU Parliament has already broadened the definition of artificial intelligence for the purposes of the AI Act… The post Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems? appeared first on GamingTechLaw.
Overview of EU Strategy for Data: Digital Services Act
> The Digital Services Act was published in the Official Journal of the European Union Oct. 27. The DSA, which harmonizes conditions for the provision of intermediary services and increases transparency requirements for online intermediaries, will enter into force Nov. 16. In the latest installment of a multipart series, the IAPP Research and Insights team provides privacy professionals with an overview of the DSA, including the law's objectives, key requirements and enforcement.