Artificial intelligence

What are the potential obligations when marketing applications with third-party AI systems in Spain?

Published on 26th Oct 2023

When integrating AI systems into products or services, it is essential to determine the applicable legal framework

Close up view of laptop screen and keyboard, screen is showing code

With the growing ease of integration provided by artificial intelligence (AI) system providers, it is essential for companies that incorporate these technologies into their products to ensure compliance not only with the future EU Artificial Intelligence Regulation but also with all the other regulations currently in effect.

The gradual simplification of AI system integration into third-party applications has led to an increase in the number of commercially viable use cases. However, this trend comes with responsibilities regarding such integration.

Integration responsibility

When integrating AI systems developed by external providers into products or services, it is crucial to recall that responsibility will not solely rest with the original AI provider. The entity incorporating AI functionalities in its product or service – whether by itself or through third parties – will also be responsible for ensuring compliance with the applicable current regulations governing its operation.

The incorporation of AI systems into applications may have an impact on multiple areas, with intellectual property (IP), security, privacy, and consumer protection regulations the most prominent ones. In this context, it is vital for the entity incorporating an AI system into their product or service to ensure compliance with the laws governing these areas not only when marketing but also in relation to the contract executed between the entity and the AI system provider. In this regard, by way of example, we list some issues to be taken into account in each of the above areas.

Intellectual property

It will be necessary to verify whether the AI system provider requires the assignment of IP rights, or whether the provider will impose limitations on commercial uses. Additionally, in case end users are allowed to input content, the application should have appropriate safeguards to avoid potential IP infringements by end users.

Information security

Non-compliance with information security standards by any of the parties involved in creating the product/service could jeopardize sensitive user information. This could also put the business' assets at risk.


It is essential to ensure that systems trained with personal data or enabling task automation comply with the established limits in applicable data protection regulations. Also, it would be key to determine the role of the parties taking part in the data processing, including the processing generally carried out by the AI system provider.

Consumer protection

When offering the product or service, it is crucial to provide consumers with sufficient information about the availability and capabilities of the offered application.

Other areas

It is essential during the early stages of design of the product or service with AI capabilities to verify if the integration of an AI system enters regulated environments, such as medical devices, payment services or infrastructure; for example, health assistants, customer authentication systems or incident detection systems, respectively.

Osborne Clarke comment

When integrating AI systems into products or services, it is essential not only to ensure compliance with the applicable regulations currently in force, but to maximise compatibility with the future EU Artificial Intelligence Regulation. Otherwise, it may be necessary to partially or completely redo the integration.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?