This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
If your HR team is using software to rank candidates, recommend shortlists or assess staff performance, it is normal to be unsure where ordinary automation ends and regulated AI begins. This guide explains the main EU frameworks in plain language, shows where the higher-risk uses appear, and gives you a practical review process before the technology influences an employment decision.
In short: AI used to recruit, select, allocate work, monitor workers or evaluate performance can attract close scrutiny under the EU AI Act and the GDPR. A smaller employer should not treat the software as a neutral shortcut. Identify what the system actually influences, keep a meaningful human decision-maker involved, explain relevant data processing to applicants and staff, and document the checks made before and during use.
The practical problem for an HR team
The risk is not simply that an AI tool makes a mistake. The larger problem is that a score, recommendation or warning can quietly become the real decision, even where the final click is made by a person.
Consider Alex, an HR manager at a 45-person logistics company in Germany. Before reviewing the process, recruiters allowed a CV-screening tool to reject every applicant below a set score, and nobody checked why the score was low. After the review, Alex maps the tool against the EU AI Act's recruitment category, adds a documented human review before any rejection, and updates the applicant privacy notice to describe the automated screening and its role.
This change does not assume that a human rubber stamp fixes every issue. It creates a point where someone with authority, context and enough information can question the output, consider information the model may have missed, and record a different decision.
For a smaller business, the most useful first step is therefore not buying a compliance platform. It is drawing the decision path from the application or employee data entering the system through to the action taken by the business.
Which HR uses receive the most attention
The EU AI Act uses a risk-based structure. Annex III identifies certain employment and worker-management uses as high-risk, including systems intended for recruitment or selection, placing targeted job advertisements, analysing and filtering applications, evaluating candidates, making decisions that affect work relationships, allocating tasks based on personal characteristics or behaviour, and monitoring or evaluating workers.
The formal text is available in the EU Artificial Intelligence Act, Regulation (EU) 2024/1689. The classification depends on the intended purpose and real use of the system, not merely the product label chosen by its vendor.
Common HR AI uses and the questions they raise
| Example use | Main practical question | |
|---|---|---|
| CV screening | Ranks or filters applicants | Does the score determine who is considered or rejected? |
| Interview analysis | Assesses words, voice or video | What traits are inferred, and is the method appropriate and explainable? |
| Job advertising | Targets vacancies to selected audiences | Could the targeting reduce access for particular groups? |
| Task allocation | Assigns shifts, routes or workloads | Is the allocation based on personal characteristics, behaviour or inferred performance? |
| Performance monitoring | Scores productivity, quality or conduct | Does the output affect pay, promotion, discipline or continued employment? |
Some tools used by HR may fall outside the high-risk category because they perform a narrow procedural task or do not materially influence the outcome. A calendar assistant that proposes interview times is different from a system that decides which candidates deserve an interview.
Do not rely on a broad statement such as "AI is only assisting". Write down the exact decision, the weight given to the output, who can override it, and what happens when the system is wrong.
The AI Act and GDPR cover different parts of the problem
The AI Act focuses on the design, supply and use of AI systems, with additional controls for higher-risk applications. The GDPR focuses on personal-data processing and the rights of the people whose data is used.
An HR workflow may engage both frameworks at the same time. Buying a system from a vendor that discusses AI Act readiness does not answer whether your business has a lawful, fair and transparent basis for processing applicant or employee data.
What the AI Act says in plain English
For high-risk systems, the AI Act sets a structured set of controls around areas such as risk management, data governance, technical documentation, records, transparency, human oversight, accuracy, robustness and cybersecurity. Providers carry many of the product-level responsibilities, while organisations using the system have deployer responsibilities that depend on the circumstances.
Article 26 includes duties for deployers of high-risk systems, such as following instructions for use, assigning human oversight to people with suitable competence and authority, monitoring operation, keeping relevant logs under their control, and taking action where use may present a risk. Employers should read the formal wording and obtain advice for their circumstances rather than treating a short checklist as a legal conclusion.
The Act also prohibits certain practices. One employment-relevant example is using AI to infer a person's emotions in the workplace, except for specified medical or safety reasons. The relevant prohibition is set out in Article 5 of the AI Act.
AI literacy requirements have applied since 2 February 2025. The European Commission's AI literacy questions and answers explains that providers and deployers should take measures to ensure a sufficient level of AI literacy among relevant staff, taking account of their knowledge, experience and the context of use.
Timing note, verified 14 July 2026: the original AI Act schedule made most high-risk rules applicable from 2 August 2026. EU institutions announced a political agreement in May 2026 that would move Annex III high-risk rules, including employment uses, to 2 December 2027. Because legislative steps and final published text matter, check the European Commission AI Act page and the Official Journal before relying on a date.
What the GDPR adds
The GDPR is already in force and remains relevant regardless of the AI Act timetable. HR data can include identity details, work history, qualifications, assessments, attendance, location, communications and inferred characteristics, all of which require a defined purpose and an appropriate legal basis.
The GDPR's transparency rules can require information about the purposes of processing, data categories, recipients, retention and relevant rights. Articles 13 and 14 also address information about automated decision-making in the circumstances covered by Article 22, including meaningful information about the logic involved and the significance and envisaged consequences.
Article 22 addresses decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect a person, subject to limited exceptions and safeguards. In employment, rejecting an applicant or taking a serious action against a worker can plainly have a substantial effect, but the detailed application depends on the facts.
The European Data Protection Board guidance on automated decision-making and profiling is a useful primary reference. It explains that nominal human involvement is not enough where the person does not have authority or does not genuinely assess the available information.
A data protection impact assessment, commonly called a DPIA, may be relevant where processing is likely to result in a high risk to people's rights and freedoms. The GDPR names systematic and extensive evaluation based on automated processing, including profiling, where decisions have legal or similarly significant effects, as one trigger requiring an assessment.
A DPIA is not just a form to complete after purchasing software. It is a process for describing the operation, testing necessity and proportionality, identifying risks to people, and recording measures designed to address those risks.
What meaningful human oversight looks like
Meaningful oversight requires more than placing a recruiter's name beside an automated recommendation. The reviewer needs enough information, time and authority to challenge the system and reach a different outcome.
In practice, that can mean showing the evidence behind a score, flagging missing or uncertain data, preventing automatic rejection, and requiring the reviewer to record a reason where the AI output is followed or overridden. Staff should understand common failure modes, including biased training data, proxy variables, poor performance for particular languages or disabilities, and changes in candidate behaviour over time.
A useful control is to test whether the human decision would change if the score were hidden. Where reviewers simply accept the recommendation because it appears objective, the workflow may still function as an automated decision in substance.
Oversight should also continue after launch. Compare recommendations with final outcomes, investigate complaints and unusual rejection patterns, and stop the workflow if the system behaves outside its intended purpose.
A practical review process for an EU employer
The following sequence helps a smaller HR team organise the issue before it becomes a legal or employee-relations problem. It is a planning framework, not a finding that a particular workflow is compliant.
- Inventory the tools. Include features inside applicant tracking, payroll, productivity, scheduling and communications systems. Ask managers which spreadsheets, browser tools and unofficial services they use.
- Map the decision. Record what data enters the system, what output it creates, how much weight the output receives and what action follows.
- Classify the use. Compare the intended purpose with the AI Act's employment categories and identify any prohibited practice concerns.
- Review personal-data processing. Document purpose, legal basis, data sources, recipients, retention, international transfers and relevant worker or applicant rights.
- Assess impact and discrimination risk. Examine whether the workflow may disadvantage groups through direct variables, proxies, inaccessible processes or lower accuracy.
- Design human oversight. Name the reviewer, define their authority, provide enough information to challenge the output and prohibit automatic adverse action where appropriate.
- Check the vendor. Request system purpose, limitations, performance information, data-processing terms, security controls, logging capability and evidence supporting AI Act claims.
- Update notices and internal records. Explain the processing in language an applicant or worker can understand, and keep a versioned record of the approved workflow.
- Train relevant staff. Cover what the tool can and cannot do, when escalation is required, and how to report a suspected error or unfair outcome.
- Monitor and review. Set review dates, audit samples, track overrides and complaints, and pause use when risks cannot be controlled.
Keep the first review simple: choose one live workflow and draw it on a single page. Mark every point where data is collected, transformed, scored, disclosed or used to make a decision. This usually reveals more than starting with a generic AI policy.
Questions to ask an HR AI vendor
Vendor documentation should help you understand the system, not replace your own assessment. Ask for clear answers that can be checked against the contract and technical material.
- What is the system's intended purpose, and which uses are excluded?
- Does the vendor classify it as high-risk under the EU AI Act, and what is the basis for that view?
- Which data trains, tunes or evaluates the system?
- What characteristics, behaviours or proxies influence scores?
- How is performance measured across languages, disabilities and demographic groups?
- Can the employer disable automatic rejection or adverse action?
- What explanation, logs and supporting evidence are available to human reviewers?
- Where is personal data stored, which subprocessors receive it, and what international-transfer mechanism is used?
- How long are applicant and worker records retained?
- How will the vendor notify customers about material model, purpose or performance changes?
A weak answer such as "the algorithm is proprietary" does not remove the business risk. Your organisation still needs enough information to assess the workflow, communicate with affected people and supervise the decision process.
Contract terms should also reflect practical controls. Consider instructions, permitted purposes, data use, audit support, incident handling, change notification, deletion, return of data and cooperation with rights requests.
Performance management and worker monitoring
AI used after hiring can be just as consequential as recruitment software. Productivity scores, route efficiency, call analysis, attendance predictions and conduct flags may affect task allocation, pay, promotion, discipline or dismissal.
These systems can create misleading precision. A warehouse picker who receives a lower score may have handled damaged stock, helped a new colleague or worked in an area with longer travel distances, none of which may be visible to the model.
Employee monitoring also raises questions under national labour law, collective agreements and workplace consultation rules, which differ across EU Member States. The AI Act does not replace those rules, and the GDPR does not provide the entire employment-law answer.
Before deployment, involve the right internal functions and check national requirements. Depending on the workplace, this may include data protection, legal, information security, management, employee representatives or a works council.
Industry-specific implications
Healthcare and care services: recruitment data may reveal health or disability information, while staff-monitoring outputs can affect professional duties and patient safety. Separate legitimate safety controls from broad behavioural inference.
Education: AI may be used to shortlist teachers, allocate workloads or analyse classroom performance. Employers should consider professional context and whether simple metrics misrepresent work that depends heavily on judgement and relationships.
Legal and accounting firms: confidentiality and professional obligations increase the impact of sending CVs, interview notes or employee records to an external service. Review subprocessors, retention and model-training terms before uploading sensitive files.
Logistics, retail and manufacturing: automated scheduling and performance scoring can operate at high volume, which makes individual errors easy to miss. Test whether the system treats temporary disruptions, disability adjustments, different sites and changing demand fairly.
HR AI review checklist
Use this checklist to organise an internal review. It does not determine whether a system or business meets every applicable requirement.
- The business has a current inventory of AI and automated decision tools used by HR and managers.
- Each workflow has a documented intended purpose and prohibited uses.
- The team has checked whether the use appears in the AI Act's employment high-risk categories.
- No prohibited workplace emotion-inference use has been identified.
- The personal-data purpose, legal basis, sources, recipients, retention and transfer arrangements are documented.
- The need for a DPIA has been assessed and recorded.
- Applicants and workers receive clear, relevant information about the processing.
- Adverse decisions are not automatically implemented without an appropriate review process.
- Human reviewers have training, time, evidence and authority to challenge the output.
- Bias, accessibility and performance testing covers the people and conditions relevant to the organisation.
- Vendor claims are supported by documentation and contract terms.
- Logs, overrides, complaints and unusual outcome patterns are monitored.
- The workflow has an owner, review date and stop-use trigger.
Frequently asked questions
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Is every AI tool used by HR classed as high-risk in the EU?
No. The classification depends on the system's intended purpose and how it is used. Tools that materially influence recruitment, selection, task allocation, monitoring or performance evaluation deserve particular attention, while a simple administrative assistant may not fall into the same category.
Can a recruiter use an AI score if a human makes the final decision?
Possibly, but the human review needs to be genuine. The reviewer should understand the output, consider other information, have authority to disagree and avoid treating the score as automatically correct.
Does the GDPR ban automated recruitment decisions?
The GDPR does not create a simple blanket ban on all automation. Article 22 addresses decisions based solely on automated processing that have legal or similarly significant effects, with limited exceptions and safeguards, so the facts of the workflow matter.
Should applicants be told that AI screens their application?
Transparency is a central GDPR issue, and Articles 13 and 14 set information requirements for personal-data processing. Where Article 22 automated decision-making is involved, the GDPR also addresses information about the logic, significance and envisaged consequences.
Can an employer use AI to detect employee emotions?
The AI Act prohibits using AI to infer emotions in the workplace, subject to specified medical or safety exceptions. Check the exact Article 5 wording and the facts of the product rather than relying on a vendor description such as engagement analysis.
Does a small business need an AI policy before using HR software?
A policy can help, but a generic document is not a substitute for reviewing the actual workflow. Start with an inventory, decision map, vendor review, data assessment and named human oversight, then use the policy to set consistent internal rules.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Build a clearer internal record of the AI tools your business uses, what data they handle and which decisions they influence.
Get the Free AI Register Template