EU AI Act obligations for AI used in recruitment, employee monitoring, and performance assessment. Annex III category 4 covers all employment AI systems.
Why the EU AI Act Is Central to HR Technology
Artificial intelligence has become deeply embedded in employment practices across the EU — from automated resume parsing in applicant tracking systems to real-time performance dashboards and behavioural analytics in contact centres. The EU AI Act, in force since 1 August 2024 with obligations on high-risk AI systems applying from 2 August 2026, treats employment AI as an area of fundamental rights sensitivity warranting the highest level of regulatory scrutiny.
Annex III, category 4 of the Regulation identifies AI systems used in employment, workers management, and access to self-employment as high-risk across three distinct sub-categories: recruitment and selection (cat 4(a)), decisions on promotion, task allocation, and monitoring of contractual obligations (cat 4(b)), and real-time monitoring of emotional or behavioural states of workers (cat 4(c)). This classification is categorical — there is no materiality threshold, no carve-out for small deployments, and no distinction based on whether the tool is proprietary or acquired from a third-party vendor.
The sector sits at the intersection of three regulatory frameworks: the AI Act, GDPR (in particular Art. 22 on automated decision-making), and national labour law — including co-determination rights over workplace technology. Compliance requires a coordinated approach spanning legal, HR, IT, and works council engagement.
High-Risk Use Cases — All Annex III Category 4 Systems
Recruitment and Selection (Cat 4(a))
AI systems used in the recruitment lifecycle are high-risk without exception. This encompasses:
- CV and resume screening tools integrated into ATS platforms (Workday, SAP SuccessFactors, Greenhouse, Lever, SmartRecruiters). Ranking, shortlisting, and rejection logic driven by AI falls squarely within cat 4(a).
- Video interview analysis tools that assess facial expressions, voice tone, speech patterns, or micro-expressions to infer candidate suitability or personality traits (e.g., HireVue-type tools). These may also trigger Art. 50(2) transparency obligations if they incorporate emotion recognition.
- Targeted job advertising algorithms that determine which individuals are shown job postings based on inferred characteristics — including age, gender, or geographic indicators — are explicitly enumerated in cat 4(a) and present particular risk of discriminatory targeting.
Workforce Management and Monitoring (Cat 4(b))
AI used to manage the employment relationship after hiring is equally high-risk:
- Performance evaluation AI that generates scores, ratings, or ranking outputs used to inform promotion, bonus, or termination decisions.
- Task allocation algorithms in gig economy platforms (Uber, Deliveroo, Amazon Flex) that assign work, set pay rates, and determine deactivation. These are high-risk under cat 4(b) regardless of the employment classification of the worker.
- Productivity monitoring software that aggregates keyboard activity, application usage, communication metadata, or location data to produce performance metrics. Where outputs feed into contractual decisions, cat 4(b) applies.
Real-Time Emotional and Behavioural Monitoring (Cat 4(c))
Annex III cat 4(c) is targeted specifically at systems that monitor the emotional or behavioural state of workers in real time. Common deployments in scope:
- Call centre emotion analytics that assess caller and agent sentiment during live calls and generate performance flags.
- Biometric wellbeing platforms that infer stress, fatigue, or engagement levels from physiological or behavioural signals.
- Attention and engagement monitoring during remote work using webcam-based inference.
These systems additionally trigger Art. 50(2): any deployer using emotion recognition on workers must notify those workers that they are subject to the system. This notification obligation applies irrespective of whether the broader high-risk compliance timeline has been met.
Provider vs Deployer Obligations — The Employer's Position
Under the AI Act, most employers occupy the deployer role — they procure high-risk AI systems from providers (software vendors) and deploy them in their HR processes. The provider/deployer distinction is legally significant because obligations differ.
Provider Obligations (Vendor Responsibilities)
Providers — HR software vendors — must, before placing high-risk systems on the EU market:
- Establish and maintain a quality management system (Art. 9) covering risk management, data governance, technical documentation, and post-market monitoring.
- Prepare technical documentation per Annex IV demonstrating the system's design, intended purpose, performance metrics, training data, and known limitations.
- Conduct a conformity assessment under Art. 43 and register the system in the EU database (Art. 49).
- Affix the CE marking and issue an EU declaration of conformity.
- Provide deployers with instructions for use (Art. 13) including information on limitations, intended user profiles, and oversight requirements.
Deployer Obligations (Employer Responsibilities)
Employers must:
- Verify provider compliance before deploying: check for CE marking, conformity declaration, and adequate instructions for use.
- Implement in accordance with instructions: deployers may not use the system for purposes beyond its stated intended use (Art. 25(1)).
- Ensure meaningful human oversight (Art. 25(2)): employees designated to supervise AI outputs must have the authority, technical competence, and time necessary to understand system outputs and override them when appropriate. Nominal human review — a checkbox sign-off without genuine evaluation — does not satisfy this requirement.
- Conduct a fundamental rights impact assessment (FRIA) (Art. 27): mandatory for public-sector deployers; strongly recommended for private-sector employers deploying cat 4 systems, particularly where outputs affect protected characteristics.
- Monitor for post-deployment risks: if a deployer identifies risks that the provider did not foresee, the deployer must notify the provider and, where relevant, the market surveillance authority.
- Suspend use if serious incidents occur or if the system is found to be non-compliant in operation.
Interaction with GDPR Article 22 and Labour Law
GDPR Article 22 — Automated Decision-Making
GDPR Art. 22 remains fully operative alongside the AI Act and applies directly to HR AI. It prohibits decisions based solely on automated processing where those decisions produce legal effects or similarly significant effects on the data subject. In the employment context, the following decisions are unambiguously in scope: hiring and rejection, termination, promotion and demotion, pay determination, and disciplinary action.
Compliance requires:
- Meaningful human intervention before any consequential decision — the reviewing human must have access to the underlying data and logic, not merely a summary recommendation.
- Right to obtain human review of any automated decision upon request, with genuine reconsideration capacity.
- A legal basis for processing under Art. 6 and, where special category data is involved (health, ethnicity, biometric data inferred from facial analysis), under Art. 9.
The AI Act and GDPR are complementary, not mutually exclusive. Art. 2(7) of the AI Act confirms that it applies without prejudice to GDPR. Employers must satisfy both regimes simultaneously.
National Labour Law — Works Councils and Co-Determination
In several EU member states, national labour law confers co-determination rights over workplace technology that apply to AI systems independently of the AI Act:
- Germany — Betriebsverfassungsgesetz §87(1) no. 6: the works council has a binding co-determination right on the introduction of technical devices designed to monitor employee behaviour or performance. Deployment of AI monitoring or evaluation tools without prior works council agreement may be challenged before the labour court (Arbeitsgericht) and enjoined.
- Netherlands — Wet op de ondernemingsraden (WOR) Art. 27: the ondernemingsraad has consent rights over personnel systems and monitoring arrangements.
- Austria — Arbeitsverfassungsgesetz §96: binding co-determination on monitoring measures affecting personal dignity.
- France — Code du Travail L. 2312-38: the Comité Social et Économique must be informed and consulted before deployment of automated tools affecting working conditions.
Works council rights typically require advance notice, documentation of the system's functioning, and in many cases formal agreement or a works agreement (Betriebsvereinbarung) before deployment. These obligations are triggered before the AI Act compliance timeline and cannot be deferred.
Directive 2002/14/EC on information and consultation of employees also provides a framework for European Works Councils of multinational groups deploying AI tools across member states.
Enforcement — DPAs, Equality Bodies, and Labour Inspectorates
Enforcement of AI Act obligations in the HR sector will involve multiple competent authorities:
- Data Protection Authorities (DPAs): the primary market surveillance authority designation in many member states will sit with or alongside the DPA. DPAs have concurrent competence under GDPR Art. 22 for automated decision-making violations. The EDPB guidelines on AI and employment remain the authoritative interpretation at EU level.
- National equality bodies: where AI systems produce discriminatory outcomes in recruitment or promotion — for example, disparate impact on women, ethnic minorities, or older workers — equality bodies (e.g., ECRI, Défenseur des droits, Equinet members) have investigative and enforcement powers under the Equal Treatment Directives (2000/43/EC, 2000/78/EC, 2006/54/EC).
- Labour inspectorates: in member states with strong labour inspection regimes, inspectors may investigate AI-related breaches of working conditions, monitoring limitations, and works council rights. France (DREETS), Germany (Gewerbeaufsicht), and Spain (Inspección de Trabajo) are examples of active enforcement bodies.
Penalties under the AI Act reach €30 million or 6% of global annual turnover for prohibited practices, and €15 million or 3% of turnover for other high-risk violations. GDPR fines under Art. 83 apply cumulatively. Reputational risk and employee litigation under national labour law represent additional exposure.
Compliance Roadmap for HR Professionals
A structured compliance programme for employers deploying AI in HR should address the following in sequence:
1. AI system inventory: catalogue all AI tools used across the employment lifecycle — recruitment, onboarding, performance management, workforce planning, and exit. For each tool, identify the Annex III category and confirm high-risk classification.
2. Provider due diligence: before 2 August 2026 (or at next contract renewal), demand from each vendor: CE marking, EU declaration of conformity, technical documentation summary, and instructions for use. Vendors unable to provide these should be treated as non-compliant.
3. Works council consultation: initiate co-determination or consultation procedures under applicable national law for all AI systems not yet subject to formal agreement. Document outcomes in a works agreement or equivalent instrument.
4. GDPR Art. 22 audit: map all HR decisions with legal or significant effects and verify that no decision rests solely on automated output. Implement human oversight protocols with documented reviewer competence and intervention records.
5. Fundamental rights impact assessment: conduct FRIA under Art. 27 for all Annex III cat 4 deployments. For public-sector employers, this is mandatory; for private-sector employers, it is the expected standard of due diligence and a defence against enforcement action.
6. Transparency obligations: implement Art. 50(2) employee notification for any emotion recognition system. Ensure job applicants are informed of AI-assisted screening under GDPR transparency requirements (Arts. 13–14).
7. Human oversight capacity: verify that personnel designated to review AI outputs in HR have genuine authority to override recommendations, sufficient time to conduct meaningful review, and documented training appropriate to the complexity of the system.
8. Incident response procedures: establish procedures for logging, investigating, and reporting serious incidents involving HR AI systems, in line with Art. 73 provider obligations passed through to deployers via contractual arrangements.
Compliance in this sector is not a one-time project. The combination of AI Act obligations, evolving DPA guidance on GDPR Art. 22, and active works council engagement requires an ongoing governance structure with dedicated ownership within HR, legal, and data protection functions.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | — | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | — | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | — | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | — | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | — | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | — | AI Act Art. 57 |
Frequently Asked Questions
Yes. **Annex III, category 4(a)** explicitly lists AI used for recruitment and selection — including CV screening, resume ranking, and targeted job advertising — as high-risk. There is no de minimis threshold. Any ATS-integrated screening tool deployed in the EU is subject to the full suite of high-risk obligations under **Art. 9–15** and **Art. 25–27**, regardless of the provider's size or the sophistication of the model.
In Germany, the **Betriebsverfassungsgesetz §87(1) no. 6** grants works councils binding co-determination rights over technical monitoring devices, which includes AI systems that monitor employee behaviour or performance. Equivalent consultation rights apply in the Netherlands (OR), Austria (Betriebsrat), and France (Comité Social et Économique). Failure to obtain prior agreement may render deployment unlawful under national labour law, independent of AI Act compliance.
**GDPR Art. 22** prohibits decisions based solely on automated processing that produce legal or similarly significant effects on individuals. In HR, hiring, termination, and promotion decisions are clearly in scope. The AI Act does not replace Art. 22 — it adds obligations layered on top. Employers must provide **meaningful human review** before any consequential decision, maintain documentation of that review, and ensure the human reviewer has the competence and authority to override the AI output.
Emotion recognition AI is not prohibited in recruitment contexts, but **Art. 50(2)** of the AI Act imposes a mandatory transparency obligation: deployers must inform individuals when they are subject to an emotion recognition system. Additionally, since such systems constitute Annex III cat 4(a) high-risk AI, all high-risk requirements apply — conformity assessment, technical documentation, human oversight, and fundamental rights impact assessment. The scientific validity of emotion recognition in recruitment is widely contested, creating additional GDPR proportionality concerns.
Employers are **deployers** under the AI Act (**Art. 3(4)**) and bear specific obligations under **Art. 25–27**. They must: verify the provider has supplied a conformity declaration, EU technical documentation, and instructions for use; implement use in line with those instructions; ensure designated human oversight personnel have the authority, competence, and time to intervene; conduct a **fundamental rights impact assessment** (mandatory for public-sector deployers; recommended for private-sector); and suspend use if risks emerge. Deployers may not circumvent provider restrictions or use the system for purposes beyond its intended scope.
Yes. **Annex III, category 4(b)** covers AI used for task allocation and monitoring contractual obligations of workers, which directly encompasses algorithmic management systems used by gig economy platforms such as delivery, ride-hailing, and on-demand service operators. These systems are high-risk. Workers on these platforms are entitled to meaningful human oversight of decisions affecting their access to work, pay rates, and account deactivation.