Key takeaways
Article 22 GDPR: algorithmic scoring falls within scope. The CJEU SCHUFA ruling of 7 December 2023 (C-634/21) brings any candidate scoring tool that materially influences selection within the scope of Article 22, even with downstream human validation.
AI Act high-risk: recruitment classified in Annex III. Recruitment is explicitly classified as a high-risk system under Annex III point 4 of Regulation EU 2024/1689. Deployer obligations apply from 2 August 2026.
Current exposure: the risk is already here. The GDPR applies in full today. Foundever (Audiencia Nacional, 4 July 2025) and Robo-Firing (Amsterdam Court of Appeal, 4 April 2023) show that algorithmic HR litigation is already active in Europe.
AI tools are transforming recruitment: automated CV screening, interview video analysis, predictive scoring. These technologies appeal to HR teams, but deploying them exposes organisations to legal risks that are frequently underestimated. This article maps the applicable obligations under GDPR and the AI Act, and analyses three recent decisions that are reshaping the rules.
What you are actually deploying
Article 22 GDPR prohibits decisions based solely on automated processing that produce legal effects or significantly affect a person. Recruitment is one of the most exposed use cases.
A screening tool that filters or ranks candidates before any real human intervention constitutes an automated decision within the meaning of GDPR. Formal sign-off by a recruiter is not enough if that recruiter has neither the time nor the information to exercise effective oversight.
[Comparison graphic: "What many think they are deploying" (common perception) versus "What the law sees" (legal characterization); the graphic's content was not captured.]
GDPR and AI Act: you are already exposed
Legal basis
Two parallel frameworks apply simultaneously. GDPR is operative today: it governs all automated processing of candidate personal data. The AI Act adds specific obligations for high-risk systems. Both bind the deployer directly. Neither can be contracted out to the tool vendor.
Article 22 GDPR
Under Article 22 GDPR, the deployer must:
- Inform the candidate of AI use in the privacy notice
- Allow the candidate to request human intervention and to contest the decision
- Carry out a data protection impact assessment (DPIA) for tools presenting high risks
- Document the legal basis for the automated processing
AI Act: recruitment classified as high-risk
The AI Act explicitly classifies AI systems used for recruitment, selection, assessment, and termination of employment contracts as high-risk (Annex III, point 4). This covers screening tools, predictive scoring tools, and behavioural analysis systems.
The obligations on deployers include:
- Full technical documentation before any deployment
- Prior conformity assessment
- Registration in the EU database
- Effective human oversight for each impactful decision
- Transparent disclosure to candidates about AI use
The human click no longer protects.
What the law already says: three key decisions
None of these decisions rests on the AI Act. All three concern algorithmic systems whose operators could, in theory, have waited for high-risk enforcement to begin. The existing legal framework continues to produce concrete decisions.
C-634/21, SCHUFA Holding: the Court extends Article 22 GDPR to algorithmic scores produced by a third party and used decisively in the decision. Direct reading for any HR deployer relying on a third-party scoring tool.
Robo-Firing: purely symbolic human validation of Uber HR decisions. The practice was found illegal under Article 22 GDPR, with a 584,000 euro sanction in October 2023. The human click no longer protects. Supervision must be real, documented, and able to alter the outcome.
SAN 2867/2025, CGT v. Foundever Spain: the company denied using algorithms in HR management. The Court declared the practice void, sanctioned it for breach of trade union freedom, and ordered disclosure of algorithm parameters to worker representatives. First Spanish decision recognising trade union rights to information on HR algorithms.
Denying the existence of an HR algorithm when one exists is a standalone fault.
The Digital Omnibus trap
Regulation (EU) 2025/1049 (Digital Omnibus) postpones AI Act compliance requirements for high-risk system providers and deployers to December 2027. This is sometimes read as two years of runway before enforcement begins.
The three decisions above show why this reading is mistaken. GDPR is fully applicable today. Article 22 applies today. The obligation to explain an automated HR decision to a candidate, a dismissed worker, or a union representative exists today.
None of the three decisions is based on the AI Act. All three concern algorithmic systems whose operators could have argued they were waiting for the high-risk deadline. Regulators and courts did not wait. Regulated-sector buyers are already incorporating GDPR and AI Act requirements into their 2026 RFPs. The compliance gap shows up during due diligence.
What you need to verify today
Three areas warrant immediate attention in your organisation.
- Do your privacy notices explicitly mention the use of AI in the recruitment process?
- Do your contracts with HR tool vendors include the required GDPR safeguards: DPA, technical documentation, data subject rights?
- Are your HR teams trained on the effective human oversight obligation, as distinct from mere formal sign-off?
How to act
Operational compliance involves three concrete steps: audit the tools in place and the conditions under which they are deployed; compile the GDPR and AI Act documentation (DPIA, processing notice, vendor DPAs); then train HR teams and update recruitment processes. External legal counsel can address all three levels simultaneously, without recruiting a full-time specialist.