Hiring AI Self-Assessment

CultureGene

Is your recruiting AI fit for purpose?

The EU AI Act classifies AI used in employment as high-risk by default. GDPR adds a parallel layer: lawful basis, special category data restrictions, data minimisation, and automated decision-making rights. Both apply simultaneously, and both carry significant fines.

This assessment is built for private-sector hiring teams, whether you use third-party AI tools as supplied by vendors, build your own agents and workflows on top of ChatGPT, Claude, Gemini or similar, or both. Three orientation questions before Section I establish your role under the AI Act and tailor which obligations apply to you.

EU AI Act fines: up to €35M / 7% global turnover for prohibited practices; €15M / 3% for high-risk obligations; €7.5M / 1% for supplying incorrect or misleading information. GDPR fines: up to €20M or 4% global turnover.
CV Screening
We use an AI-powered CV screener that ranks candidates based on pattern matching against historical successful hires. The system provides a match score 0–100 that is used to automatically filter out candidates below a threshold before human review.
AI Interviews
Our platform conducts automated video interviews where candidates answer pre-recorded questions. An AI analyses facial expressions, tone of voice, and word choice to generate a personality and suitability score.
Candidate Scoring
We use a predictive analytics tool that combines LinkedIn data, academic records, and assessment results to generate a predicted performance score. Recruiters see this score before reading CVs.
Recruiting Chatbot
Our recruiting chatbot pre-screens candidates via WhatsApp or webchat, asks qualifying questions, and automatically progresses or rejects candidates based on their responses before any human sees the application.
Online Proctoring
We require candidates to complete online assessments monitored by AI proctoring software that tracks eye movements, keystroke patterns, and facial expressions to detect cheating or suspicious behaviour.
Emotion Detection
During video interviews, we use emotion AI software to detect candidates' emotional states and infer traits like stress resilience, enthusiasm, and honesty from micro-expressions and vocal tone.
Reference & Background Check AI
We use an AI tool that automatically scrapes and scores candidates based on online presence, court records, credit history, and employment verification data. The system flags candidates for review or rejection before a human sees the findings.
Job Description & Bias Detection AI
We use AI to generate job descriptions and audit them for biased language. The tool rewrites or scores JDs before publication and may suggest changes to role requirements, seniority levels, or preferred candidate profiles.
Workforce Planning & Headcount AI
We use predictive AI tools to model future headcount needs, identify redundancy risk, or recommend restructuring based on performance, cost, and skills data. Outputs influence decisions about which roles or individuals are retained or displaced.
Internal Mobility & Promotion AI
We use an AI system to identify internal candidates for open roles, flag employees for promotion, or score readiness for advancement. The tool analyses performance data, skills assessments, and career history to generate recommendations.
Personal AI Accounts
Members of our recruiting team use personal AI accounts — including ChatGPT Plus, Gemini Advanced, or similar consumer-tier tools — to assist with recruiting tasks such as summarising CVs, drafting candidate communications, preparing interview questions, and scoring or comparing candidates.
Context — Your role under the EU AI Act
Three orientation questions to determine which obligations apply to your organisation. These are not scored — your answers shape the questionnaire that follows.
Art. 26
Do you use one or more third-party AI hiring tools — such as an ATS with built-in AI screening, an interview-analytics vendor, or a candidate-matching service — supplied as-is by the vendor and used in your hiring process?
Art. 25(1)(c)
Has anyone in your hiring or talent function built or configured a custom GPT, AI agent, automation, or workflow that uses a general-purpose AI tool — such as ChatGPT, Claude, Gemini, Microsoft Copilot, or any foundation-model API — to assist with candidate sourcing, screening, evaluation, interview analysis, communication drafting, or worker monitoring?
Art. 25(1)(a)–(b)
Has your organisation placed its name or trademark on a hiring AI system already on the market, or made substantial modifications to a hiring AI system already placed on the market or put into service?
Banned AI Practices
Prohibited · Art. 5
These uses are absolutely forbidden in the EU regardless of consent or business justification. A single "Yes" here is a critical violation requiring immediate redesign.
Art. 5(1)(a)
1. Does your AI system use subliminal techniques that operate below a person's consciousness to materially distort their behaviour in ways that may cause harm?
Art. 5(1)(c)
2. Does your system score, rank, or classify people based on their social behaviour or personal characteristics in a way that leads to detrimental treatment unrelated to the context in which the data was collected?
Art. 5(1)(h)
3. Does your AI system perform real-time remote biometric identification (e.g. facial recognition) of individuals in publicly accessible spaces? (Note: Art. 5(1)(h) restricts this to law enforcement contexts with narrow exceptions; private-sector use in publicly accessible spaces engages other prohibitions and high-risk obligations.)
Art. 5(1)(g)
4. Does your AI system use biometric categorisation to infer sensitive attributes such as political opinions, religious beliefs, race, or sexual orientation of candidates?
Art. 5(1)(b)
5. Does your AI system exploit the vulnerabilities of specific groups (age, disability, socioeconomic situation) to materially distort a candidate's or worker's behaviour in a way that causes harm?
Art. 5(1)(f)
6. Does your AI system infer or recognise emotions of candidates or workers in the context of recruitment, interviews, assessments, or workplace monitoring? (Excludes systems put in place strictly for medical or safety reasons.)
Employment & Worker Management AI
High Risk · Annex III §4
AI systems used for recruitment, selection, promotion, termination, or task allocation are explicitly listed as High-Risk. If your system falls here, extensive obligations apply.
Annex III §4(a)
1. Does your AI system make or meaningfully contribute to decisions about advertising, targeting, or filtering of job vacancies to specific individuals?
Annex III §4(a)
2. Does your AI system assist in screening, filtering, scoring, or ranking of applications, CVs, or candidates during recruitment?
Annex III §4(a)
3. Does your AI system assess, evaluate, or score candidates during job interviews or assessment processes?
Annex III §4(b)
4. Does your AI system monitor employee performance, allocate tasks, or make decisions about promotions, pay, or termination?
Select N/A only if your AI hiring stack does not extend to post-hire workforce monitoring, performance evaluation, task allocation, promotion, or termination decisions. Annex III §4(b) covers AI used in employment relationships beyond initial hiring; if no system in your stack performs these functions, this question is out of scope.
Compliance Requirements
Art. 8–15 (providers) · Art. 26 (deployers) · Art. 27 (specific deployers) · Art. 49 (registration)
High-risk AI hiring systems trigger obligations under both Chapter III of the EU AI Act and the deployer-facing duties of Art. 26. The questions below cover both. If you confirmed pure-deployer status in the role questions, the provider-only questions (Art. 9, 10, 11, 13, 15, 43/49) will offer N/A; if you build agents or workflows on consumer AI tools, those provider obligations apply to you in respect of the systems you build.
Art. 9
1. Do you have a documented risk management system in place that is continuously reviewed throughout the AI system's lifecycle?
Art. 10
2. Are your AI training, validation, and testing datasets governed by data governance practices that address potential biases?
Art. 11
3. Do you maintain comprehensive technical documentation as specified in Annex IV before placing your AI system on the market?
Art. 13
4. Is your AI system designed to be sufficiently transparent so that deployers can interpret outputs and use the system appropriately?
Art. 14
5. Does your system allow for effective human oversight, including the ability for humans to override, interrupt, or correct decisions?
Art. 15
6. Has your AI system been tested for accuracy, robustness, and cybersecurity, including resilience against attempts to manipulate outputs?
Art. 43 / Art. 49
7. Has your AI system undergone a conformity assessment and been registered in the EU database before deployment?
Art. 27
8. As a deployer, do you conduct a Fundamental Rights Impact Assessment (FRIA) before deploying the AI system?
Select N/A only if you are a private-sector deployer that does not provide public services and does not use the system for the Annex III §5(b) or §5(c) use cases (creditworthiness, or risk pricing in life and health insurance). Article 27 FRIA is required before first use only by deployers that are bodies governed by public law, private operators providing public services, or deployers of Annex III §5(b)/§5(c) systems. A standard private-sector employer deploying an Annex III §4 hiring system does not have a FRIA obligation, although a GDPR Art. 35 DPIA will typically still apply.
Art. 4
9. Have you taken measures to ensure a sufficient level of AI literacy among staff who operate or use AI in recruiting, taking into account their training, experience, and the context of use?
Candidate Transparency
Art. 50 · Art. 26(7) · Art. 86 · GDPR Art. 22
Candidate-facing transparency for AI in hiring sits across three distinct anchors with different scopes. AI Act Art. 50 imposes specific disclosures for narrow scenarios — direct interaction with AI systems, emotion recognition, biometric categorisation, and certain synthetic content. AI Act Art. 26(7) requires deployers to inform workers and their representatives before putting a high-risk system into service in the workplace. AI Act Art. 86 gives an affected person the right to obtain a clear and meaningful explanation from the deployer, but only where a decision is based on output from a high-risk Annex III system (excluding §2), produces legal or similarly significant adverse effects, and where the explanation is limited to the role of the system and the main elements of the decision. GDPR Art. 22, read with Art. 15(1)(h) and post-SCHUFA case law (C-634/21), provides a complementary route to information about the logic involved in solely automated decisions with legal or similarly significant effects. These provisions overlap but are not interchangeable.
Art. 50(1)
1. Are candidates clearly informed when they are interacting with an AI system rather than a human (e.g. in chatbot screening or AI-conducted interviews)?
Select N/A only if no part of your AI hiring stack involves direct interaction with candidates — i.e. no chatbot, no conversational interview agent, no automated outreach with a conversational layer. Article 50(1) applies only where a natural person interacts with an AI system, and the obligation is also waived where the AI nature is obvious to a reasonably well-informed person.
GDPR Art. 22 · AI Act Art. 26(11) · AI Act Art. 86
2. Are candidates provided with meaningful information about the logic, significance, and consequences of automated decision-making that affects them?
Art. 86
3. For high-risk AI hiring systems under Annex III §4 that produce a decision with legal or similarly significant adverse effects on a candidate, can the candidate obtain — on request, from your organisation as deployer — a clear and meaningful explanation of the role the AI system played in the decision and the main elements of the decision taken?
Art. 50(4)
4. If your AI generates deep-fake images, audio, or video — or AI-generated text published to inform the public on matters of public interest — is this content disclosed as artificially generated, as required by Art. 50(4)?
Select N/A only if your hiring AI does not generate deepfake audio, video, or image content, and does not produce AI-generated text published to inform the public on matters of public interest. Article 50(4) is a narrow obligation triggered by those specific outputs; routine candidate emails, job descriptions, AI-drafted communications, and internal content do not engage it.
Art. 26(7)
5. Have you informed worker representatives and affected workers, in accordance with Art. 26(7), before putting into service or using AI systems that monitor or evaluate workers — and complied with any stricter consultation requirements under national law?
Select N/A only if your organisation has no workers or worker representatives in the EU/EEA who would be affected by the AI system, or you do not deploy any AI that monitors or evaluates workers. Article 26(7) applies wherever a deployer puts a high-risk Annex III system into service in an EU workplace; national worker-representation law (works councils, etc.) layers on top.
Every piece of personal data processed by your AI must have a valid lawful basis under GDPR Art. 6, and special category data (biometrics, health, etc.) requires an additional condition under Art. 9. Recruitment creates particularly acute exposure.
GDPR Art. 6(1)
1. Have you identified and documented a valid lawful basis (consent, legitimate interests, legal obligation, etc.) for each category of personal data your AI system processes about candidates?
GDPR Art. 9(1)–9(2)
2. If your AI processes biometric data, health data, racial/ethnic origin, or other special category data, have you identified a valid Art. 9(2) condition (e.g. explicit consent, legal obligation)?
Select N/A only if your AI system genuinely processes no biometric data, health data, racial or ethnic origin, or other special category data at any stage of the hiring or assessment process.
GDPR Art. 5(1)(b) · Art. 5(1)(c)
3. Is your AI system limited to processing only the minimum personal data necessary for the stated recruitment purpose (data minimisation), and are you not repurposing data collected for one role to assess candidates for another without fresh consent?
GDPR Art. 13–14
4. Do candidates receive a clear privacy notice at the point of data collection that specifically mentions AI processing, profiling, and any automated decision-making?
Automated Decision-Making & Profiling
GDPR Art. 22 · Recital 71
Art. 22 gives candidates the right not to be subject to solely automated decisions with significant effects. This intersects directly with AI screening, scoring, and shortlisting — and is one of the most litigated GDPR provisions in HR.
GDPR Art. 22(1)
5. Are candidates subject to decisions based solely on automated processing — including AI scoring or screening — that produce significant effects such as rejection or shortlisting, without meaningful human review?
GDPR Art. 22(2)–(3)
6. If you rely on an Art. 22 exception (contract necessity or explicit consent), have you implemented suitable safeguards including the right to obtain human intervention, to express a view, and to contest the decision?
Select N/A only if you answered No to the previous question (question 5, GDPR Art. 22(1)) — if there is no automated decision-making with significant effects, there is no Art. 22 exception to invoke and no safeguards to implement.
GDPR Art. 4(4) · Recital 71–72
7. Does your AI system create profiles of candidates — combining data points about behaviour, performance, location, or characteristics — and have you addressed this profiling activity explicitly in your data governance?
Candidates are data subjects with full GDPR rights — access, erasure, rectification, portability. AI systems that store candidate profiles, scores, or inferences must be built to support these rights operationally, not just in policy.
GDPR Art. 15
8. Can candidates submit a Subject Access Request (SAR) and receive, within one month, all personal data held about them — including AI-generated scores, inferences, and profile data?
GDPR Art. 17
9. Can candidates request erasure of their data ('right to be forgotten'), and does this erasure propagate through AI training datasets and model outputs where technically feasible?
GDPR Art. 21
10. Can candidates exercise their right to object to processing based on legitimate interests — including AI profiling — and does your system have a mechanism to record and act on such objections?
Select N/A only if your lawful basis for processing candidate data is not legitimate interests and you do not process candidate data for direct-marketing purposes. Article 21(1) objection rights are tied to legitimate interests and public-interest processing; Article 21(2) gives an unconditional objection right against direct marketing regardless of lawful basis.
GDPR Art. 5(1)(e)
11. Do you have and enforce a data retention policy that limits how long candidate data — including AI scores and profiles — is stored, and are unsuccessful applicants' data deleted within a defined period?
AI recruiting tools almost always involve third-party processors (SaaS vendors, model providers). You remain the controller — responsible for vendor due diligence, DPAs, and international transfer compliance. This is frequently where breaches occur.
GDPR Art. 35
12. Have you conducted a Data Protection Impact Assessment (DPIA) before deploying your AI recruiting system? (A DPIA is mandatory for systematic profiling with significant effects and for large-scale processing of special category data.)
GDPR Art. 28
13. Do you have a Data Processing Agreement (DPA) in place with every AI vendor or third-party tool that processes candidate personal data on your behalf?
GDPR Art. 44–49
14. If your AI vendor processes candidate data outside the EEA (e.g. US-based SaaS, cloud infrastructure), have you verified that an adequate transfer mechanism is in place (e.g. adequacy decision, SCCs, BCRs)?
Select N/A only if your hiring data processing involves no transfer of personal data outside the EU/EEA — i.e. all systems, processors, sub-processors, and cloud regions involved in candidate processing are EU/EEA-based. If any element sits outside the EU/EEA, Articles 44–49 apply and this question is in scope.
GDPR Art. 37–39
15. If your organisation processes personal data on a large scale as a core activity, have you appointed a Data Protection Officer (DPO) and involved them in the AI recruiting system design and review?
Select N/A only if your organisation does not meet either Art. 37(1) mandatory-DPO trigger — i.e. your core activity does not involve regular and systematic monitoring of data subjects on a large scale, and your core activity does not involve large-scale processing of special category data. A sole trader or small agency using a basic ATS is unlikely to meet either threshold.
Shadow AI — Personal Accounts Used for Recruiting
GDPR Art. 28 · GDPR Art. 5 · EU AI Act Annex III §4 · EU AI Act Art. 26
Personal AI subscriptions used informally for recruiting tasks represent one of the most widespread and least governed sources of AI compliance risk. The organisation remains the data controller regardless of whether the tool was personally purchased — and all EU AI Act and GDPR obligations follow the data, not the procurement route.
GDPR Art. 28
1. Are members of your recruiting team using personal or consumer-grade AI accounts to process candidate personal data — such as pasting CVs, interview notes, or assessment scores into ChatGPT, Gemini, Copilot, or similar tools — without a Data Processing Agreement in place between the organisation and the AI provider?
GDPR Art. 5(1)(b) · Art. 5(1)(f)
2. Has the organisation verified that the personal AI accounts being used by recruiting staff do not use conversation data — including candidate CVs, interview notes, and assessment outputs — to train or improve the AI provider's models?
Select N/A only if recruiting staff do not use any personal or consumer-tier AI accounts (e.g. ChatGPT, Gemini) for any candidate-related task — i.e. all AI use is via enterprise/business accounts with contractual no-training guarantees.
EU AI Act Annex III §4
3. Has the organisation assessed whether the informal use of personal AI tools for candidate screening, scoring, or comparison constitutes deployment of a High-Risk AI system under Annex III of the EU AI Act — regardless of how the tool was procured?
GDPR Art. 13 · EU AI Act Art. 50 · Art. 26(11)
4. Are candidates informed when personal or consumer-grade AI tools have been used to assist in reviewing, scoring, or assessing their application — even informally?
EU AI Act Art. 4 · Art. 26(1) · GDPR Art. 24 · Art. 32 · Art. 5(2)
5. Does the organisation have a formal policy governing the use of personal, consumer-grade, or individually-licensed AI tools in recruiting — including what data may and may not be entered, which tools are permitted, and what records must be kept?
This tool is for informational and self-assessment purposes only and does not constitute legal advice. The EU AI Act (Regulation (EU) 2024/1689) and GDPR (Regulation (EU) 2016/679) are complex legal instruments — always engage qualified legal counsel before deploying AI systems in employment contexts. References to Articles are indicative and based on Regulation (EU) 2024/1689 as published in the Official Journal of the European Union on 12 July 2024, and GDPR as enforced by EU/EEA Data Protection Authorities.