
EU AI Act & GDPR Compliance for Hiring

If you use AI for recruiting, promotions, or workforce management, you’re in the EU AI Act’s “high-risk” zone — and GDPR still applies. BiasSignal gives you the audits, controls, and documentation to comply without slowing hiring.

What the law requires (in plain English)

EU AI Act (employment = high-risk)
Using AI to screen CVs, rank candidates, score interviews, manage workers, or decide promotions is classified as high-risk (Annex III). High-risk systems must have: a risk-management process; governed, representative data; technical documentation; logging; human oversight; transparency to affected people; and accuracy/robustness/cybersecurity controls.

Key dates

  • Prohibited uses (e.g., emotion recognition in workplaces, social scoring, certain biometric categorization) apply from February 2, 2025.

  • General-purpose AI transparency obligations begin August 2025.

  • Most high-risk obligations for deployers (employers) apply August 2, 2026. The EU has confirmed it will stick to the schedule.

GDPR (still fully applies)
You need a lawful basis, data-minimization, transparent notices, retention limits, and a way for people to obtain human review of solely automated decisions with legal or similarly significant effects (Article 22). Fines can reach €20M or 4% of global turnover for serious infringements.

What’s at stake: fines & exposure

EU AI Act fines

  • Up to €35M or 7% of global turnover for prohibited practices (e.g., emotion recognition at work).

  • Up to €15M or 3% for other non-compliance with operator duties (e.g., missing risk management, documentation, or oversight).

GDPR fines

  • Up to €20M or 4% of global turnover for serious infringements (e.g., no lawful basis, violating core principles, failing data-subject rights).

How fines can stack (illustrative)

  • Prohibited AI + GDPR miss: A company with €200M turnover that uses emotion recognition in screening (prohibited) and lacks a GDPR lawful basis could face up to 7% (€14M) under the AI Act plus up to 4% (€8M) under GDPR in separate proceedings — €22M total potential exposure. (Actual outcomes depend on facts and authorities.)

  • High-risk non-compliance: A company with €500M turnover that deploys a high-risk hiring model without risk management or documentation could face up to 3% (€15M) under the AI Act, even before GDPR is considered.

How BiasSignal makes compliance practical

1) Inventory & scope (AI Act + GDPR)

  • Map every HR AI use (CV screening, interview scoring, internal mobility) and classify high-risk vs. non-high-risk; link each to a GDPR legal basis and retention rule.

2) Risk management & testing

  • Bias/performance testing with selection-rate, impact-ratio, and error metrics; dataset lineage and representativeness notes.

  • Continuous monitoring (drift, error spikes), incident capture, and immutable logs to support post-market monitoring.
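The selection-rate, impact-ratio and error metrics named above are simple to compute once screening outcomes are logged per applicant group. The following is an added illustration written for this page, not BiasSignal's own code: the screening records are constructed, the "qualified" label stands in for whatever later ground truth a deployer has (e.g., hiring-manager review), and the 0.8 flagging threshold is an assumption borrowed from the widely used four-fifths benchmark rather than anything the AI Act or GDPR prescribes.

```python
"""Selection rates, impact ratios and per-group error rates for a CV-screening model.

Added example for illustration; not BiasSignal's code. All records are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# (group, advanced_by_model, judged_qualified_on_later_review) -- constructed sample:
# ten applicants in group A, ten in group B.
Record = Tuple[str, bool, bool]
RECORDS: List[Record] = (
    [("A", True, True)] * 5 + [("A", True, False)] * 1
    + [("A", False, True)] * 1 + [("A", False, False)] * 3
    + [("B", True, True)] * 3
    + [("B", False, True)] * 3 + [("B", False, False)] * 4
)


def selection_rates(records: Iterable[Record]) -> Dict[str, float]:
    """Share of each group's applicants that the model advanced."""
    seen: Counter = Counter()
    advanced: Counter = Counter()
    for group, adv, _ in records:
        seen[group] += 1
        if adv:
            advanced[group] += 1
    return {g: advanced[g] / seen[g] for g in seen}


def impact_ratios(rates: Dict[str, float]) -> Dict[str, float]:
    """Each group's selection rate divided by the highest group's rate."""
    best = max(rates.values())
    if best == 0:
        # Nobody was advanced at all; ratios are undefined, report zero for every group.
        return {g: 0.0 for g in rates}
    return {g: r / best for g, r in rates.items()}


def error_rates(records: Iterable[Record]) -> Dict[str, Dict[str, float]]:
    """Per-group false-negative rate (qualified but not advanced) and
    false-positive rate (not qualified but advanced)."""
    counts: Dict[str, Counter] = {}
    for group, adv, qual in records:
        c = counts.setdefault(group, Counter())
        c["qualified"] += int(qual)
        c["unqualified"] += int(not qual)
        c["fn"] += int(qual and not adv)
        c["fp"] += int(adv and not qual)
    out: Dict[str, Dict[str, float]] = {}
    for g, c in counts.items():
        out[g] = {
            "false_negative_rate": c["fn"] / c["qualified"] if c["qualified"] else 0.0,
            "false_positive_rate": c["fp"] / c["unqualified"] if c["unqualified"] else 0.0,
        }
    return out


def flag_groups(records: Iterable[Record], threshold: float = 0.8) -> List[str]:
    """Groups whose impact ratio falls below the threshold (0.8 assumed: four-fifths benchmark)."""
    recs = list(records)
    ratios = impact_ratios(selection_rates(recs))
    return sorted(g for g, r in ratios.items() if r < threshold)


if __name__ == "__main__":
    rates = selection_rates(RECORDS)
    for g, r in sorted(rates.items()):
        print(f"group {g}: selection rate {r:.2f}, impact ratio {impact_ratios(rates)[g]:.2f}")
    for g, e in sorted(error_rates(RECORDS).items()):
        print(f"group {g}: FNR {e['false_negative_rate']:.2f}, FPR {e['false_positive_rate']:.2f}")
    print("flagged groups:", flag_groups(RECORDS))
```

On the constructed sample, group B is advanced at half the rate of group A and also has a much higher false-negative rate, which is the pattern a risk-management review would want to capture in the audit record alongside the dataset notes the bullet above mentions.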

3) Technical documentation (Annex IV-style)

  • One-click “technical file” covering intended purpose, model limits, data governance, controls, and evaluation results — formatted for regulators and auditors.

4) Human oversight & explainability

  • Reviewer queues, overrides, and reason views so trained staff can intervene before decisions; evidence for Article 22 safeguards.

5) Transparency to candidates & employees

  • Notice builder and layered explanations describing where AI is used, the logic at a high level, key data used, and available human-review routes.

6) GDPR DPIAs & rights handling

  • DPIA wizard aligned to EDPB criteria; track mitigations, residual risk, and sign-offs.

  • Candidate portal to process access, objection, and human-review requests with SLAs.

7) Vendor diligence & governance

  • Capture supplier attestations, CE/registration checks (where relevant), and instructions for use; version control that flags “significant modifications” needing re-assessment.

What you get

  • Audit pack: bias & performance results, dataset notes, and remediation recommendations.

  • Annex IV-ready technical file and risk-management records.

  • GDPR DPIA and privacy notices you can publish.

  • Human-oversight workflow and decision logs.

  • Executive dashboard with readiness score vs. EU AI Act & GDPR controls.

Getting started

  1. Scope your HR AI use cases (15–30 minutes).

  2. Run BiasSignal’s audit & documentation pack.

  3. Publish notices, assign human overseers, and switch on monitoring.

  4. Review quarterly or on significant model changes.

Book a 30-minute consult to see your tailored roadmap and sample deliverables (use the contact button at the top of the page).

With a focus on business viability, technical feasibility, and legal compliance, we are committed to being the go-to partner for companies striving for fair and equitable hiring processes.
