GDPR & Ethics

GDPR and AI Recruitment: Obligations and Best Practices

Legal bases, candidate rights, algorithmic bias: everything recruiters need to know to use AI in compliance with European law.

By RelaSync Team

Artificial intelligence in recruitment raises legitimate legal and ethical questions. Recruiters and HR leaders adopting AI tools have precise obligations regarding personal data protection — and real risks if non-compliant. This guide covers the essentials.

Reminder: why GDPR applies to AI recruitment

The General Data Protection Regulation (GDPR, EU Regulation 2016/679) applies to any processing of personal data of people residing in the European Union. Candidate data — name, email, CV, interview results, behavioral data — are personal data under GDPR.

AI in recruitment creates a particular kind of processing: candidate data isn’t just stored, it’s algorithmically analyzed to produce scores, rankings and recommendations. This automated processing triggers specific obligations.

All personal data processing must rest on a legal basis per GDPR Article 6. In recruitment context, the two most commonly invoked bases are:

Performance of pre-contractual measures (Article 6.1.b): it is lawful to process the data of a candidate who has applied for a specific position. This covers the processing needed to handle their application.

Legitimate interest (Article 6.1.f): often used to retain CVs in a CV database after recruitment ends. But this basis isn’t automatic: it requires a documented balancing test (your interests vs. candidate rights) and limited retention periods.

Consent (Article 6.1.a): technically possible, but difficult to maintain validly over time. Is consent given 3 years ago to store a CV still valid? In most cases, no.

Important point on CV databases: retaining passive candidates in your base for years without valid legal basis exposes your organization to sanctions. The common practice — keeping all CVs indefinitely — is usually non-compliant.

Candidate rights you must respect

Candidates whose data you process have rights they can exercise anytime:

Right of access (Article 15): any candidate can request to see the data you hold about them, including algorithmic scores and recruiter notes.

Right of rectification (Article 16): if data is inaccurate, the candidate can request correction.

Right to erasure (Article 17): the candidate can request data deletion. Exceptions exist (legal obligations, defense of legal claims), but in most cases the request must be honored.

Right to object (Article 21): if your legal basis is legitimate interest, the candidate can object to processing. You must then cease processing except for compelling legitimate reasons.

Right not to be subject to automated decision-making (Article 22): crucial for recruitment AI. If a significant decision (application rejection, interview invitation) is made by an algorithm without human intervention, the candidate can contest it and demand human review.

Automated decisions: a major risk zone

Article 22 of GDPR is the most directly relevant provision for recruitment AI. It prohibits decisions producing legal effects or significantly affecting a person when they’re based solely on automated processing.

In practice, this means:

  • An algorithm can help classify applications, suggest profiles, calculate relevance scores
  • But a final decision (definitive rejection, hiring) must involve real, documented human intervention
  • The recruiter must be able to explain why they retained or excluded a candidate, beyond the algorithmic score

Compliant AI tools — like RelaSync — provide relevance scores as decision aids, never as automatic decisions.

The algorithmic bias question

Beyond law, the ethics of AI recruitment raises the bias question. AI models are trained on historical data — which reflects past human biases.

The canonical example is Amazon in 2018: its AI recruitment tool, trained on 10 years of hiring (predominantly male in tech), had learned to penalize CVs mentioning the word “women.” The tool was withdrawn.

Risks of bias in HR AI tools notably concern:

  • Gender: if your historical hiring is gendered, the model can reproduce this bias
  • Origin: first and last names can be proxies for ethnic origin
  • Age: formulations about “energy” or “flexibility” can disadvantage senior profiles
  • Education: if past hiring favored certain schools, AI can learn this bias

To mitigate these risks: choose tools whose vendors can document debiasing procedures, regularly audit AI outputs for suspicious patterns, and never let AI decide alone.
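One way to run the regular audit described above, as an added example that is not RelaSync's own code: compute, per group of a protected attribute (here gender and age band, two of the bias axes listed above), the shortlist rate, the mean relevance score and an impact ratio against the best-performing group, and flag groups that fall below a threshold for human review. The candidate rows, the attribute names and the 0.8 "four-fifths" threshold are assumptions constructed for the example.

```python
# Added example, not RelaSync code: adverse-impact audit of a recruitment
# tool's outputs. Assumes the tool exports a relevance score and a shortlist
# flag per candidate, and that the audited attribute (gender, age band) is
# collected separately for the audit only. All rows below are constructed;
# the 0.8 "four-fifths" threshold is a common heuristic, not a GDPR rule.
from collections import defaultdict

# Constructed export of the AI tool's outputs for one job opening.
SAMPLE_OUTPUT = [
    {"id": "c01", "gender": "F", "age_band": "30s", "score": 0.81, "shortlisted": True},
    {"id": "c02", "gender": "F", "age_band": "40s", "score": 0.74, "shortlisted": False},
    {"id": "c03", "gender": "F", "age_band": "50s", "score": 0.62, "shortlisted": False},
    {"id": "c04", "gender": "F", "age_band": "30s", "score": 0.79, "shortlisted": True},
    {"id": "c05", "gender": "M", "age_band": "30s", "score": 0.85, "shortlisted": True},
    {"id": "c06", "gender": "M", "age_band": "40s", "score": 0.77, "shortlisted": True},
    {"id": "c07", "gender": "M", "age_band": "50s", "score": 0.70, "shortlisted": True},
    {"id": "c08", "gender": "M", "age_band": "30s", "score": 0.60, "shortlisted": False},
]


def audit(rows, attribute, threshold=0.8):
    """Selection rate, mean score and impact ratio per group of `attribute`.
    impact_ratio = group selection rate / highest selection rate; below
    `threshold` the group is flagged for human review."""
    count, selected, score_sum = defaultdict(int), defaultdict(int), defaultdict(float)
    for row in rows:
        group = row[attribute]
        count[group] += 1
        selected[group] += int(row["shortlisted"])
        score_sum[group] += row["score"]
    rates = {g: selected[g] / count[g] for g in count}
    best = max(rates.values())
    report = {}
    for g in count:
        ratio = rates[g] / best if best > 0 else 1.0
        report[g] = {
            "n": count[g],
            "selection_rate": rates[g],
            "mean_score": score_sum[g] / count[g],
            "impact_ratio": ratio,
            "flagged": ratio < threshold,
        }
    return report


def flagged_groups(rows, attribute, threshold=0.8):
    """Groups whose shortlist rate is disproportionately low (sorted)."""
    return sorted(g for g, r in audit(rows, attribute, threshold).items() if r["flagged"])
```

A flagged group is a signal to investigate, not proof of discrimination: small samples and legitimate job requirements can also produce gaps, which is why the review stays with a human.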

Documentary obligations

GDPR compliance isn’t just behavioral — it’s documentary.

Processing activities register (Article 30): your organization must maintain a register including all your HR data processing, including AI recruitment. For each processing: purpose, legal basis, retention period, recipients, security measures.

Impact assessment (DPIA, Article 35): if you use recruitment AI for decisions significantly impacting candidates, a Data Protection Impact Assessment is probably required. Consult your DPO.

Processor contract: if you use an external vendor for AI (like RelaSync), a DPA (Data Processing Agreement) must be signed, describing the processor’s obligations.

Best practices for compliant use

In summary, here are concrete actions to use recruitment AI in compliance:

  1. Define and document your legal basis for each processing phase (active application, passive CV database)
  2. Limit retention periods: maximum 2 years for rejected applications is good practice
  3. Inform candidates in your privacy policy that you use AI tools to analyze applications
  4. Ensure real human intervention in all hiring or rejection decisions
  5. Train your recruiters on candidate rights and procedures if rights are exercised
  6. Regularly audit your AI tools to detect emerging bias

GDPR compliance in AI recruitment isn’t an obstacle — it’s a framework that, well integrated, builds candidate trust and protects your organization from significant legal risks.
