Most AI tools that organizations deploy for recruitment, CV screening, or performance monitoring fall under the high-risk regime of the AI Act, the most demanding set of obligations for systems the Act permits at all, and many organizations are not yet fully aware of this. For the Data Protection Officer (DPO), this is a key concern, as AI systems in HR directly affect fundamental rights such as equal treatment, access to employment, and the protection of employees and applicants. In this blog, we discuss how AI tools in HR should be classified under the AI Act, outline the main obligations that apply, and explain how a DPO can address these in practice.
The preliminary question: Is it even an AI system?
Before considering classification under the AI Act, the DPO must determine whether the tool is an AI system at all within the meaning of Article 3(1) of the AI Act. The Commission guidelines of February 2025 clarify this delineation.[1] Not every automated HR tool falls under it.
A rule-based 'applicant tracking system' that filters on hard criteria (diploma, driver's license, minimum years of work experience) is likely not an AI system. The decisive element of the Article 3(1) definition is the capacity to infer: from the input it receives, the system works out how to generate outputs such as predictions, recommendations, or decisions that can influence physical or virtual environments, and it does so with some degree of autonomy. Software that merely executes rules fixed entirely in advance by its developers does not infer anything. Note that adaptiveness after deployment, although mentioned in the definition, is not a necessary condition: a system that never learns after deployment can still be an AI system.
A tool that scores candidates on the basis of pattern recognition, derived competencies, or behavioral analysis does meet the definition: it infers a ranking or recommendation from the data it is given. Whether it also keeps learning from interaction with its users is not decisive; such a tool is an AI system with or without that feature.
Annex III makes most HR AI tools high-risk
The AI Act operates with a risk-based system. In practice, four categories are important. First, there are prohibited AI practices, then high-risk AI systems, followed by AI systems for which specific transparency obligations apply, and finally, systems with limited or minimal risk for which the AI Act does not contain a heavy substantive regime.
In the context of HR activities, Annex III point 4 is the legal starting point. It classifies AI systems for recruitment, selection, assessment, promotion, termination, or monitoring of employees as high-risk.[2] This applies not only to systems that make autonomous decisions but also to tools that significantly guide the outcome of a selection procedure. A tool presented by the provider as "supportive" can thus still be high-risk if, in practice, it filters, scores, or ranks candidates.
Article 6(3) provides an exception for Annex III systems that do not pose a significant risk of harm because they do not materially influence the outcome of the decision-making process. This is the case, for example, when the AI system is intended to perform a narrow procedural task or to improve the result of a previously completed human activity. However, this exception is stricter than it seems: it explicitly does not apply when the system performs profiling of natural persons, and such a system is always considered high-risk.[3] In HR tools, profiling quickly becomes relevant, precisely because candidates are analyzed, compared, and ranked on the basis of personal characteristics, behavioral data, or derived probabilities.
‘Emotion recognition’ in the workplace is generally prohibited
Article 5(1)(f) of the AI Act prohibits AI systems that infer the emotions of employees and applicants from their biometric data, unless the system is intended for medical or safety reasons.[4] Software that measures motivation, stress, or engagement from facial expressions or voice analysis is therefore not entering high-risk territory, but prohibited territory.
High-risk: obligations for both provider and employer
With the high-risk classification, a dual track follows. The provider must comply with the product-oriented requirements of Section 2 of Chapter III of the AI Act (Articles 8 to 15) and the provider obligations of Section 3, resulting in a conformity assessment, an EU declaration of conformity, CE marking, and registration in the EU database.[6]
For the DPO, the path of the deployer is particularly relevant. Article 26 obliges the employer, as the deployer, to use the system in accordance with the instructions for use and to take appropriate technical and organizational measures to that end, to assign human oversight to competent persons, to monitor the operation of the system, and to keep the automatically generated logs. In addition, the employer must ensure that the input data are relevant and sufficiently representative for the intended purpose, insofar as it has control over the input data. Specifically for the workplace, the employer must inform the affected employees and their representatives before putting the system into service.[7]
What do you specifically ask the provider?
If the tool qualifies as high-risk, the DPO must check with the provider whether the tool is already set up for the AI Act obligations: is there technical documentation, are there instructions for use, has a conformity assessment been carried out and is an EU declaration of conformity present, does the tool carry a CE marking and, where required, has the provider registered the system in the EU database (Article 49 in conjunction with Article 71)? This database is largely publicly accessible and is thus also a practical checkpoint. Note that an employer that is a public authority must additionally register its own use of the system in that database before putting it into service (Article 49(3)).
In addition, the contractual dimension deserves attention. Most HR AI tools are purchased via a SaaS agreement. The AI Act allocates obligations to providers and deployers by their role; a contract cannot shift those statutory obligations, but it does determine how the parties cooperate in meeting them. The DPO should therefore verify whether the contract contains AI Act-specific clauses: information provision by the provider, cooperation in the DPIA, incident notification obligations, and agreements on what happens if the provider does not complete the conformity assessment in time.
The bridge to the GDPR: DPIA and right to explanation
Article 26(9) AI Act explicitly requires deployers to use the information provided by the provider under Article 13 AI Act when conducting a DPIA under Article 35 GDPR. In an HR context, this is essential: personal data, profiling, a power imbalance, and potentially automated decision-making almost always require a DPIA.
The DPO must distinguish clearly between two rights. Article 22 GDPR gives data subjects the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects them, including a right to human intervention. Article 86 AI Act provides an independent right to a clear and meaningful explanation of the AI system's role in the decision-making procedure and the main elements of the decision, where a deployer takes a decision on the basis of the output of a high-risk Annex III system that has such legal or similarly significant effects, even when the decision itself is not fully automated.[8] Particularly for HR tools that support human decision-making without fully taking it over, Article 86 is the more relevant framework. The DPO would be wise to address both rights in parallel.
The timeline: act now, even before August 2026
The rules on prohibited practices and AI literacy (Article 4) have applied since February 2, 2025. The full obligations for high-risk systems become applicable on August 2, 2026.[9] For HR AI tools already in use, a transitional regime applies: systems placed on the market or put into service before that date come under the high-risk regime only once they are subject to significant changes in their design (Article 111(2)). This does not exempt the deployer from the obligation to exclude prohibited practices and to ensure AI literacy now. Furthermore, the Commission still needs to adopt delegated and implementing acts on, among other things, conformity assessment procedures and the further elaboration of Annex IV.
Enforcement: who supervises?
A final practical point of attention for the DPO is which authority will enforce these rules. The AI Act obliges Member States to designate national market surveillance authorities. In the Netherlands, the designation for the HR domain is not yet final. It is plausible that the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) will play a role where the AI Act and the GDPR converge, but it is currently unclear whether the AP will also acquire broader AI Act powers or whether another body will supervise.
Conclusion: classification determines everything
For the DPO, it boils down to a series of consecutive questions. Is it an AI system within the meaning of the AI Act? If so, does it qualify as high-risk under Annex III? What compliance documentation must the provider supply? What are the contractual agreements? And does the GDPR governance, including the DPIA, align with the AI Act obligations? Anyone who systematically goes through these questions will have the legal basis in order. Anyone who skips them runs the risk that a seemingly handy HR tool will become a compliance problem far greater than the efficiency gain it provides.
_
[1] AI Act, Article 3(1); European Commission, Guidelines on the definition of an AI system, February 6, 2025 (C/2025/1077).
[2] AI Act, Recital 57; Annex III, point 4(a) and 4(b).
[3] AI Act, Article 6(3), final subparagraph.
[4] European Commission, Guidelines on prohibited artificial intelligence practices, February 4, 2025 (C/2025/888), section on Article 5(1)(f).
[5] AI Act, Article 9(4); cf. Directive 2000/78/EC (Equal Treatment Framework Directive) and the Dutch General Equal Treatment Act (Algemene wet gelijke behandeling).
[6] AI Act, Articles 8-15 (requirements for high-risk AI systems), Articles 16-22 (provider obligations), Article 43 (conformity assessment), Articles 47-49 (EU declaration of conformity, CE marking, and registration), Article 71 (EU database). See also Annex IV for the required elements of the technical documentation.
[7] AI Act, Article 26(7). In the Dutch context, this information obligation also triggers Article 27(1)(k) and (l) of the Works Councils Act (Wet op de ondernemingsraden, WOR), which gives the works council a right of consent for rules on the processing of personal data and for systems that monitor employees.
[8] AI Act, Article 86. The relationship with Article 22 GDPR (right not to be subject to solely automated decision-making, including a right to human intervention) and Article 5(1)(a) GDPR (transparency principle) has not yet crystallized in case law or EDPB guidance.
[9] AI Act, Article 113. See also European Commission, 'AI Act applicability timeline', digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai.