AI in recruitment and HR: what every employer needs to know
AI in recruitment, selection and workforce management falls under Annex III of the AI Act and counts as high-risk — for every employer, regardless of sector or size. Emotion recognition in the workplace is banned, AI literacy already applies, and the GDPR runs in parallel for automated decisions.
Short answer: AI used in recruitment, selection and workforce management falls under Annex III of the AI Act and counts as high-risk. This is not limited to one sector or company size — it affects every employer with an HR function. On top of that, emotion recognition in the workplace has been banned since 2 February 2025, the AI-literacy duty already applies, and the GDPR sets parallel requirements for automated decisions about people.
Why HR is a focal point
In Annex III the AI Act designates a number of use areas as high-risk. Employment and workforce management is one of them. Concretely, it covers AI systems used for:
- recruiting and selecting staff — think targeted job advertising, filtering applications and evaluating candidates;
- decisions on terms of employment, promotion or termination;
- allocating tasks based on behaviour or personal traits;
- monitoring and evaluating the performance of workers.
That is the very heart of the HR function. A CV-screening tool, an algorithm that ranks applicants or a system that measures productivity quickly falls within scope.
What is outright banned
One HR use is banned entirely: AI that infers emotions in the workplace (Art. 5). Since 2 February 2025 you may not use AI to analyse employees' emotional state — for example through camera or voice analysis during work or interviews. A narrow exception applies only for medical or safety purposes.
What high-risk means in practice
A high-risk HR system carries heavy requirements. Part of these sit with the system's provider (risk management, data quality, technical documentation, CE marking). But as an employer you are usually the deployer, and you have duties too:
- Human oversight (Art. 14): a human must be able to assess and override the outcome — an algorithm may not decide about a candidate or worker unchecked.
- Informing workers (Art. 26): you must inform workers (and, where applicable, their representatives) that they are subject to a high-risk AI system.
- Fundamental rights assessment (Art. 27): certain deployers — mainly public bodies and some private parties — must carry out a FRIA before use.
If you put your own name on a system or substantially modify it, you can become a provider yourself, with the heavier duties that entails.
The GDPR runs alongside
The AI Act comes on top of the GDPR, not instead of it. Recruitment and HR revolve around personal data, often special-category data. Article 22 GDPR protects people against decisions based solely on automated processing that significantly affect them — such as an automatic rejection. You need a valid legal basis, transparency and a route to human intervention.
No escape via sector or size
There is no sector exemption and no size threshold: the rules apply whether you are a staffing agency, a hospital, a municipality or an SME with ten people. For a sector-specific worked example, see AI in recruitment in logistics; the logic is the same.
What to do
- Inventory the AI you use in recruitment and HR — tools that "smartly" match or screen often fall within scope. See the overview of high-risk obligations.
- Classify each system: prohibited, high-risk or a lighter regime.
- Build in human oversight before any decision affecting a person.
- Inform candidates and workers transparently about the use.
- Sort out the AI literacy of your HR and recruitment teams — that duty already applies.
- Set out in supplier contracts how the system meets the requirements and who is liable.
AI in HR is no longer a future concern: the ban on emotion recognition applies today, and the heavier high-risk obligations are phasing in. The employer who inventories now and builds in human oversight will not be caught out later.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Regulation (EU) 2024/1689 (AI Act): Annex III designates employment/workforce management as high-risk; Art. 5 bans emotion recognition in the workplace.
- https://eur-lex.europa.eu/eli/reg/2016/679/oj
General Data Protection Regulation (GDPR), Art. 22: safeguards for decisions based solely on automated processing with significant effects.