Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NLยทEN
Analysis

AI matching in temporary agency work and secondment: who is responsible for what?

Adopted 2026-06-22 ยท ≈ 3 min read ยท Dirk Baaijen

Matching AI in agency work and secondment is high-risk (recruitment). The tool vendor is usually provider, the agency deployer; the hirer can become co-responsible. The GDPR demands a clear allocation of roles.

Short answer: AI that matches candidates to assignments is recruitment and therefore high-risk (Annex III, point 4). The vendor of the matching tool is usually the provider, the agency or secondment firm is the deployer, and the hirer can in certain circumstances become co-responsible. The allocation of roles must be fixed in advance, both contractually and in fact.

In the triangle of agency work and secondment, candidate data moves between a tool vendor, an agency and a hiring employer. The AI Act and the GDPR each have their own framework of roles; these do not always coincide, and that is precisely why confusion arises in this chain over who must do what.

Why matching is high-risk

Assigning, ranking or selecting candidates for work falls under recruitment and selection in Annex III, point 4 of the AI Act. A matching algorithm that determines which worker is linked to which vacancy materially co-decides on access to work and is therefore high-risk. That triggers the full set of high-risk obligations. The full overview is set out in High-risk: obligations at a glance.

Who is the provider?

The provider is as a rule the party that develops the AI system, or has it developed, and places it on the market under its own name or trademark: the vendor of the matching software. The provider carries the heaviest load: conformity assessment, technical documentation, quality management, CE marking and registration in the EU database. Note the role shift in Article 25: anyone who substantially modifies the system, changes its purpose or markets it under its own brand can itself become a provider, with all the attendant duties.

Who is the deployer?

The deployer is whoever uses the system under its own responsibility, typically the agency or secondment firm that deploys the tool to match candidates. The deployer must use the system in line with the instructions, arrange meaningful human oversight, monitor input data insofar as it controls it, retain logs and inform data subjects (Article 26). Where decisions about individuals are made, there is in addition a duty to inform the candidate.

And the hirer?

The hirer is not automatically a deployer, but becomes one if it in fact uses the tool's outputs to decide for itself whom to hire or engage, or if it co-controls the tool. In practice the allocation is often mixed: agency and hirer take the selection decision together. Fix contractually, therefore, who plays which role and who carries which obligation.

Shared responsibility and GDPR

Under the GDPR it depends on who determines purposes and means. Often the agency is controller for the candidate pool, while agency and hirer can be joint controllers for the specific placement (Article 26 GDPR), with an arrangement between them. The tool vendor is usually a processor, unless it uses data for its own purposes. Each link needs its own legal basis (Article 6 GDPR) and transparency. See also AI in recruitment and HR.

A practical allocation of roles

Draw up a single matrix setting out, per party, the AI Act role (provider/deployer) and the GDPR role (controller/processor/joint). Require the vendor to supply the conformity documentation and instructions. Agree with the hirer who takes the final decision and is therefore the deployer. Put in place a processor or joint-controllership agreement, a DPIA and clear candidate information. Anyone filtering CV data before a human looks should also read AI and CV screening in recruitment. In a chain, the weakest link is everyone's liability risk.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act); Annex III point 4 (recruitment), Article 25 (role shift) and Article 26 (deployer).
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR); Articles 6 and 26 (joint controllers).

Share on LinkedIn

Read next

A

Provider or deployer in HR AI: who is what?

In HR AI the builder of the ATS or HR tech is usually the provider and the employer the deployer. But an employer can become a provider itself through own branding or substantial modification (Art. 25). The role determines which duties apply.

W

Registering high-risk systems in the EU database (Article 49)

Article 49 of the AI Act requires providers and certain deployers to register high-risk systems in a public EU database before deployment. The registration makes visible which systems are on the market and is a condition for lawful use.

U

Informing workers about AI: the transparency duty of Article 26

Before you deploy a high-risk AI system in the workplace, Article 26 of the AI Act requires you to inform the affected workers and their representatives. This duty sits alongside GDPR transparency and the works council's consent right โ€” and is a separate, auditable step.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.