Trusq

factual analysis · traceable to primary sources

Explainer

Can an algorithm reject a candidate? Automated decisions in recruitment

Adopted 2026-06-20 · ≈ 1 min read · Dirk Baaijen

Rejecting a candidate fully automatically is in principle not allowed: GDPR Art. 22 prohibits decisions based solely on automated processing that significantly affect someone, unless safeguards apply. The AI Act adds human oversight and transparency for high-risk recruitment.

Short answer: Letting an algorithm reject a candidate entirely is in principle not allowed. Article 22 GDPR prohibits decisions based solely on automated processing that significantly affect the person — such as an automatic rejection — unless specific safeguards apply. The AI Act adds human oversight (Art. 14) and transparency for high-risk recruitment.

The GDPR rule: Article 22

An automatic rejection is a decision with significant effects. Article 22 GDPR permits such a fully automated decision only in limited cases (for instance with explicit consent or a legal basis), and always with safeguards. The person then has the right to:

  • information that an automated decision was made and on what logic;
  • human intervention — a genuine assessment by a person;
  • the ability to express their point of view and to contest the decision.

"A human presses the button" is not enough: the human judgement must be meaningful, not a formality.

What the AI Act adds

Recruitment is high-risk (Annex III). The system must therefore be designed so a human can effectively assess and override the outcome (Art. 14), and candidates must know they are subject to such a system (Art. 26). The AI Act and the GDPR reinforce each other here: both require a meaningful human role.

What to do

  • Don't make rejections fully automatic — build in a genuine human assessment before the decision is made.
  • Inform candidates that (and how) AI is used.
  • Offer a route for human review and objection.
  • Document the logic and the human control.
  • See also AI in recruitment and HR for the broader framework.

Automatic filtering is allowed — automatically deciding someone's chance of a job generally is not. The difference lies in the meaningful human assessment before the rejection.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    General Data Protection Regulation (GDPR), Art. 22: safeguards for decisions based solely on automated processing with significant effects.
  2. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Art. 14 (human oversight) and Art. 26 for high-risk recruitment.


About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
