AI Recruitment and GDPR: What Recruiters Must Get Right
AI screens CVs and ranks candidates, but GDPR bites: data minimisation, Article 22 human review, EU AI Act high-risk. The recruiter's guide.
The short answer: yes, AI can help you recruit, but GDPR governs every step. A CV is personal data. Some of it is even sensitive, like health or ethnicity. GDPR requires data minimisation (Article 5). Give the AI only what the task truly needs. Article 22 governs fully automated decisions. A rejection decided by the machine alone can be unlawful without human review. The EU AI Act classes AI recruitment as high-risk. And pasting a CV into a consumer AI adds a retention risk. The fix comes down to three words: minimise, anonymise, keep a human in the loop.
A CV is personal data (and sometimes sensitive)
A CV holds a lot of personal data. Name, contact details, work history, sometimes a photo. Some information goes further. Health, ethnicity inferred from diversity monitoring, opinions. GDPR calls these 'special category' data (Article 9). They need an extra legal condition. GDPR also sets data minimisation (Article 5(1)(c)). You process only data that is adequate, relevant and limited to what the role needs. This rule applies to you. It also applies to any AI you use.
In practice, several GDPR duties stack up from the very first application you receive.
- A lawful basis to process applications (Article 6).
- An extra condition for sensitive data (Article 9).
- Minimisation: only data that the role needs (Article 5).
- Transparency: tell candidates the AI is involved (Articles 13 and 14).
Automated decisions: what Article 22 requires
Article 22 of the GDPR targets a precise case. Decisions based solely on automated processing. And that produce a legal or similarly significant effect. A rejection or ranking that seals an application can fall in scope. When it applies, the candidate has rights. To be informed. To obtain genuine human intervention. To express their point of view. To contest the decision.
Article 22's scope is narrow and contested. If a recruiter truly reviews the output and can override it, the decision often falls outside the ban. But the human in the loop must be real. Not a rubber stamp. Europe's top court and regulators read Article 22 broadly. So a fully automated rejection, with no review, can be unlawful.
The EU AI Act classes recruitment as high-risk
The EU AI Act, Europe's regulation on artificial intelligence, points the same way. It classes AI systems for recruitment and selection as 'high-risk' (Annex III). That covers targeting job ads, filtering applications and evaluating candidates. High-risk status triggers obligations. Risk management, data governance, human oversight, transparency, record-keeping. These obligations phase in over time, broadly around 2026-2027.
A word on scope. The EU AI Act applies in the EU and the EEA. It does not apply directly in the United Kingdom. There, the UK GDPR and the Data Protection Act 2018 govern the topic, under the ICO's oversight. In France, the CNIL is the reference authority on employment and recruitment.
| Duty | What it means in practice |
|---|---|
| Minimisation (GDPR Art. 5) | Give the AI only the data the role needs |
| Lawful basis (GDPR Art. 6 and 9) | Justify the processing; extra condition for sensitive data |
| Automated decision (GDPR Art. 22) | Genuine human review before any significant rejection |
| Transparency (GDPR Art. 13 and 14) | Tell candidates the AI takes part in screening |
| High-risk (EU AI Act, Annex III) | Risk management, oversight, record-keeping |
What the ICO found when it audited the tools
In November 2024, the ICO published the outcomes of voluntary audits of AI recruitment tools. It issued nearly 300 recommendations. The findings are telling. Some tools collected far more data than needed. Others kept it with no time limit. Some let recruiters filter candidates by protected characteristics. Others inferred gender or ethnicity from a name, rather than asking.
The ICO's key recommendations fit in a few lines. Fairness, transparency and explainability. Genuine human review of AI outputs, to catch bias and errors. Minimise and process data lawfully. And run a Data Protection Impact Assessment (a DPIA) before deploying the tool, not after.
The consumer-AI trap
Pasting a CV into a consumer AI adds a second risk. Beyond the screening decision itself. The candidate's data can be retained. Reviewed by staff. Or used to train the vendor's models, under the default settings. This is processing the recruiter often has not disclosed to the candidate. And has no lawful basis for.
A recent case shows this risk. In 2024, Italy's authority (the Garante) fined OpenAI 15 million euros, over ChatGPT's training and transparency. In March 2026, a Rome court annulled the fine. But on jurisdictional grounds, not on the merits. The substantive question stays open. The case is about model training, not recruitment. It simply shows why candidate data should not leave in the clear.
The fix: minimise, anonymise, keep the human
Good news: AI is still a useful recruiting tool. It can draft a job ad. Summarise a cover letter. Compare skills. For that, it does not need the candidate's identity. Strip the direct identifiers before the prompt. Give the model only the material the task needs.
When you must process a real CV, anonymise it first. Replace the name, the contact details and the identifiers with tokens. The AI then reasons about skills, never about identity. You restore the real values afterwards, locally. And you keep a human for the final decision.
- 1Minimise: process only the data the role needs.
- 2Anonymise direct identifiers before any prompt.
- 3Keep a human who can review and overturn the screen.
- 4Tell candidates the AI takes part in the process.
- 5Run a Data Protection Impact Assessment (DPIA) before deploying.
- 6Check the tool won't train its models on your data.
That's what ONYRI Sanitize is for. The engine spots the sensitive data in a CV — name, contact details, identifiers — and replaces it with reversible tokens before sending. Detection and the mapping stay in your browser. Only anonymized text reaches the model. The AI sees only tokens, never the candidate's real identity. You hold the minimisation GDPR requires, and you keep a human for the final decision.
Frequently asked questions
- Is AI recruitment GDPR-compliant?
- It can be, under conditions. A CV is personal data. GDPR requires minimisation (Article 5), a lawful basis and transparency. Article 22 requires genuine human review before any significant automated rejection. The EU AI Act classes AI recruitment as high-risk. Best practice: minimise, anonymise identifiers, keep a human in the loop and run a DPIA.
- Is a job rejection decided by an AI lawful?
- Not if it's fully automated with no safeguard. Article 22 of the GDPR governs decisions based solely on automated processing with a significant effect. A job rejection can fall in that scope. The candidate has a right to human intervention, to give their view and to contest. Genuine human review — not a rubber stamp — is the safeguard.
- Can I paste a CV into ChatGPT to screen it?
- Better to avoid it in the clear. The candidate's data can be retained, reviewed or used for training, under the default settings. This is processing often not disclosed to the candidate. The ICO even flagged over-collection and indefinite retention. Anonymise the identifiers before you send, and use tools with proper terms.
Sources & references
- General Data Protection Regulation (EU 2016/679) — data minimisation (Art. 5) and automated individual decision-making (Art. 22) — EUR-Lex (Publications Office of the European Union)
- Regulation (EU) 2024/1689 (EU Artificial Intelligence Act) — Annex III classes recruitment and selection AI as high-risk — EUR-Lex (Publications Office of the European Union)
- ICO intervention into AI recruitment tools leads to better data protection for job seekers (audit outcomes, November 2024) — Information Commissioner's Office (ICO)
Keep your sensitive data in your browser
ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.
Anonymize my prompt