Compliance & Legal | February 25, 2026 | 5 min read

GDPR Compliance in AI-Powered Recruitment

A practical guide to GDPR requirements for AI hiring. Data processing agreements, candidate consent, retention policies and the AI Act intersection.

Nikita Kiselov

CTO & Co-founder

If you're using AI in your hiring process and you have candidates from the EU, GDPR applies to you. Here's what that actually means in practice — without the legal jargon.

The basics: what GDPR requires for AI hiring

1. Lawful basis for processing

You need a legal reason to process candidate data with AI. The two most common bases are:

Legitimate interest — you have a genuine business need to evaluate candidates, and the processing is proportionate. This works for most screening scenarios.
Consent — the candidate explicitly agrees to AI-powered evaluation. This is the safest approach and the one most AI hiring tools use.

The key: whichever basis you choose, document it. Have your DPO or legal team sign off on a Legitimate Interest Assessment or ensure your consent flows are properly implemented.

2. Transparency and notification

Candidates must know:

That AI is being used in their evaluation
What data is being collected and processed
How the AI makes its assessment
Who has access to the results
How long the data is retained

This isn't optional. Article 22 of GDPR gives candidates the right to know about automated decision-making that affects them. If your AI tool doesn't tell candidates it's AI, you have a compliance problem.

3. Data Processing Agreement (DPA)

If you're using a third-party AI tool (like an autonomous interview agent), you need a DPA with that vendor. The DPA should cover:

What data the vendor processes
Where the data is stored (EU vs. non-EU)
Security measures in place
Sub-processor list
Data breach notification procedures
What happens to data when the contract ends

4. Right to deletion and access

Candidates can request:

A copy of all data you hold about them
Deletion of their data ("right to be forgotten")
An explanation of how the AI assessed them

Your AI vendor should support these workflows natively. If fulfilling a deletion request requires manual intervention from the vendor's engineering team, that's a red flag.

5. Data retention

Don't keep candidate data forever. Define clear retention periods:

Active candidates: retain during the hiring process
Rejected candidates: 6-12 months is standard (to defend against discrimination claims)
After retention period: automatic deletion

The best AI tools let you configure retention periods per company and handle purging automatically.

The EU AI Act: what's coming

The EU AI Act (in effect from 2026) classifies AI systems used in employment and recruitment as high-risk. This means additional requirements:

Risk management system — documented assessment of risks and mitigations
Data governance — training data must be relevant, representative, and free from bias
Transparency — candidates must be informed they're interacting with AI
Human oversight — a human must be able to review and override AI decisions
Accuracy and robustness — the system must perform consistently and handle edge cases

Companies using AI hiring tools should ask their vendors: "Are you preparing for AI Act compliance?" If the answer is vague, consider alternatives.

Practical checklist

For any company adopting AI-powered screening in the EU:

Data Processing Agreement with vendor signed
Candidate consent flow implemented (pre-interview)
Privacy notice updated to mention AI processing
Retention periods defined and configured
Right-to-deletion workflow tested
Right-to-explanation workflow tested
AI Act readiness assessed with vendor
DPO briefed on the new tool and data flows

How Recruo handles this

Recruo was built with EU compliance as a foundational requirement, not an afterthought:

Candidate consent is collected before every interview starts
Full transparency — candidates are told upfront they're speaking with an AI
Configurable data retention with automatic purging
DPA included in every enterprise contract
Right to deletion handled natively in the platform
Explainable scoring — every score comes with reasoning, not just a number
Certified AI Ethicist on the leadership team overseeing bias monitoring and model audits

GDPR compliance shouldn't be a reason to avoid AI in hiring. It should be a filter for choosing the right AI tool.

Hiring engineers right now?

Book a 30-min discovery call. We'll scope one open role and have a 3-candidate shortlist ready in 5 business days.