AI Act in HR: selection and risk

·

AI systems used for candidate screening, shortlisting, assessment, promotion, task allocation, monitoring or termination may be classified as high-risk under the AI Act. A company that uses them cannot simply rely on the provider's documentation: it must define the purpose, human oversight, input data, monitoring, rights and the criteria for suspending the system.

Which uses may be high-risk

Annex III covers systems intended for:

Classification must examine the specific use and the exceptions in Article 6. HR tools should not be assumed high-risk by default, nor should a "copilot" be assumed exempt simply because of its name.

Roles

The manufacturer is usually the provider, and the company using the system is the deployer. A company can become a provider if it changes the intended purpose, markets the system under its own name, or makes a substantial modification in the cases set out in the Regulation.

The contract does not replace a genuine analysis of control.

AI Act and GDPR

The AI Act does not replace the GDPR or employment law. The company needs:

The AI Act's "high-risk" classification and the high risk referred to in Article 35 GDPR are distinct concepts, even though they frequently overlap.

Automated decisions

Article 22 GDPR protects people from certain decisions based solely on automated processing that produce legal or similarly significant effects. Human review is only genuine if the reviewer has the competence, information, time and authority to change the outcome.

Rubber-stamping a default recommendation, or reviewing hundreds of applications in seconds, is not effective review.

System inventory

The inventory should record:

Embedded AI features activated through an update must also be inventoried.

Candidate and workforce data

The review should cover:

Seemingly neutral variables can act as proxies. Necessity must be justified variable by variable, not by availability.

Assessing the provider

Request:

A claim of "no bias" is not evidence.

Bias and quality

Comparing overall accuracy is not enough. Rates must be analysed by relevant group and by stage:

MetricQuestion
SelectionWho is excluded?
False negativeWho is wrongly rejected?
False positiveWho is favoured without justification?
CalibrationDoes the score mean the same for everyone?
CoverageWhich applications go unprocessed?
OverrideWhen does a person correct it?

Groups and methods are determined on a sound legal and ethical basis, avoiding the creation of new risks.

Human oversight

The supervisor must be able to see:

Using the output as the sole reason is prohibited where the design requires judgement. Overrides are monitored to detect over-reliance or failures.

Transparency

Candidates and staff need clear information about:

This should not be buried in a lengthy policy. Explanations must enable people to act on them.

Deployer obligations

For high-risk systems, Article 26 requires use in line with the instructions, competent oversight, control over the input data under its control, monitoring, and action in response to risks or incidents.

The company keeps logs for the applicable period when they are under its control, and meets the specific employment information obligations where they apply.

Coordinated assessments

You may need:

A shared inventory is used, but each instrument keeps its own requirements.

Involvement and governance

Involve HR, legal, the DPO, security, equality, employee representatives and management. The business owner should not approve this alone.

The policy defines permitted, prohibited and escalation uses. Example: AI may rank applications for review, but must not automatically reject them without approved conditions.

60-day plan

Days 1 to 15

Inventory, classification and pausing uses with no owner.

Days 16 to 30

Provider, GDPR, DPIA and bias assessment.

Days 31 to 45

Oversight, transparency, logs and training.

Days 46 to 60

Pilot, testing, consultation and decision.

Common mistakes

  1. Relying on the provider's label.
  2. Using public data without a legal basis.
  3. Inferring emotions or personality without necessity.
  4. Measuring only overall accuracy.
  5. Calling an automatic rubber-stamp "human review."
  6. Failing to inform people.
  7. Ignoring version changes.
  8. Keeping CVs and scores indefinitely.
  9. Not allowing challenges.
  10. Deploying without internal representation.

Checklist

Frequently asked questions

Is all HR AI high-risk?

No. It depends on the use and its classification. Selection and employment decisions covered by Annex III usually require a more rigorous analysis.

Can AI reject candidates automatically?

This requires analysis under the AI Act, Article 22 GDPR and employment law. In many scenarios, genuine human intervention and safeguards are required.

Can a public CV be used freely?

No. Public availability does not remove the need for a purpose, legal basis, information and rights.

Who is liable, the provider or the company?

Both have obligations depending on their role. The company that deploys the system retains its own responsibilities.

Official sources consulted

Summum Consultoría can coordinate classification, the DPIA, the provider assessment and employment-related controls.