AI Hiring Tools in Germany: EU AI Act & GDPR Compliance Guide (2026)
Short answer
AI hiring tools — including CV screening, video interview analysis, and candidate ranking — are classified high-risk under Annex III of the EU AI Act. German companies face mandatory risk assessments, GDPR obligations, and works council co-determination rights. Deployment without these safeguards creates legal and financial exposure from August 2, 2026.
- CV screening, video interview analysis, and candidate ranking are all classified high-risk under EU AI Act Annex III.
- Works council (Betriebsrat) approval under §87 BetrVG is mandatory before deploying AI hiring tools in Germany.
- GDPR Article 22 restricts purely automated hiring decisions — genuine human oversight is required at all stages.
- Full EU AI Act compliance for high-risk hiring AI is required by August 2, 2026.
AI hiring tools are classified as high-risk under Annex III of the EU AI Act. German companies using AI for CV screening, video interview analysis, or candidate ranking face mandatory risk assessments, works council co-determination rights, and GDPR data minimisation obligations. Deployment without these safeguards creates legal and financial exposure from August 2, 2026 — with fines of up to €15 million or 3% of global annual turnover.
Are AI Hiring Tools High-Risk Under the EU AI Act?
The answer is unambiguous: yes. AI hiring tools fall explicitly within the EU AI Act’s high-risk classification, triggering the most demanding compliance requirements the regulation imposes.
What the AI Act Says About Recruitment AI
Annex III, Point 2 of the EU AI Act lists “employment, workers management, and access to self-employment” as a high-risk category. The Regulation covers AI systems used to:
- Screen and rank job applications and CVs
- Analyse video interviews and assess candidates’ behaviour, speech, or facial expressions
- Score candidates against predefined criteria
- Facilitate hiring or promotion decisions
- Monitor employee performance where outcomes affect employment status
The rationale is direct: hiring decisions significantly affect people’s lives and livelihoods. Any AI system that meaningfully influences these decisions receives the same regulatory scrutiny as AI used in healthcare diagnostics or critical infrastructure.
Which Uses Are Classified High-Risk?
The following table summarises common recruitment AI use cases and their classification:
| Use Case | High-Risk? |
|---|---|
| Automated CV screening and ranking | Yes |
| Video interview analysis (facial, behavioural) | Yes |
| Candidate scoring algorithms | Yes |
| AI-assisted application shortlisting | Yes |
| Predictive assessments (culture fit, performance) | Yes |
| Job board recommendation engines (consumer-facing) | Potentially |
| Grammar correction in job postings | No |
| General HR chatbot (scheduling, informational) | No |
| Interview scheduling tools | No |
The key test: does the AI system influence who gets considered, shortlisted, or rejected? If yes — regardless of whether a human nominally makes the final decision — the system is high-risk.
What Counts as “AI” in Hiring?
The EU AI Act’s definition of an AI system (Article 3) is deliberately broad. It covers any machine-based system that, given a defined objective, generates outputs such as predictions, recommendations, decisions, or content that influence decisions.
Rule-based applicant tracking systems with fixed, transparent criteria are generally not AI systems under the Act. Machine learning models that score CVs against historical hiring patterns are AI systems. Third-party tools embedded in your ATS may be AI systems even if your vendor does not market them as “AI.”
If you are uncertain whether a tool qualifies, review the vendor’s technical documentation. Misclassification is a compliance risk.
EU AI Act Requirements for Hiring AI (August 2026)
High-risk AI systems must meet six categories of requirements under Chapter III, Section 2 of the EU AI Act. These obligations apply to you as the deployer — meaning you carry responsibility even when a vendor provides the underlying AI system. The full obligation set takes effect on August 2, 2026.
For a broader overview of all EU AI Act deadlines affecting German businesses, see our EU AI Act August 2026 deadline checklist.
Risk Management System
You must establish and maintain a documented risk management system throughout the entire lifecycle of the AI system. This is not a one-time assessment — it requires ongoing activity:
- Identifying known and foreseeable risks of the AI system in your specific deployment context
- Estimating and evaluating those risks during use
- Adopting risk mitigation measures that are appropriate and proportionate
- Documenting residual risks and communicating them to relevant personnel
In a hiring context, this means specifically identifying how the AI system might deprioritise candidates from protected groups, how these risks are monitored, what controls are in place, and how those controls are reviewed over time.
Data Governance and Bias Testing
High-risk AI systems must be trained, validated, and tested using data subject to appropriate data governance. Under Article 10, this means:
- Training data is relevant, representative, and sufficiently complete
- Data is free from errors to the extent technically feasible
- Bias detection and correction measures are applied before and after deployment
For hiring AI, this requires regular bias testing to confirm the system does not disadvantage candidates with protected characteristics. The AGG reinforces this requirement under German law. Results must be documented and available to regulators on request.
Human Oversight Requirements
Article 14 requires high-risk AI systems to allow effective human oversight. For hiring tools, this means:
- Humans can understand, verify, and override AI outputs
- Humans can choose to disregard AI recommendations without automated penalty
- The system does not present its outputs as uniquely correct or automatically binding
Purely automated rejection of candidates — with no human review of AI-generated scores — does not satisfy this requirement. Your recruitment process must include genuine human review, not nominal sign-off by a person who simply confirms what the AI has already decided.
Conformity Assessment: When Is It Required?
For most high-risk AI systems covered by Annex III, a conformity assessment is required before deployment. Under Articles 43–46, deployers using off-the-shelf AI products must:
- Verify that the provider has completed conformity assessment procedures
- Obtain the EU declaration of conformity from the provider
- Register the system in the EU AI Act database where required
If you are developing hiring AI in-house or deploying a system without an existing provider declaration, you may need to conduct conformity assessment procedures yourself. This is a significant undertaking and requires specialist legal and technical input.
Technical Documentation
Article 11 requires providers — and in some cases deployers — to maintain technical documentation demonstrating compliance with the Act. This documentation must include:
- A general description of the AI system and its intended purpose
- Design specifications and the development process overview
- Information on training data and the data governance approach
- Monitoring, validation, and testing procedures and results
- Metrics used to evaluate performance, including bias metrics
- Cybersecurity measures
For German companies deploying third-party hiring AI, request this documentation from your vendor and review it before deployment. Absence of adequate technical documentation from a vendor is a warning sign.
GDPR Compliance for AI in Recruitment
The EU AI Act does not replace GDPR — it operates alongside it. In practice, recruitment AI simultaneously triggers multiple GDPR requirements that must be addressed in parallel with AI Act obligations.
Legal Basis for Processing CV and Interview Data
Processing personal data in AI-assisted hiring requires a valid legal basis under Article 6 GDPR. The most appropriate bases in recruitment are:
- Art. 6(1)(b): processing necessary for pre-contractual steps at the candidate’s request — the standard basis for initial CV screening and interview stages
- Art. 6(1)(a): consent — generally problematic in recruitment due to the power imbalance between candidates and employers; not recommended as a standalone basis
- Art. 6(1)(f): legitimate interests — requires a documented balancing test; unlikely to be sufficient on its own for automated scoring of candidates
Where video interview analysis processes facial expressions or tone of voice, Article 9 GDPR may be triggered for special category data (biometric data). This requires either explicit consent or a narrowly defined alternative legal basis. The bar is significantly higher than for standard processing.
DPA/AVV Requirements for AI Vendors
If your AI hiring tool is provided by a third party processing personal data on your behalf, Article 28 GDPR requires a Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) to be in place before deployment begins. This agreement must:
- Define the subject matter, duration, and nature of the processing
- Specify the type of personal data processed and the categories of data subjects
- Confirm the processor implements appropriate technical and organisational measures (TOMs)
- Enable you to fulfil your data subject rights obligations
Many standard vendor agreements contain generic DPA language that may not reflect the specific processing your AI hiring tool performs. Review whether the AVV covers how candidate data is used for model training or product improvement — if candidate data leaves the EU for these purposes, cross-border transfer provisions must also be addressed.
Data Minimisation and Retention
Article 5 GDPR requires that personal data is adequate, relevant, and limited to what is necessary for the processing purpose. In AI-assisted recruitment, this means:
- Only data necessary for the hiring decision should be fed into the AI system — extraneous signals such as postcode or educational institution name create both bias risk and data minimisation violations
- Video interview analysis should not collect or retain emotional inference data beyond what is strictly necessary for the assessment
- Candidate data must be deleted once the retention period expires — typically six months after a hiring decision for unsuccessful candidates, subject to your documented retention policy
Automated Decision-Making (Art. 22 GDPR)
Article 22 GDPR gives candidates the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. In recruitment, automated rejection letters generated by an AI scoring system — without genuine human review — constitute a violation.
To comply, you must:
- Ensure a human meaningfully reviews AI outputs before any decision affecting candidates is communicated
- Be able to provide candidates with an explanation of AI-generated decisions on request
- Allow candidates to contest AI-generated assessments and request human review
The “solely automated” threshold is lower than it sounds. Data protection authorities have held that nominal human oversight — where a person simply confirms AI output without genuine evaluation — does not satisfy the requirement.
Cross-Border Data Transfers
If your AI hiring vendor processes data outside the European Economic Area (EEA), Chapter V GDPR applies. Data transfers to the United States require either Standard Contractual Clauses (SCCs) supplemented with a Transfer Impact Assessment, or reliance on the EU-US Data Privacy Framework where the vendor is certified. Verify your vendor’s transfer mechanisms before deployment — this is a recurring audit finding for HR technology platforms.
German Works Council Rights (Betriebsrat)
For German companies with more than five employees and an established works council (Betriebsrat), AI hiring tools trigger additional requirements under the Betriebsverfassungsgesetz (BetrVG) that operate independently of the EU AI Act and GDPR.
Co-Determination Under §87 BetrVG
Section 87(1) No. 6 BetrVG gives the Betriebsrat a right of co-determination over the introduction and use of technical equipment designed to monitor employees’ behaviour or performance. AI hiring tools that record and analyse candidate behaviour, generate scores or rankings based on individual conduct, or feed data into systems affecting employment decisions fall within this provision.
Critically, this is a blocking right: you cannot legally deploy the AI system until agreement is reached with the Betriebsrat. Proceeding without works council agreement exposes you to injunctions, damages claims, and enforcement proceedings before the Arbeitsgericht (labour court). The cost of non-compliance — in management time, reputational damage, and disrupted recruitment processes — typically far exceeds the cost of getting the process right from the start.
This co-determination right applies even when the AI tool is used for external candidates, if the same system will also be applied to internal hires or promotion decisions.
How to Get Works Council Approval
Early, transparent engagement is the only effective strategy. The Betriebsrat must be:
- Informed in sufficient time to genuinely evaluate the proposed system before a deployment decision is made (§80(2) BetrVG)
- Given access to technical documentation, vendor agreements, and your compliance assessments
- Permitted to consult an external expert at the employer’s cost if the complexity warrants it (§80(3) BetrVG)
Works councils are increasingly well-informed about AI technology. Generic reassurances about vendor certifications are insufficient. Expect detailed questions about algorithm logic, training data sources, bias testing results, and how human oversight operates in practice. Prepare substantive answers.
What a Betriebsvereinbarung Should Cover
A works council agreement (Betriebsvereinbarung) for an AI hiring system should address:
- Scope: which positions and processes the AI system covers
- Transparency: what data is processed, how scoring works, and what weighting is applied to different inputs
- Human oversight: when and how human review is required; who can override AI outputs and how overrides are documented
- Candidate information rights: how candidates are informed about AI use and their right to explanation
- Bias monitoring: how the employer will test for and address discriminatory outputs, and at what intervals
- Data retention: how long candidate data and AI-generated assessments are held
- Dispute resolution: how candidates can contest AI-generated scores and request human re-evaluation
- Review period: when the agreement will be reviewed — typically after 12 months or following any significant system update
Compound Law assists German companies with Betriebsvereinbarung negotiation and drafting for AI hiring systems. For further reading on AI in German employment contexts, see our AI employee monitoring compliance page.
Anti-Discrimination Compliance (AGG)
What the AGG Requires
The Allgemeines Gleichbehandlungsgesetz (AGG, General Equal Treatment Act) prohibits discrimination in access to employment on grounds of race, ethnic origin, sex, religion or belief, disability, age, and sexual orientation. These protections apply equally to human-made and AI-assisted decisions.
If your AI hiring system produces outcomes that disadvantage candidates with protected characteristics — even unintentionally, through proxy variables correlated with protected characteristics in historical training data — you face liability under the AGG. Under §22 AGG, once a candidate presents evidence suggesting discrimination, the burden of proof shifts: the employer must demonstrate the decision was not discriminatory.
This reversed burden of proof makes undocumented AI-assisted hiring decisions particularly risky. If you cannot explain how the AI system reached its conclusions, you cannot satisfy your burden of proof in a discrimination dispute.
Regular Bias Testing
Bias testing is both a legal requirement under the EU AI Act (Article 10) and a practical necessity for AGG compliance. Effective testing should:
- Be conducted before initial deployment and at regular intervals during use
- Cover all protected characteristics under the AGG
- Analyse outcome disparities across demographic groups
- Be documented in writing with results retained as compliance evidence
Where bias is identified, you must address it before continuing to use the system in that configuration. Continuing to deploy an AI hiring system known to produce discriminatory outputs constitutes a knowing violation of both the AGG and the EU AI Act, significantly aggravating your legal exposure.
Compliance Checklist for German Companies
Use this checklist to structure your approach to AI hiring tool compliance:
- Classify the AI system: Confirm whether the tool meets the EU AI Act definition of an AI system and whether it is high-risk under Annex III.
- Request provider documentation: Obtain technical documentation, conformity assessment records, and the EU declaration of conformity from your vendor.
- Review your DPA/AVV: Ensure a compliant Data Processing Agreement covers the specific AI processing, including model training and data transfers.
- Check cross-border transfers: Confirm the legal basis for any data processing outside the EEA, particularly for model training or data storage.
- Establish a legal basis under GDPR: Document your lawful basis for processing candidate data; address Article 9 separately where biometric or special category data is involved.
- Implement genuine human oversight: Design your recruitment process so AI outputs are meaningfully reviewed before any decision affecting candidates is communicated.
- Address Art. 22 GDPR: Establish procedures for candidate explanation requests and human review of automated assessments.
- Build your risk management system: Document identified risks, mitigation measures, and your ongoing monitoring approach in writing.
- Conduct and document bias testing: Run bias assessments against AGG-protected characteristics before deployment and maintain records.
- Engage your Betriebsrat early: Begin works council discussions before procurement — co-determination rights require approval before go-live, not after.
- Draft a Betriebsvereinbarung: Negotiate and execute a works council agreement covering scope, transparency, oversight, bias monitoring, and retention.
- Set a compliance review date: Schedule a review no later than Q1 2027 to assess ongoing compliance against evolving regulatory guidance and enforcement decisions.
For guidance on AI-assisted performance evaluation — which raises similar issues — see our AI performance evaluation compliance page.
How Compound Law Helps
Compound Law advises German companies on the full compliance architecture for AI hiring tools:
- High-risk AI assessment: Classification, conformity review, and gap analysis against Annex III requirements
- GDPR advisory: Legal basis structuring, DPA review, Art. 22 implementation, and transfer compliance
- Works council strategy: Betriebsrat engagement planning and Betriebsvereinbarung drafting
- Bias testing protocols: Designing testing frameworks that satisfy both the EU AI Act and AGG requirements
- Vendor contract review: Ensuring vendor agreements reflect EU AI Act deployer obligations under Articles 25 and 26
- Ongoing compliance monitoring: Structured review as regulatory guidance and enforcement precedent develop ahead of August 2026
Legal and compliance teams managing AI hiring tool projects can also benefit from AI-powered legal research capabilities — see how Claude Enterprise supports legal and compliance teams in Germany for complex regulatory workstreams.