Using AI in HR: what should be considered from a data protection perspective?

Mona Kalvik, Kaisi Elo · May 27, 2026

Imagine that 150 people apply for a single position. How can an employer identify the five most suitable candidates? How can employee turnover risk be assessed, or how can one analyse which tasks are best suited for a specific individual? In addition, can artificial intelligence be used to prepare legally required documentation to assess the impact of AI use on personal privacy? These questions no longer belong to a distant future but have become part of everyday working life and the discussions surrounding it.

Companies are under increasing pressure to adopt artificial intelligence to improve efficiency and remain competitive. However, in the field of HR, this also brings significant data protection risks and obligations. First and foremost, the employer-employee relationship is characterised by a power imbalance. Employers hold a stronger position, and thus employees are considered a vulnerable group from a data protection perspective, similar to children and the elderly. This means that the processing of employees’ personal data is subject to heightened expectations regarding transparency, lawfulness, and risk mitigation.

The use of AI in HR is primarily influenced by two European Union regulations. The first is the General Data Protection Regulation (GDPR), which has been applicable since 2018, and the second is the Artificial Intelligence Act (AI Act), which entered into force in 2024. In practice, these two regulations may create situations where the objectives of one regulation do not fully align with those of the other. While the AI Act promotes innovation and the adoption of AI technologies, the GDPR imposes strict limitations on the processing of personal data and automated decision-making. For this reason, companies using AI must understand the requirements of both regulations as a whole. Consequently, implementing AI in HR requires not only awareness of technological opportunities but also a deliberate and well-considered approach to data protection, employee rights, and corporate responsibility.

Privacy protection principles can best be illustrated through the example of recruitment, which nearly every employer encounters. One of the core principles of data protection is purpose limitation. Personal data may only be processed for a clearly defined purpose. In recruitment, the purpose is generally to identify a suitable candidate, and therefore, employers collect CVs, motivation letters, and other information necessary for evaluating applicants. The challenge arises when artificial intelligence is used to make candidate selection, interviewing, and hiring more efficient. The moment a candidate’s data is entered into an AI tool, an additional purpose may emerge in the form of training the AI model itself. More specifically, this means that a candidate’s resume or other personal information may not be used solely for making a specific recruitment decision, but also for improving the AI system and its capabilities. In such cases, this must be clearly communicated to the individual, and there must be a valid legal basis for such processing.

The principle of data minimisation must also be taken into account. Personal data may only be stored for as long as necessary to achieve the intended purpose. For example, in recruitment processes, it is generally considered reasonable to retain candidate data for up to one year after the recruitment decision, as applicants may submit legal claims against the employer during that period. However, with the use of AI, an important question arises: does the company actually know how long the data entered into the AI system is retained? The situation becomes even more complicated if the data continues to be used for model training purposes. If the employer is unable to control or explain retention periods, this may conflict with the GDPR’s principle of data minimisation.

One of the greatest risks associated with AI in HR is automated decision-making. Traditionally, candidates are profiled during recruitment based on various criteria such as previous experience, language skills, test results, interview impressions, and similar factors. The role of AI is to make this process more convenient and efficient. However, this may create situations where machines make decisions about individuals, or at least strongly influence such decisions. In these circumstances, there may be a direct impact on a person’s life – for example, a candidate may not be invited to an interview or may lose out on a job opportunity altogether. From a data protection perspective, a particularly concerning issue is that explaining the reasoning behind AI-generated decisions is often extremely difficult.

In addition, AI models may produce discriminatory outcomes. For instance, when recruiting software developers, an AI system may begin favouring male candidates if it has been trained on historical data in which developer roles were predominantly occupied by men. For this reason, it is always necessary to assess whether the benefits gained from using AI outweigh the potential risks to individuals’ rights and freedoms. It is important to understand that responsibility for the personal data of employees and candidates always remains with the employer, who acts as the data controller. When an organisation uses an AI-based solution, the AI service provider generally acts as the data processor.

If AI is used in HR for processing employees’ personal data, there is often an obligation to conduct a Data Protection Impact Assessment (DPIA). The purpose of a DPIA is to evaluate the risks AI use may pose to individuals’ privacy, determine whether such processing is proportionate, and identify measures for mitigating potential risks. The assessment must be conducted before implementing the AI system, not afterwards. At the same time, it is worth noting that using AI to prepare such an assessment may itself be problematic. If the risks of AI are being evaluated, relying on the same technology to produce the assessment may create a conflict of interest.

Risks can be mitigated through anonymisation of personal data, limiting the use of AI to specific tasks or stages of a process, and preferring solutions that do not use data for model training. Furthermore, the final decision-making authority regarding employee-related matters must always remain with humans rather than AI systems. Employers must also be able to explain how AI processes data, who has access to it, how long it is retained, and whether the information is used for model training. This information is usually provided through a privacy policy describing the purposes of processing, the legal basis, and the categories of personal data being used. However, with AI systems, ensuring such transparency may become more difficult, as employers themselves may struggle to obtain a full understanding of how the AI system functions.

Artificial intelligence can be a valuable tool in HR, but its use requires a conscious, responsible, and transparent approach. As AI increasingly affects people’s working lives and the processing of personal data, final decision-making authority must remain with humans, while employers are responsible for ensuring lawful and secure data processing. When potential risks are recognised and mitigated appropriately, AI can become a valuable support tool for employers rather than a data protection risk.