A mid-sized Warsaw technology company had built its entire talent pipeline around an AI-powered CV screening tool. The system ranked candidates automatically, filtered applications by keyword clusters, and recommended shortlists to hiring managers. Nobody had mapped the tool against the EU AI Act. When the company's legal team finally asked the question, the answer was uncomfortable: the system almost certainly qualified as a high-risk AI application under European Union regulation.

Under the EU AI Act, AI systems used in employment, worker management, and access to self-employment are classified as high-risk. This classification triggers a mandatory set of obligations – including conformity assessment, technical documentation, human oversight mechanisms, and registration in the EU database – before the system may lawfully be deployed. Polish employers who rely on automated recruitment tools face these requirements regardless of where the tool's developer is based.

This case study traces the steps taken to bring that Warsaw company into compliance. It covers the initial risk classification, the documentation and governance work, the GDPR interface, and the practical lessons that apply to any Polish business using AI in hiring.

What made the recruitment tool a high-risk AI system?

The EU AI Act places AI systems used to screen, rank, or filter job applicants in Annex III – the high-risk category. That classification applies from the moment the system influences access to employment. The Warsaw company's tool did exactly that. It scored CVs, applied weighted criteria, and surfaced a ranked shortlist. Hiring managers rarely looked beyond the top ten names. The system was, in substance, making the decision.

Three features confirmed the high-risk classification. First, the tool operated autonomously: no human reviewed the scoring logic before the shortlist was produced. Second, the criteria were opaque – the vendor had not supplied technical documentation explaining how weights were assigned. Third, the output directly affected whether a candidate progressed. Under the AI Act, all three elements point toward high-risk status.

The National Court Register (KRS) filings showed the company had over 200 employees. That scale meant any discriminatory bias in the tool could affect a significant number of individuals. The Polish Data Protection Authority (UODO) had already signalled, in guidance issued in late 2024, that automated profiling in recruitment contexts would receive scrutiny. The company had, in effect, been running a high-risk system without the required safeguards for at least 18 months.

One practical marker: if removing the AI output would require a human to redo the entire shortlisting process from scratch, the system is almost certainly load-bearing – and therefore within scope. That test applied here.

How did the compliance strategy address technical documentation and human oversight?

The AI Act requires deployers of high-risk systems to implement human oversight measures capable of detecting and correcting malfunctions. For a recruitment tool, that means at least one qualified person must be able to understand the system's output, contest it, and override it before any decision affecting a candidate is finalised. The company had no such process. Fixing that was the first structural task.

We worked with the HR director and the vendor to establish a two-stage review. Every shortlist produced by the AI tool would be reviewed by a senior HR professional before it reached a hiring manager. That reviewer received a one-page summary of the scoring criteria and was empowered to remove or add candidates. The review was documented. This created the audit trail the AI Act requires and gave the company a defensible position if a rejected candidate later challenged the process.

Technical documentation was the second challenge. The vendor – a software-as-a-service provider headquartered outside Poland – had not prepared documentation meeting the AI Act standard. After a 30-day negotiation, the vendor agreed to supply a technical file covering the training data description, accuracy metrics, and known limitations. That file was incorporated into the company's own AI system register. The AI Act requires deployers to maintain logs for at least six months after each use of a high-risk system.

We also mapped the GDPR obligations in Poland that run in parallel. Automated decision-making under the General Data Protection Regulation gives candidates the right to obtain human review of any decision based solely on automated processing. The company's privacy notice had not disclosed the AI tool at all. A revised notice, a data protection impact assessment (DPIA), and an updated record of processing activities were completed within eight weeks.

For clients with cross-border data flows – for example, where candidate data is processed on servers outside Poland – the mechanisms described in our analysis of data transfer from Poland to France provide a useful framework for structuring compliant transfers under both GDPR and AI Act obligations.

What were the enforcement risks and how were they quantified?

The AI Act's penalty structure is tiered. Placing a non-compliant high-risk AI system on the market, or putting it into service without meeting the requirements, can attract fines of up to EUR 15 million or 3 percent of global annual turnover – whichever is higher. For a mid-sized technology company, even the lower threshold represents a material exposure. More immediately, a complaint to UODO about the undisclosed automated profiling could have triggered a GDPR investigation running in parallel.

We secured a reversal of an internal compliance finding for a manufacturing client in the Mazowieckie region (autumn 2025), demonstrating that early voluntary remediation – documented and submitted before any regulatory contact – consistently produces better outcomes than reactive correction after an inquiry has opened. The same logic applied here. The Warsaw company's decision to remediate proactively, before any candidate complaint was filed, materially reduced its exposure.

The lost-opportunity dimension was equally significant. The company was preparing a Series B fundraising round. Institutional investors conducting due diligence on a technology company will now routinely examine AI governance. A high-risk system running without conformity assessment, human oversight documentation, or a DPIA would have been a red flag capable of delaying or repricing the round. Compliance was not a regulatory cost. It was a condition for accessing capital on acceptable terms.

IP considerations also arose. The vendor's contract contained no representation that the training data used to build the model was free of third-party IP claims. For companies building or customising AI tools in-house, our Warsaw IP lawyers' analysis of IP protection strategy for tech companies in Poland addresses how to structure ownership and indemnity provisions in AI development agreements.

What lessons transfer to other Polish employers using AI in hiring?

The Warsaw matter produced four transferable lessons. They apply to any Polish employer – from a Kraków fintech to a Silesian manufacturer – that uses any form of automated screening, scoring, or ranking in its recruitment process.

  • Classify before you deploy. Map every AI tool against Annex III of the AI Act before it goes live. Employment and HR systems sit in a named high-risk category. Classification takes days. Remediation after deployment takes months.
  • Demand technical documentation from vendors. A vendor who cannot supply a technical file meeting the AI Act standard is selling a non-compliant product. Build the documentation requirement into procurement contracts, with a 30-day delivery obligation.
  • Build the human oversight layer first. The AI Act's oversight requirement is not satisfied by a theoretical right to override. It requires a documented process, a named responsible person, and a log of decisions reviewed.
  • Run the GDPR compliance check in parallel. Automated profiling in recruitment triggers DPIA obligations and candidate disclosure requirements under GDPR in Poland. The two regimes interact and should be addressed together.

One further point on DORA compliance: financial sector employers using AI tools in recruitment may face an additional layer of ICT risk management requirements under the Digital Operational Resilience Act. The interaction between DORA and the AI Act for in-scope entities is an emerging area that warrants separate assessment.

The compliance timeline, once a company commits to it, is manageable. In this matter, the core documentation and governance work was completed in 11 weeks. Registration in the EU high-risk AI systems database followed. The company entered its fundraising process with a clean AI governance position.

For businesses with real estate assets or operations that intersect with technology infrastructure, the broader compliance picture may also touch property-related regulatory requirements – our real estate practice in Poland can advise where those intersections arise.

The specific circumstances of your business require individual assessment. Running a high-risk AI recruitment tool without conformity documentation, human oversight records, or a DPIA is not a minor oversight – it is an active compliance gap with irreversible consequences once a candidate complaint or regulatory inquiry is filed.

If your company uses AI tools in hiring and has not yet mapped them against the EU AI Act, contact us to discuss a structured compliance review: info@kordeckipartners.com.

Frequently asked questions

Q: Does the EU AI Act apply to Polish companies that simply use an AI recruitment tool built by a foreign vendor?

A: Yes. The AI Act applies to deployers – entities that put a high-risk AI system into service in the EU – regardless of where the developer is based. A Polish employer using a foreign-built CV screening tool is a deployer and must meet the obligations that role carries, including human oversight, logging, and a DPIA under GDPR in Poland. The vendor's obligations and the deployer's obligations are separate and cumulative.

Q: How long does it take to bring an existing AI recruitment tool into compliance?

A: In our experience, a mid-sized company with a single AI recruitment tool can complete the core compliance work – risk classification, technical documentation, oversight process design, DPIA, and privacy notice update – in eight to twelve weeks. The timeline lengthens if the vendor is uncooperative on technical documentation or if the company has multiple AI tools in use across different HR functions. Early engagement with the vendor is the single biggest factor in compressing the timeline.

Q: Is it a common misconception that only AI developers, not employers, are responsible under the AI Act?

A: It is one of the most frequent misunderstandings we encounter. The AI Act creates distinct obligations for providers (developers) and deployers (users). A Polish employer that integrates an AI screening tool into its recruitment process is a deployer. Deployers must implement human oversight, maintain logs for at least six months, conduct DPIAs where required by GDPR, and ensure the system is used within the parameters the provider established. Relying on a vendor's compliance does not discharge the deployer's own obligations.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI Act compliance, IP protection, and technology regulation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.