A Warsaw-based technology company deploys an automated CV-screening tool in spring 2026. The system ranks candidates, filters applications, and feeds shortlists to hiring managers – all without human review at the filtering stage. Under the EU AI Act, that tool almost certainly qualifies as a high-risk AI system. The compliance clock is already running.
The EU AI Act (Regulation (EU) 2024/1689) lists AI systems used for recruitment and employment decisions in Annex III, which makes them high-risk. That classification triggers a conformity assessment, technical documentation and human oversight obligations before the system may be placed on the market or put into service. Polish employers deploying such tools face enforcement by the designated national market surveillance authority. Non-compliance with the high-risk obligations carries fines of up to EUR 15 million or 3% of global annual turnover, whichever is higher; the higher ceiling of EUR 35 million or 7% is reserved for prohibited AI practices.
This guide walks through the compliance steps for Polish employers and HR technology vendors. It covers risk classification, the conformity assessment process, GDPR intersections, and the three most common deployment scenarios – manufacturing, IT, and foreign-owned subsidiaries. Each section flags the practical mistakes that most organisations make at that stage.
How does the AI Act classify recruitment tools – and why does it matter?
The EU AI Act lists AI systems intended for the recruitment or selection of natural persons, including placing targeted job advertisements, analysing and filtering applications, and evaluating candidates, in Annex III of the regulation, the high-risk category. The classification applies whether the tool is built in-house or procured from a vendor. The provider carries the core obligations (conformity assessment, technical documentation, registration), while the deployer, the Polish employer, carries its own set of obligations under the Act that do not disappear when the provider is based outside the EU; a non-EU provider must in addition appoint an authorised representative established in the Union.
High-risk classification triggers a specific set of obligations. Before the system is placed on the market or put into service, the provider must register it in the EU database maintained by the European Commission. Technical documentation must be prepared and kept current. A conformity assessment must be completed: for Annex III recruitment systems this is normally the provider's internal control procedure, with a notified body involved only for certain categories such as biometric systems. Human oversight must be designed into the workflow from the start, not added as an afterthought after deployment.
The boundary between high-risk and lower-risk tools is not always obvious. A chatbot that schedules interviews is unlikely to qualify. A system that scores candidates on "cultural fit" using behavioural data almost certainly does. The key question is whether the system makes or materially influences a decision about a person's access to employment. If the answer is yes, treat it as high-risk until a legal assessment says otherwise.
Polish employers should also note that the National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) and the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) are both relevant enforcement bodies here. PIP oversees employment conditions; UODO enforces GDPR compliance in data processing. Both can investigate the same deployment from different angles simultaneously.
What does the step-by-step compliance process look like?
Compliance with the AI Act for a high-risk recruitment tool follows a defined sequence. The process is not a one-time exercise – it requires ongoing monitoring, periodic review, and documented updates whenever the system changes materially. The full cycle from initial assessment to registration typically takes between 60 and 120 days for a mid-sized organisation.
The first step is a system inventory and risk classification review. Many organisations discover at this stage that they are running tools they did not realise qualified as AI systems under the Act's definition. Any system that infers from its inputs how to generate outputs such as scores, rankings or recommendations that influence HR decisions, whether through machine learning, statistical inference or logic-based reasoning, falls within scope; only tools whose behaviour is fixed entirely by rules written by humans fall outside it. Document each tool, its function, and its decision-making role.
Step two is gap analysis against the high-risk requirements. The core checklist covers:
- Technical documentation covering system architecture, training data, and intended purpose
- Risk management system covering foreseeable risks and mitigation measures
- Data governance procedures for training and validation datasets
- Transparency and information obligations toward candidates
- Human oversight mechanism with the ability to override or halt the system
Step three is the conformity assessment itself. For most recruitment AI tools, self-assessment by the provider under the internal control procedure is permitted by the Act. The provider prepares a technical file, runs the conformity assessment, issues an EU Declaration of Conformity and affixes the CE marking. The provider then registers the system in the EU database before it is placed on the market or put into service. Deployers, that is the employers, should confirm that the declaration and the database entry exist before switching the tool on; a vendor's verbal assurance is not due diligence.
We assisted a manufacturing client in Mazowieckie region (autumn 2025) in completing a gap analysis across four HR automation tools. Two qualified as high-risk; two did not. The two high-risk tools required documentation overhauls before the employer could legally continue using them.
How do GDPR obligations interact with AI Act requirements?
The AI Act does not replace the General Data Protection Regulation (GDPR). Both frameworks apply simultaneously to AI-driven recruitment tools, and they overlap in ways that create compliance complexity. Understanding where the two regimes converge – and where they diverge – is essential before deploying any HR AI system in Poland.
Under GDPR, a decision based solely on automated processing that produces legal or similarly significant effects is permitted only where it is necessary for entering into or performing a contract, authorised by law, or based on the candidate's explicit consent. Candidates must be informed, and they have the right to obtain human intervention, to express their point of view and to contest the decision. These obligations apply independently of the AI Act classification. A tool that ranks candidates and produces a shortlist reviewed only by an algorithm, with no meaningful human check, likely triggers GDPR's automated decision-making restrictions even if the employer believes a human "signs off" at the end.
The UODO, which enforces GDPR in Poland, has signalled increasing interest in AI-related data processing. Employers should update their privacy notices to describe AI-assisted recruitment. Data protection impact assessments (DPIAs) are mandatory for systematic and large-scale processing of personal data using new technologies – which covers most high-risk AI recruitment tools. A DPIA under GDPR and a risk management system under the AI Act are not the same document, but they should be coordinated. Running them in parallel saves significant time.
For employers transferring candidate data outside the European Economic Area – for example, to a US-based HR platform – additional transfer mechanisms are required. The legal basis for that transfer must be documented before the AI system processes the data. Our guides on data transfer from Poland to the United Kingdom and data transfer from Poland to Switzerland set out the applicable mechanisms in detail.
What are the three main deployment scenarios for Polish employers?
Three business scenarios account for the majority of AI recruitment compliance questions we see in practice. Each has a different risk profile and a different compliance priority. Getting the scenario right at the outset determines which steps matter most and where to concentrate resources.
Scenario one – manufacturing employer, Poland-based hiring. A Silesian manufacturer uses a vendor-supplied tool to screen applications for production and logistics roles. The employer is the deployer. The vendor should have completed the conformity assessment and registered the tool. The employer's obligations are: verify registration, implement the human oversight procedure, train HR staff on override rights, and update candidate-facing privacy notices. Timeline: 30 to 45 days if the vendor's documentation is in order.
Scenario two – IT company, proprietary tool. A Warsaw IT firm builds its own screening algorithm using open-source components. Here the firm is both provider and deployer. It must complete the full conformity assessment, prepare technical documentation, register the system, and maintain the risk management file. This is the most demanding scenario. Budget 90 to 120 days and allocate internal engineering and legal resource in parallel. Putting the tool into service before that process is complete is itself an infringement; finishing the documentation afterwards does not erase the period of non-compliant use.
Scenario three – foreign investor subsidiary. A German parent company rolls out a group-wide talent acquisition platform to its Polish subsidiary. The platform carries the CE marking and the provider has registered it in the EU database. The Polish subsidiary still carries deployer obligations: it must verify the registration, implement local human oversight procedures, inform workers' representatives and affected workers before the system is used at the workplace, comply with Polish employment law requirements (which employment law compliance guidance for Poland addresses in detail), and ensure that candidate-facing communications meet Polish language requirements where applicable. Cross-border deployments that skip local compliance review are the single most common source of enforcement risk we see.
We secured a reversal of a data processing restriction order for an IT client in Lower Silesia (spring 2026) after demonstrating that their proprietary screening tool met all high-risk AI requirements – including documentation and human oversight – before the UODO investigation concluded.
What are the most common compliance mistakes – and how do you avoid them?
Most compliance failures with AI recruitment tools are not deliberate. They follow predictable patterns. Identifying those patterns early is the most efficient way to avoid them. The AI Act's transitional periods do not pause enforcement indefinitely – high-risk AI system obligations under Annex III apply from August 2026, leaving limited time to correct structural gaps.
The first mistake is assuming vendor compliance transfers to the deployer. A vendor's EU Declaration of Conformity covers the provider's obligations. The deployer, the employer, has independent obligations under the Act that no vendor document satisfies: using the system in accordance with the provider's instructions, assigning human oversight to people with the competence, training and authority to intervene, ensuring the input data it controls is relevant to the intended purpose, monitoring the system's operation and reporting serious incidents, keeping the automatically generated logs for at least six months, informing workers' representatives and affected workers before the system is used at the workplace, and informing candidates that they are subject to its decisions. Employers who rely solely on vendor paperwork remain non-compliant even if that paperwork is perfect.
The second mistake is treating the DPIA and the AI Act risk management file as the same document. They serve different legal purposes, are assessed by different authorities, and require different content. Running one process and assuming it covers both is a documentation gap that both UODO and the market surveillance authority can exploit in an investigation.
The third mistake is failing to update candidate-facing information. Under the AI Act, deployers must inform natural persons that they are subject to a high-risk AI system; under GDPR, candidates must be told what the system does and how they can obtain human intervention. Many employers update their internal policies but forget to revise job application forms, career portals, and offer letters. That omission is visible to any regulator reviewing the process and carries its own GDPR exposure.
The fourth mistake is delayed registration. The EU database registration must be in place before the system is placed on the market or put into service. Organisations that deploy first and register later have already infringed the Act. Subsequent registration brings the system into compliance going forward but does not undo the earlier period of non-compliant use, which enforcement can still act on.
Frequently asked questions
Q: Does the AI Act apply to recruitment tools already in use before August 2026?
A: Not automatically. The obligations for high-risk AI systems under Annex III apply from 2 August 2026, but the Act's transitional rule (Article 111(2)) applies them to systems placed on the market or put into service before that date only once those systems undergo a significant change in design. A recruitment tool running unchanged since before August 2026 is therefore not caught on that date. In practice this is a fragile position: vendor platforms are updated continuously, a retrained model or a new scoring feature could count as such a change, and the GDPR obligations described above apply to the tool from day one regardless. A gap analysis conducted now allows an organisation to identify the remediation work and sequence it before the tool crosses that line, rather than facing an enforcement action after it.
Q: How long does the conformity assessment take, and what does it cost?
A: For a vendor-supplied tool where the provider has already completed self-assessment, the deployer's verification process typically takes 20 to 40 days. For an in-house tool requiring a full provider-level assessment, budget 90 to 120 days and legal and technical fees in the range of EUR 15,000 to EUR 50,000 depending on system complexity. The most common misconception is that self-assessment is a short form-filling exercise – it requires substantive technical documentation and a defensible risk management file, not a checklist signature.
Q: Can a small employer use an AI screening tool without full compliance if the process is not fully automated?
A: Size of employer does not affect the classification of the AI system. A tool that materially influences candidate selection qualifies as high-risk regardless of company size. Partial human involvement reduces GDPR automated decision-making risk but does not remove AI Act obligations. The human oversight requirement under the Act must be genuine – a manager who rubber-stamps AI output without independent review does not satisfy the standard. Employers of all sizes deploying high-risk AI tools must comply in full.
What to prepare before deploying an AI recruitment tool
- Inventory of all AI-assisted HR tools and their decision-making roles
- Vendor conformity documentation and EU database registration number
- DPIA completed and coordinated with the AI Act risk management file
- Human oversight procedure documented and communicated to HR staff
- Updated candidate privacy notices describing AI use and review rights
Deploying without this preparation forfeits the ability to demonstrate compliance from day one. Enforcement bodies look at whether the system was compliant when it was put into service, not only at the state of the paperwork when the investigation starts.
Every organisation's AI recruitment setup is specific. The risk profile of a proprietary algorithm differs from that of a licensed platform, and the gap between current practice and legal compliance is rarely obvious without a structured review. Waiting until August 2026 to begin that review leaves no margin for the documentation work, vendor negotiations, and staff training that a compliant deployment requires.
To receive an expert assessment of your AI recruitment tool compliance position, contact info@kordeckipartners.com. Our team will map your current tools against AI Act and GDPR requirements, identify the gaps, and structure a remediation timeline that fits your hiring calendar.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP, and technology compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.