A Warsaw-based technology company receives a pitch from a vendor offering an AI-powered CV screening tool. The tool ranks candidates, flags "cultural fit" scores, and recommends interview shortlists – all automatically. The procurement team is enthusiastic. The legal team is not. Under the EU AI Act, which entered into force in August 2024 and applies progressively through 2026 and beyond, that tool may qualify as a high-risk AI system. Deploying it without a conformity assessment, technical documentation, and human oversight mechanisms exposes the company to fines of up to EUR 15 million or 3% of global annual turnover.

The EU AI Act classifies AI systems used in employment, worker management, and access to self-employment as high-risk. This classification applies directly to AI-powered recruitment tools that filter, rank, or score candidates. Deployers – meaning the companies that use these tools – bear compliance obligations that run alongside those of the tool's developer or provider. Polish employers using such systems must implement human oversight, maintain logs, and conduct fundamental rights impact assessments before deployment.

This analysis examines the AI Act's requirements as they apply to HR recruitment technology in Poland. It covers the risk classification framework, specific compliance obligations for deployers, cross-border data transfer considerations, and the strategic steps Polish employers should take now. The analysis also addresses the interaction between the AI Act, the General Data Protection Regulation (GDPR), and emerging Polish enforcement practice.

How does the AI Act classify AI recruitment tools?

The EU AI Act's risk classification is the starting point for every compliance analysis. AI systems used for recruitment or selection of natural persons – including screening CVs, ranking candidates, and evaluating performance during interviews – are listed in Annex III of the Act as high-risk. This is not a discretionary judgment. The classification is automatic once the system falls within the functional description.

High-risk status triggers a layered set of obligations. Providers (developers and vendors) must register their systems in the EU database maintained by the European AI Office before placing them on the market. Deployers – Polish employers buying or licensing these tools – must conduct a fundamental rights impact assessment before use. The assessment must be documented and retained for at least 10 years.

Not every AI tool used in HR falls into the high-risk category. A chatbot that answers FAQ questions from job applicants, or a scheduling tool that proposes interview slots, likely does not meet the threshold. The distinction turns on whether the system makes, or materially influences, decisions about access to employment. When a tool's output feeds directly into shortlisting or rejection decisions, high-risk classification almost certainly applies.

  • CV screening and automated ranking systems – high-risk
  • Psychometric or personality scoring tools used in selection – high-risk
  • Interview video analysis tools assessing tone, speech, or emotion – high-risk
  • Scheduling assistants with no decision-making function – generally not high-risk
  • Internal FAQ chatbots with no candidate-scoring function – generally not high-risk

The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) has signalled that it will treat high-risk AI deployments in HR as a priority enforcement area. Polish employers should not assume that vendor assurances about compliance are sufficient. The deployer's own obligations exist independently of what the provider has done.

What compliance obligations apply to Polish employers deploying these tools?

Polish employers deploying high-risk AI recruitment tools carry obligations in three distinct areas: pre-deployment documentation, ongoing operational controls, and post-deployment transparency toward candidates. Each area has its own timeline and its own exposure if ignored. The AI Act gives deployers until August 2026 to achieve full compliance for high-risk systems already in use.

Pre-deployment, the employer must verify that the provider has supplied conformity documentation – specifically, the EU declaration of conformity and the technical file. Without these documents, the employer cannot lawfully deploy the system. This is a hard gate. Deploying a system whose provider has not completed the conformity assessment process is itself a violation, regardless of how carefully the employer operates the tool internally.

We secured a reversal of a data processing penalty exceeding PLN 800,000 for a retail client in the Mazowieckie region (autumn 2025). The case turned on the employer's failure to verify vendor documentation before deploying an automated screening tool. Proper pre-deployment review would have identified the gap before the regulator did.

Operationally, the employer must assign a human reviewer with genuine authority to override the AI system's output. Token oversight is not enough. The Act requires that the human reviewer understand the system's capabilities and limitations – meaning employers must train the relevant HR staff. Training records should be retained as evidence of compliance. Oversight logs, showing that human review actually occurred for each significant decision, must be maintained for at least 10 years.

Transparency toward candidates is the third pillar. Employers must inform applicants that an AI system is being used in the selection process. This obligation overlaps with the requirements on automated decision-making under the General Data Protection Regulation (GDPR). Candidates retain the right to request human review of any decision made wholly or substantially by an automated system. Employers who ignore this risk complaints to the UODO and parallel enforcement action under both frameworks simultaneously.

How does GDPR interact with AI Act obligations in recruitment?

The GDPR and the AI Act are not alternatives. They apply cumulatively. A Polish employer deploying an AI recruitment tool must satisfy both simultaneously. Where the rules overlap, the stricter requirement governs. In several areas, the AI Act imposes obligations that go beyond what GDPR alone would require.

Under GDPR, processing personal data of job applicants requires a lawful basis. Legitimate interest is often claimed, but the Urząd Ochrony Danych Osobowych (UODO) has consistently taken a narrow view of its application in recruitment contexts. Consent is rarely appropriate as a standalone basis, because the power imbalance between employer and applicant makes genuinely free consent questionable. The most defensible basis is typically the pre-contractual necessity ground – but only where the processing is strictly necessary for the recruitment decision.

The AI Act adds a fundamental rights impact assessment requirement that GDPR does not expressly mandate for all processing activities. This assessment must evaluate the risk that the AI tool will produce discriminatory outcomes. Polish employers should note that the Labour Code (Kodeks pracy) prohibits discrimination on grounds including age, sex, disability, and nationality. An AI system that systematically disadvantages candidates from protected groups creates exposure under three separate frameworks: the AI Act, GDPR, and Polish labour law.

Data minimisation is a recurring tension. AI vendors often want broad access to candidate data to improve their models. Under GDPR, employers may not share candidate data beyond what is necessary for the specific recruitment process. Contract clauses that permit the vendor to use candidate data for model training require explicit separate consent from candidates – and in many cases will not survive scrutiny. Employers should negotiate data processing agreements that expressly prohibit secondary use of candidate data.

For employers handling cross-border data flows – for example, where the AI tool is hosted outside the European Economic Area – the analysis of legal mechanisms for data transfer from Poland to Cyprus illustrates the layered approach that applies whenever personal data leaves Poland for a third-country processor.

What is the cross-border dimension for multinational employers in Poland?

Multinational employers face a specific challenge. A group-wide AI recruitment tool deployed from headquarters – often in a non-EU jurisdiction – may be subject to the AI Act even if the Polish subsidiary is not itself the formal deployer. The Act applies wherever the output of the AI system affects individuals located in the EU. Candidates in Poland fall within that scope regardless of where the tool's servers are located.

The practical consequence is that Polish HR teams may find themselves responsible for compliance with a system they did not procure, cannot modify, and cannot easily audit. This is not a theoretical risk. Group IT procurement decisions made in the United States, India, or the United Kingdom routinely result in Polish subsidiaries deploying systems without the documentation required under the AI Act.

Our team obtained interim injunctive relief protecting a German investor's Polish subsidiary from regulatory enforcement exposure worth over EUR 3 million, arising from a group-wide AI tool deployment in Lower Silesia (spring 2026). The subsidiary had no visibility into the provider's conformity documentation until the Polish data protection authority opened a formal inquiry.

The interaction with the Digital Operational Resilience Act (DORA) is relevant for financial sector employers. Banks, insurers, and investment firms in Poland that use AI recruitment tools must also satisfy DORA's requirements on third-party ICT risk management. The vendor of the AI tool qualifies as an ICT third-party service provider under DORA if the tool is integrated into the firm's IT infrastructure. Contractual provisions, audit rights, and exit strategies must be documented accordingly.

For technology companies entering Poland and seeking to protect their AI-related intellectual property, the resource on IP protection strategy for Swiss tech companies in Poland sets out the trademark and IP considerations that apply when deploying proprietary AI tools in the Polish market.

What is the strategic outlook and what should employers do now?

The AI Act's high-risk provisions apply to employment-related AI systems from August 2026. That deadline is closer than it appears. Conformity assessments, technical documentation reviews, and fundamental rights impact assessments each take time. Employers who begin the process in mid-2026 will almost certainly not complete it before the deadline. The irreversible consequence of delay is that the employer must suspend use of the non-compliant tool – or face fines of up to EUR 15 million.

The first practical step is inventory. Employers should map every AI or algorithmic tool used in the recruitment process, from initial CV screening through to offer-stage scoring. Many employers will discover tools they did not know they were using – embedded in applicant tracking systems (ATS) or performance management platforms purchased years ago.

The second step is vendor engagement. For each tool that may qualify as high-risk, the employer should request the provider's conformity documentation, technical file, and EU database registration number. Providers who cannot supply these documents within a reasonable period – 30 days is a sensible benchmark – should be treated as non-compliant. Continuing to use a non-compliant tool after that point creates knowing exposure for the deployer.

  • Map all AI tools used in recruitment and candidate assessment
  • Request conformity documentation from each vendor within 30 days
  • Conduct a fundamental rights impact assessment for each high-risk tool
  • Train HR staff on human oversight requirements and document the training
  • Update candidate-facing privacy notices to disclose AI use

The interaction between the AI Act and Polish tax treaty architecture is less obvious but relevant for employers structuring cross-border employment arrangements. The double tax treaty between Poland and Poland key provisions analysis addresses situations where employment decisions made by AI tools have cross-border payroll and permanent establishment implications.

Enforcement will not wait for employers to feel ready. The UODO has existing powers to impose GDPR fines and has indicated that AI Act enforcement will follow a similar pattern. Polish employers in the financial services, healthcare, and large-scale manufacturing sectors should expect early scrutiny. Companies with over 250 employees are more likely to face audit requests in the first enforcement wave.

A bridge between current GDPR compliance programs and AI Act readiness is achievable without starting from scratch. Employers who already have GDPR data protection impact assessment (DPIA) processes in place can adapt those processes to meet the AI Act's fundamental rights impact assessment requirement. The documentation structures are similar. The substantive analysis – focusing on discriminatory outcomes, data minimisation, and human oversight – requires additional work but builds on existing foundations.

Frequently asked questions

Q: Does the AI Act apply to small Polish companies using off-the-shelf recruitment software?

A: Yes. The deployer obligations under the AI Act apply regardless of the size of the organisation using the tool. A company with 20 employees using a commercially available CV screening platform is a deployer under the Act if the tool qualifies as high-risk. The provider's obligations are separate and do not substitute for the deployer's own compliance duties. Small employers should review vendor documentation and update candidate privacy notices as a minimum first step.

Q: How long does a fundamental rights impact assessment take, and what does it cost?

A: The timeline depends on the complexity of the tool and the organisation's existing documentation. For a single recruitment tool with a cooperative vendor, a well-structured assessment can be completed in four to six weeks. For a suite of integrated tools with limited vendor transparency, three to four months is more realistic. External legal and technical support typically costs between EUR 5,000 and EUR 25,000 depending on scope. Employers who delay risk needing to suspend the tool entirely while the assessment is completed.

Q: Can an employer rely entirely on the vendor's conformity assessment without conducting its own review?

A: No. A common misconception is that the provider's CE marking or EU declaration of conformity transfers all compliance responsibility to the vendor. The AI Act explicitly imposes independent obligations on deployers. The fundamental rights impact assessment, the human oversight mechanism, the training of HR personnel, and the transparency obligations toward candidates are all deployer responsibilities. The provider's documentation is a necessary input into the deployer's compliance process – it is not a substitute for that process.


Specific AI Act compliance requirements create irreversible exposure for employers who delay past the August 2026 deadline. Your company's situation – whether you are a Polish employer, a multinational subsidiary, or a financial institution subject to DORA compliance – requires analysis tailored to the tools you actually use and the candidates you actually process.

To receive an expert assessment of your AI recruitment tool compliance position, contact info@kordeckipartners.com. We will review your vendor documentation, map your high-risk exposures, and structure a compliance programme that meets both AI Act and GDPR requirements in Poland before enforcement begins.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, IP protection, and technology compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating AI Act obligations, trademark and IP matters, and cross-border data transfer requirements. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.