A Warsaw-based technology company deploys an automated CV-screening platform to shortlist candidates for 200 open roles. The system scores applicants, filters out profiles below a threshold, and routes selected candidates to human reviewers. The company's legal team assumes the tool is simply a productivity aid. It is not. Under the EU AI Act, that system is almost certainly a high-risk AI application – and the compliance clock is already running.

The EU AI Act classifies AI systems used in recruitment, candidate screening, and employment decisions as high-risk applications. This classification triggers a defined set of obligations: conformity assessments, technical documentation, human oversight mechanisms, and registration in the EU database before deployment. In Poland, the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) and the national AI supervisory authority share enforcement jurisdiction, with fines reaching EUR 30 million or 6% of global annual turnover for the most serious breaches.

This page maps the full compliance picture for organisations using AI-driven HR and recruitment tools in Poland. It covers the regulatory framework, the high-risk classification criteria, practical documentation requirements, cross-border considerations, and a self-assessment checklist for in-house teams. Each section identifies where complexity concentrates – and where the cost of inaction becomes irreversible.

What makes an AI recruitment tool "high-risk" under the AI Act?

The answer matters immediately. Misclassifying a system as low-risk when it meets the high-risk criteria forfeits the right to a simplified compliance path and exposes the deploying company to enforcement action without warning. The AI Act identifies AI systems used for recruitment, selection of natural persons, and evaluation of persons during employment or promotion as high-risk by definition. A system does not need to make final decisions autonomously – it is sufficient that it materially influences human decision-making.

Three conditions trigger the high-risk label. First, the system processes personal data to assess, filter, or rank candidates. Second, its output directly affects whether a person advances in a hiring process. Third, it operates in a context where the affected person has limited ability to contest the outcome. CV-screening tools, automated video-interview analysers, psychometric scoring platforms, and skills-matching engines all satisfy at least two of these conditions in most deployments.

Polish employers interact with this classification through two overlapping regimes. The AI Act itself sets the product-safety-style obligations. The General Data Protection Regulation (GDPR), enforced in Poland by the UODO, adds separate requirements for automated decision-making that produces legal or similarly significant effects. Where a recruitment AI produces a binding shortlist, both regimes apply simultaneously – and their timelines differ.

Tools that typically satisfy these conditions include:

  • Automated CV screening with threshold-based filtering
  • Video interview analysis scoring facial expressions or speech patterns
  • Psychometric or cognitive testing platforms with algorithmic ranking
  • Skills-gap assessors integrated into applicant tracking systems
  • Chatbot pre-screening tools that eliminate candidates before human review

The practical consequence is significant. A company that deploys any of these tools without completing a conformity assessment before going live is already in breach. The AI Act does not provide a grace period once the system is in use. Remediation after deployment is possible but costly – and it does not extinguish liability for the period of non-compliant operation.

What are the core compliance obligations for high-risk HR systems?

High-risk AI systems used in HR must satisfy six categories of obligation before deployment. These obligations apply to both providers (developers placing the system on the EU market) and deployers (employers using the system). Polish employers who purchase off-the-shelf recruitment AI from a third-party vendor are deployers – not providers – but deployer obligations are substantial and non-delegable.

Technical documentation is the foundation. Providers must maintain a technical file describing the system's purpose, architecture, training data, performance metrics, and known limitations. This file must be available to the national supervisory authority on request. Deployers must obtain and retain this documentation from their vendors. Contracts that do not require vendors to supply it leave the deployer exposed. We reviewed vendor agreements for a manufacturing client in the Mazowieckie region (autumn 2025) and found that fewer than half included documentation access clauses – a gap we remediated before the client's system went live.

Human oversight is the second pillar. The AI Act requires that high-risk systems be designed and used in ways that allow natural persons to effectively oversee, intervene in, and override outputs. For recruitment tools, this means the HR professional reviewing an AI-generated shortlist must be genuinely empowered to override the system's ranking. A process where the human reviewer rubber-stamps AI outputs without independent assessment fails this standard.

Deployer obligations that must be in place before go-live:

  • Conformity assessment completed and documented before deployment
  • Technical file obtained from vendor and retained on file
  • Human oversight procedure documented and tested
  • System registered in the EU AI database prior to go-live
  • Post-market monitoring plan in place from day one

Registration in the EU AI database is a hard deadline. High-risk systems in the employment category must be registered before they are put into service. The registration process requires a system description, the provider's identity, the intended purpose, and a declaration of conformity. Failure to register precludes lawful deployment – not merely triggers a fine. That distinction is operationally important: an unregistered system cannot be lawfully used, regardless of how well it performs technically.

For a tailored assessment of your recruitment AI's compliance status, reach out to info@kordeckipartners.com.

How does GDPR interact with AI Act obligations in Polish recruitment?

The GDPR and the AI Act are complementary regimes with different enforcement teeth. Understanding where they overlap – and where they diverge – is essential for any Polish employer using algorithmic hiring tools. The UODO enforces GDPR in Poland. The AI Act supervisory authority is being designated separately. Both can act on the same factual situation, and there is no double-jeopardy protection that prevents parallel investigations.

Under GDPR, candidates have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Recruitment decisions almost always qualify. This right is not absolute – it can be displaced by contractual necessity, explicit consent, or a specific legal basis. But each of these bases carries conditions. Consent in a recruitment context is rarely freely given (the power imbalance between applicant and employer undermines voluntariness), making it a weak legal basis. Contractual necessity requires that the automated processing be strictly necessary – not merely convenient.

The AI Act adds a transparency layer that GDPR does not fully replicate. Deployers of high-risk HR systems must inform workers and candidates that they are subject to AI-assisted assessment. This notification must be meaningful – not buried in a privacy policy. It must explain the system's purpose and the candidate's rights. Polish labour law, under the Kodeks pracy (Labour Code), also requires employers to inform employees about the introduction of monitoring systems, including digital monitoring. AI-driven performance assessment likely falls within this obligation.

Cross-referencing these regimes produces a compliance matrix that most Polish employers have not yet mapped. Data minimisation under GDPR conflicts with the AI Act's requirement for broad training data. Retention limits under GDPR conflict with the AI Act's post-market monitoring obligations. Resolving these tensions requires a documented legal basis analysis – not a generic privacy notice update. For context on international data flows that arise when recruitment AI vendors process data outside Poland, see our analysis "Data transfer from Poland to the United Kingdom: legal mechanisms".

What are the practical pitfalls for Polish employers deploying recruitment AI?

The gap between legal theory and operational reality is wide. Most Polish employers who have deployed recruitment AI tools did so before the AI Act's high-risk obligations became directly applicable. They now face a remediation task that is more complex – and more expensive – than a greenfield compliance project. Three pitfalls account for the majority of compliance failures we see in practice.

The first pitfall is vendor reliance without contractual protection. Many Polish companies purchase recruitment AI as a Software-as-a-Service (SaaS) product from providers based in the United States, Israel, or the United Kingdom. The AI Act obligations do not disappear because the provider is outside the EU. The deployer remains responsible for ensuring that the system meets AI Act standards. Without contractual clauses requiring the vendor to supply technical documentation, maintain the EU AI database registration, and notify the deployer of material changes to the system, the deployer carries full compliance risk with no contractual remedy.

The second pitfall is confusing a Data Protection Impact Assessment (DPIA) under GDPR with a conformity assessment under the AI Act. These are different instruments with different purposes. A DPIA analyses privacy risks. A conformity assessment verifies that the AI system meets the AI Act's technical and organisational requirements. Companies that have completed a DPIA for their recruitment AI have addressed one regime – not both. We secured a compliance gap analysis for a logistics client in Silesia (spring 2026) that revealed three unaddressed AI Act obligations despite a recently completed DPIA.

The third pitfall is inadequate candidate communication. The AI Act's transparency obligation requires proactive disclosure. Candidates must be told that AI is used in their assessment before that assessment occurs. A disclosure buried in application terms and conditions, visible only after submission, does not satisfy this standard. The disclosure must be prominent, specific, and timed to allow the candidate to make an informed decision about proceeding.

Organisations that have structured their IP and technology compliance across jurisdictions will recognise parallels with the approach described in our guide "IP protection strategy for Switzerland tech companies in Poland". The principle is the same: compliance architecture must be built into procurement and deployment, not retrofitted after the fact.

How should cross-border employers structure AI Act compliance for Polish operations?

Poland is the largest labour market in Central and Eastern Europe. Many multinational employers run centralised HR platforms that serve Polish employees and candidates alongside those in Germany, France, or the Netherlands. The AI Act applies at the point of deployment – not at the point of development. A system deployed to Polish candidates must meet AI Act requirements regardless of where it was built or where its servers are located.

The practical implication is that group-wide compliance programmes designed around one EU jurisdiction may not transfer cleanly to Poland. Polish labour law imposes works council consultation obligations before introducing monitoring or assessment systems. The Kodeks pracy (Labour Code) requires employers to consult employee representatives when implementing new control mechanisms. AI-driven recruitment tools deployed to assess existing employees (for promotion, redeployment, or redundancy selection) almost certainly trigger this consultation requirement. A 30-day consultation period is standard – failure to observe it voids the implementation.

Foreign investors entering Poland through acquisition of an existing business face an additional layer. The acquired entity may already be using recruitment AI tools under contracts that predate the AI Act. Post-acquisition, the new owner inherits the compliance obligations. Due diligence for HR technology assets is now a standard component of Polish M&A transactions. For context on structuring Polish acquisitions, our analysis "Share deal vs asset deal: choosing the right M&A structure" addresses how liability allocation works in each structure.

Three cross-border scenarios illustrate the range of issues that arise. A German manufacturing group running a group-wide applicant tracking system must register the system in the EU AI database with a Polish-language description of its deployment in Poland. A US-headquartered tech company using a US-based recruitment AI vendor must ensure its data processing agreement includes AI Act compliance warranties – not merely GDPR standard contractual clauses. A Ukrainian-owned business scaling in Poland must navigate both Polish labour law consultation requirements and the AI Act's conformity assessment process, often simultaneously.

Specific advice on your cross-border compliance structure is available from info@kordeckipartners.com.

Self-assessment checklist: what should Polish employers prepare?

The checklist below is a practical starting point. It does not replace a legal assessment. It identifies the minimum set of questions that in-house teams and HR directors should be able to answer before deploying or continuing to use AI-assisted recruitment tools. Any "no" answer signals a compliance gap that requires immediate attention.

  • Has the AI system been classified as high-risk or low-risk under the AI Act, with the classification documented?
  • Has a conformity assessment been completed and is the technical documentation file available?
  • Is the system registered in the EU AI database before being put into service?
  • Does the vendor contract require documentation access, change notification, and AI Act compliance warranties?
  • Has a GDPR legal basis analysis been completed specifically for automated candidate assessment?

The timeline for remediation is shorter than most organisations assume. The AI Act's high-risk obligations for employment AI became applicable in August 2026. Systems already in use before that date are not grandfathered. Post-market monitoring must begin from the first day of compliant operation. Each month of non-compliant operation is a separate period of exposure – and enforcement authorities in Poland have signalled that HR technology is an early enforcement priority.

The decision matrix for in-house teams is straightforward in principle. If the system screens or ranks candidates: high-risk, full obligations. If the system merely schedules interviews without assessment: likely low-risk, general obligations only. If the system analyses interview responses, facial expressions, or psychometric data: high-risk, full obligations plus enhanced GDPR scrutiny. The difficulty lies in characterising what the system actually does – not what the vendor's marketing materials say it does. Vendor descriptions routinely understate analytical functions to avoid the high-risk label.

DORA compliance, though primarily directed at financial sector entities, also intersects with AI-driven HR tools in banks and investment firms. Systems used to assess candidates for regulated roles must satisfy both AI Act and DORA requirements for ICT risk management. Trademark and IP considerations arise where employers develop proprietary recruitment AI internally – IP lawyers in Warsaw have begun seeing disputes over ownership of training data and model outputs. These intersections are not theoretical. They are live issues in current Polish transactions and disputes.

Frequently asked questions

Q: Does the AI Act apply to Polish employers who use AI recruitment tools purchased from non-EU vendors?

A: Yes. The AI Act applies to any AI system deployed in the EU, regardless of where the provider is based. A Polish employer using a US-based recruitment AI platform is a deployer under the AI Act and must ensure the system meets high-risk requirements before using it. The employer cannot shift this obligation to the vendor by contract – though a well-drafted vendor agreement can create a contractual remedy if the vendor fails to cooperate with compliance obligations.

Q: How long does a conformity assessment for a high-risk recruitment AI typically take, and what does it cost?

A: The timeline depends on the complexity of the system and the availability of technical documentation from the vendor. For a standard off-the-shelf applicant tracking system with AI-scoring functionality, a conformity assessment typically takes 6 to 10 weeks. Costs vary significantly – a straightforward assessment for a single-system deployment may run from PLN 30,000 to PLN 80,000, while a group-wide programme covering multiple jurisdictions will cost considerably more. Starting the process before a system goes live is always cheaper than remediation after deployment.

Q: Is it a misconception that a completed DPIA satisfies the AI Act's requirements for high-risk HR systems?

A: Yes – this is one of the most common misconceptions we encounter. A Data Protection Impact Assessment under GDPR and a conformity assessment under the AI Act are separate instruments with different scopes. A DPIA analyses privacy risks and identifies mitigation measures. A conformity assessment verifies that the AI system meets the AI Act's technical requirements, including accuracy, robustness, and cybersecurity standards. Completing one does not satisfy the other. Both are required for high-risk HR AI systems deployed in Poland.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI Act compliance, IP protection, and technology law. We advise Polish employers, multinational groups, and technology providers on AI governance frameworks, GDPR alignment, and regulatory risk management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.