A Warsaw-based technology company launches an AI-powered screening tool to shortlist candidates for 200 open roles. Within weeks, the tool flags patterns that human reviewers would never have surfaced – and the HR director realises, uncomfortably, that the system may have just violated three separate regulatory frameworks simultaneously. The AI Act, the Ogólne rozporządzenie o ochronie danych (General Data Protection Regulation, GDPR), and Polish labour law all apply at once. The interaction between them is not obvious.

Under the EU AI Act, automated recruitment and HR management tools that influence hiring, promotion, or termination decisions are classified as high-risk AI systems. Providers and deployers of such systems face obligations that include conformity assessments, technical documentation, human oversight mechanisms, and registration in the EU database before deployment. Penalties for non-compliance reach EUR 15 million or 3 percent of global annual turnover, whichever is higher.

This page sets out the compliance architecture for AI-driven HR and recruitment tools operating in Poland. It covers the risk classification logic, the layered obligations under the AI Act and GDPR, the practical pitfalls that catch companies off guard, cross-border considerations for foreign investors, and a self-assessment checklist. The analysis is structured for compliance officers, HR directors, and in-house legal teams who need to act before the high-risk provisions become fully enforceable.

Why do AI recruitment tools fall into the high-risk category?

The AI Act places automated systems used in employment, worker management, and access to self-employment in its high-risk annex. This is not a matter of interpretation. Any tool that sorts CVs, ranks candidates, conducts automated video interviews, monitors employee performance, or assists in termination decisions falls within the regulated perimeter. The classification triggers a full compliance chain – not just a disclosure obligation.

Three elements define whether a tool is captured. First, the system must be AI-based, meaning it uses machine learning, statistical inference, or similar techniques. Second, it must be used in an employment context. Third, it must produce outputs that influence decisions affecting natural persons. A simple keyword filter in an applicant tracking system likely falls outside scope. A neural-network ranking model that scores candidates against a competency profile almost certainly falls within it.

Poland's national supervisory authority – the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) – has issued preliminary guidance confirming that automated scoring of job applicants constitutes high-risk processing under both the AI Act and GDPR simultaneously. The Krajowa Izba Gospodarcza (Polish Chamber of Commerce, KIG) has flagged the compliance gap in its 2025 sectoral reports. Employers who treat AI screening as a purely technical matter – rather than a legal one – are already behind.

The practical consequence is significant. A company that deploys a vendor-supplied recruitment AI without verifying the vendor's conformity assessment forfeits its ability to claim ignorance as a defence. Deployer obligations under the AI Act are independent of provider obligations. Both parties carry liability. The window to establish compliant deployment procedures before enforcement begins is closing.

We reversed a UODO enforcement finding for a financial-sector client in Mazowieckie that had deployed an automated shortlisting tool without a documented human oversight mechanism (autumn 2025). The reversal turned on process documentation, not on the technology itself.

What obligations apply to providers and deployers in Poland?

The AI Act draws a sharp line between providers – those who develop or place AI systems on the market – and deployers – those who use AI systems in their own operations. For HR tools, most Polish companies are deployers. But the compliance burden on deployers is substantial and is frequently underestimated.

Deployers of high-risk AI systems must fulfil at least four categories of obligation. They must implement human oversight measures that allow a natural person to intervene, override, or halt the system. They must monitor the system's operation and report serious incidents to the relevant authority within 15 working days. They must conduct a fundamental rights impact assessment before deployment. And they must inform employees or candidates that they are subject to an AI-assisted decision, in plain language, before the process begins.

  • Designate a responsible person for AI system oversight within the organisation
  • Obtain and review the provider's technical documentation and conformity declaration
  • Conduct a fundamental rights impact assessment before go-live
  • Establish a logging and incident-reporting procedure aligned with the 15-working-day deadline
  • Update candidate-facing privacy notices to reflect AI-assisted processing

GDPR adds a parallel layer. Automated individual decision-making that produces legal or similarly significant effects requires explicit consent or a specific legal basis. Candidates have the right to obtain human review of any automated decision, to contest the outcome, and to receive a meaningful explanation of the logic involved. The Naczelny Sąd Administracyjny (Supreme Administrative Court, NSA) has confirmed that hiring decisions fall within this category.

The interaction between the AI Act and GDPR creates a compliance overlap that cannot be resolved by addressing each framework in isolation. A company that satisfies GDPR's transparency requirements but fails the AI Act's conformity assessment is non-compliant. The reverse is equally true. Integrated documentation – a single compliance file covering both frameworks – is the most efficient approach and the one that survives regulatory scrutiny.

What are the most common compliance pitfalls in HR AI deployment?

Most enforcement risk does not come from deliberate evasion. It comes from structural misunderstandings about where responsibility sits and what documentation is required. Three patterns recur in practice.

The first is vendor reliance without verification. A company purchases an AI recruitment platform from a European SaaS provider. The vendor supplies a CE mark and a conformity declaration. The company files both documents and considers itself compliant. This is wrong. The deployer's obligations – human oversight, impact assessment, incident reporting, candidate notification – are not discharged by the vendor's conformity documentation. They are separate and non-delegable.

The second pitfall is inadequate data governance. AI recruitment tools process sensitive personal data: CVs, assessment scores, interview recordings, and inferred characteristics. Under GDPR, processing on the basis of legitimate interest is difficult to justify for automated scoring. Consent is often the only viable legal basis – and consent must be freely given, specific, and withdrawable without consequence. Many candidate consent mechanisms currently in use do not meet this standard.

For a cross-border reference, our guide on data transfer from Poland to Cyprus addresses the mechanisms that apply when candidate data flows outside the EEA – a frequent issue for multinationals using US-hosted recruitment platforms.

The third pitfall is the absence of a human oversight record. The AI Act requires that human oversight be real, not nominal. A checkbox confirming that a human "reviewed" an AI ranking does not satisfy the requirement if the reviewer had no practical ability to interrogate the model's reasoning. Regulators will look at the process, not the label. Companies that cannot demonstrate a genuine human decision point in their hiring workflow face the highest enforcement exposure.

We obtained a suspension of a UODO investigation for an IT-sector client in Małopolska whose automated video-interview scoring system lacked any documented override procedure (spring 2026). The suspension was conditional on implementing a compliant oversight framework within 60 days.

How does cross-border deployment affect compliance obligations?

For foreign investors operating in Poland – whether through a branch, a subsidiary, or a remote-work arrangement – the compliance picture is more complex. The AI Act applies to any AI system deployed within the EU, regardless of where the provider is established. A German parent company that deploys a US-built recruitment AI for its Polish subsidiary is subject to Polish and EU regulatory oversight.

The deployer is always the entity that uses the system in a specific operational context. If the Polish subsidiary makes hiring decisions using a group-wide AI tool, the Polish entity carries deployer obligations. It cannot route those obligations to the parent. This has direct consequences for corporate liability allocation in group structures – and for indemnity provisions in intercompany service agreements.

DORA compliance, while primarily directed at financial-sector entities, provides a useful structural analogy. Under DORA, ICT risk management obligations cannot be contractually transferred to a third-party provider. The same logic applies to AI Act deployer obligations. Our analysis of AML compliance obligations for Polish companies illustrates how layered regulatory frameworks interact in practice – the pattern is directly relevant to AI Act deployment planning.

Language and notification obligations add a further layer. Candidate-facing disclosures must be provided in a language the candidate understands. For multinationals recruiting in Poland, this means Polish-language AI disclosure notices are mandatory, not optional. A generic English-language privacy policy does not satisfy the requirement.

Transfer of candidate data to non-EEA jurisdictions – for example, to a US-based parent's applicant tracking system – requires a valid transfer mechanism under GDPR Chapter V. Standard contractual clauses remain the most common instrument, but they must be supplemented by a transfer impact assessment where the destination country does not provide adequate protection. Many multinational HR platforms currently in use have not been reviewed for post-Schrems II compliance.

What does a compliant AI recruitment framework look like in practice?

Building a compliant framework is not a one-time project. It is an ongoing governance structure. The architecture has four components: pre-deployment assessment, operational controls, documentation, and periodic review.

Pre-deployment assessment begins with risk classification. Not every AI tool used in HR is high-risk. A chatbot that answers candidate FAQs is unlikely to be classified as high-risk. A system that ranks candidates against a competency model and produces a shortlist that HR follows in 90 percent of cases almost certainly is. Classification determines the compliance pathway. Getting it wrong in either direction is costly – under-compliance triggers enforcement; over-compliance wastes resources.

Operational controls centre on human oversight. The oversight mechanism must be designed so that the human reviewer has access to the model's inputs, outputs, and confidence levels. A reviewer who sees only the ranked list – without the underlying scores or the variables driving them – cannot exercise meaningful oversight. The AI Act requires explainability as a precondition for genuine human control.

Documentation requirements are specific. The compliance file should include: the fundamental rights impact assessment, the data protection impact assessment (required under GDPR where processing is high-risk), the technical documentation obtained from the provider, the human oversight protocol, the incident-reporting procedure, and records of all candidate notifications. This file must be available to supervisory authorities on request. A 72-hour response window is the working assumption for regulatory inquiries.

For a detailed treatment of the high-risk classification framework and the sectors most affected, our analysis at AI Act high-risk classification: affected sectors and systems provides the doctrinal foundation for the compliance decisions described here.

Periodic review is required because AI systems drift. A model trained on historical hiring data will reflect the biases embedded in that data. Periodic audits – at minimum annually, and after any significant change to the model or its deployment context – are necessary to maintain compliance. The audit should cover both technical performance and fundamental rights impact.

Self-assessment checklist and next steps

Compliance with the AI Act in the HR context is achievable. But it requires deliberate planning, cross-functional coordination between legal, HR, and IT, and a documentation discipline that most organisations have not yet developed. The following checklist identifies the minimum preparatory steps for any company deploying AI in recruitment or workforce management in Poland.

What to prepare before deploying an AI recruitment tool:

  • Classify the tool: confirm whether it meets the three-element high-risk test (AI-based, employment context, decision influence)
  • Obtain and review the provider's conformity assessment, technical documentation, and EU database registration number
  • Complete a fundamental rights impact assessment and a GDPR data protection impact assessment
  • Design and document a human oversight mechanism that gives reviewers access to model inputs, outputs, and scoring logic
  • Update candidate-facing privacy notices in Polish to disclose AI-assisted processing and explain the right to human review

Three business scenarios illustrate the range of situations companies face. A Polish manufacturing company using a global ATS with AI ranking features is a deployer of a high-risk system and must complete all deployer obligations regardless of the vendor's compliance status. An IT company building a bespoke internal recruitment AI is both provider and deployer – the full provider conformity pathway applies. A foreign investor establishing a Polish subsidiary and inheriting the group's AI HR platform must allocate deployer obligations to the Polish entity and ensure Polish-language candidate disclosures are in place from day one.

The decision matrix is straightforward. If your tool uses AI to influence who gets hired, promoted, or managed – and you operate in Poland – the high-risk framework applies. The compliance timeline is not open-ended. High-risk AI provisions are enforceable now for new systems and will apply to legacy systems on a rolling basis through 2026. Companies that have not begun their compliance review are already operating in a gap that regulators will eventually close.

Specific compliance gaps in your company's AI recruitment framework carry irreversible consequences – a UODO enforcement order can require suspension of the tool, deletion of processed data, and public disclosure of the finding. Acting before an investigation begins is materially less expensive than responding to one.

To receive an expert assessment of your AI recruitment tool's compliance status under the AI Act and GDPR, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the AI Act apply to recruitment tools already deployed before the regulation came into force?

A: Yes, with a transitional period. Systems placed on the market before the high-risk provisions became applicable have a grace period, but that period ends on a rolling schedule through 2026. Companies operating legacy AI recruitment tools must complete their compliance review and remediation before the applicable deadline for their system category. Waiting for enforcement to begin is not a compliant strategy.

Q: How long does a fundamental rights impact assessment typically take, and what does it cost?

A: For a single AI recruitment tool of moderate complexity, a fundamental rights impact assessment typically requires four to eight weeks if the provider's technical documentation is available and complete. Legal and technical advisory costs for a standalone assessment typically fall in the range of EUR 5,000 to EUR 15,000, depending on the complexity of the system and the organisation's existing documentation. Combining the fundamental rights assessment with the GDPR data protection impact assessment reduces total cost and elapsed time.

Q: Can a company rely on its AI vendor's GDPR compliance to satisfy its own obligations?

A: No. This is one of the most common misconceptions in AI Act compliance. The vendor's obligations as a provider – conformity assessment, technical documentation, EU database registration – are separate from the deployer's obligations. A deployer that relies solely on vendor documentation without completing its own impact assessment, oversight design, and candidate notification process is non-compliant. Vendor contracts should include representations about provider obligations, but they do not substitute for deployer compliance.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI Act compliance, technology regulation, and data protection. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating the intersection of AI regulation, GDPR, and employment law. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.