Every AI tool you use in recruitment is about to become a legal liability or a competitive advantage. There is no middle ground. On 2 August 2026, the EU AI Act makes recruitment AI a high-risk category with mandatory compliance obligations. That is not a future event. That is five weeks from now. And it applies on top of the GDPR requirements your agency is already supposed to be meeting. If you record interviews, transcribe conversations, generate candidate summaries, or push AI-generated data into your ATS, both regulations apply to you simultaneously. This article explains what that means in practice, what you need to do, and why the agencies that get this right first will win the business that others lose.
What GDPR Already Requires When You Use AI in Recruitment
The General Data Protection Regulation has been in force since 2018, but many recruitment agencies still treat it as a checkbox rather than an operating principle. When you add AI tools to the interview process, the compliance requirements become significantly more demanding.
Voice recordings from interviews are personal data. Under the GDPR they also become biometric data, and therefore special-category data under Article 9, if they are processed with the specific aim of uniquely identifying a person, for example by voiceprint matching. Plain transcription does not by itself make a recording biometric, but it does not remove the basic obligations either: every recorded interview your team conducts needs a lawful basis for processing, a clear retention policy, and proper security controls. If your AI tool sends recordings to a third-party API for transcription, that third party is a data processor and you need a Data Processing Agreement in place.
Candidates have specific rights under Article 22 of the GDPR when automated processing is involved in decisions that affect them. Article 22 gives them the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on them, and a hiring decision is such a decision. If your AI tool generates a candidate summary, extracts competency signals, or produces any form of structured evaluation, that output cannot be the sole basis for a hiring decision: a recruiter must genuinely review the AI output and exercise independent judgment before any decision is made, and the candidate must be able to request human intervention and contest the outcome.
This is where many agencies unknowingly fall short. A recruiter who glances at an AI-generated summary and forwards it to a client without adding their own assessment is not exercising meaningful oversight. That is rubber-stamping an automated decision, and it creates GDPR exposure.
There are several practical requirements that every recruitment agency using AI tools should have in place right now.
- Candidate consent must be obtained before recording begins, with clear language about what the AI tool does with their data
- A Data Processing Agreement must exist with every AI vendor that touches candidate data
- Retention periods must be defined and enforced. Interview recordings and transcripts should not sit on servers indefinitely
- Candidates must be able to exercise their right to erasure under Article 17. If a candidate asks for their data to be deleted, your systems need to be able to do that completely
- Your privacy notice must explain that AI is used in the recruitment process, what it does, and how candidate data is handled
The agencies that treat these as operational requirements rather than legal afterthoughts are the ones that avoid the fines. Cumulative GDPR fines have exceeded 6.8 billion euros since 2018, with 193 penalties issued in the employment sector specifically. A UK-based recruitment agency was fined 150,000 euros after failing to locate and delete a candidate’s data when requested. The mistakes that generate penalties are almost always operational, not intentional.
What the EU AI Act Changes for Recruitment Agencies
The GDPR regulates what data you collect and how you process it. The EU AI Act regulates the decisions your tools make with that data. Both apply at the same time. GDPR compliance does not satisfy the AI Act, and AI Act compliance does not satisfy the GDPR. They are parallel obligations.
Under the EU AI Act, AI systems used in recruitment and selection are classified as high-risk under Annex III. That covers CV screening, candidate matching, interview analysis, candidate evaluation, and any AI that influences hiring decisions. Starting 2 August 2026, deployers of these systems must meet a full set of compliance obligations.
The critical word here is “deployer.” If your agency selects, configures, or relies on an AI tool to inform hiring decisions, you are a deployer under the Act. It does not matter whether you built the technology. It does not matter if your vendor tells you compliance is their responsibility. You cannot pass your compliance obligations to a technology partner. The Act assigns obligations to both providers (vendors who build the systems) and deployers (businesses that use them).
The Act also has extraterritorial reach. If the output of your AI system is used in the EU, the regulation applies regardless of where your company is headquartered or where the technology is hosted. A staffing agency in London screening candidates for a role in Amsterdam is within scope.
Here is what the EU AI Act requires from deployers of high-risk recruitment AI.
- Human oversight must be meaningful, not a formality. The person making the hiring decision must genuinely review the AI output, understand what the system assessed and how, and exercise independent judgment. A recruiter who simply forwards an AI-generated shortlist without reviewing the underlying evidence does not satisfy this requirement
- Transparency is mandatory. Candidates and workers must be informed before a high-risk AI system is deployed in the hiring process. They have the right to know that AI is being used, how it functions, and what role it plays in decisions that affect them
- Impact assessments must be completed before first use. The AI Act's fundamental rights impact assessment (Article 27) is mandatory only for public bodies, private entities providing public services, and deployers of credit-scoring and insurance-pricing systems, so most private agencies are not required to perform one. Under the GDPR, however, profiling candidates with a high-risk AI system is exactly the kind of processing that ordinarily triggers a Data Protection Impact Assessment under Article 35, so in practice an assessment is needed either way
- Data quality and bias monitoring are operational requirements. If you exercise control over the input data fed into your AI tools, you must ensure that data is relevant and representative. Candidate pools skewed by geography, language, or existing network effects create bias risk that falls on you
- Logs must be kept for at least six months. Combined with the requirement to monitor system performance on an ongoing basis, this creates an infrastructure need that many agencies have not yet planned for
- AI literacy among staff is already a requirement. Everyone involved in operating or using AI systems must receive adequate training. This obligation became effective in February 2025
There is a provision in Article 6(3) that exempts certain narrow procedural AI tasks from the high-risk classification. A tool that sorts incoming documents or flags duplicates might qualify. But this exemption explicitly does not apply if the AI system involves profiling under GDPR Article 4(4). Profiling means any automated processing that evaluates personal aspects of an individual, including work performance, reliability, or behaviour. Most candidate matching tools, ranking algorithms, and structured interview analysis systems do exactly that. If your tool matches, ranks, evaluates, or allocates candidates based on personal characteristics, the exemption almost certainly does not apply to you.
The penalty framework is substantial. For deployers who fail to meet their high-risk system obligations, fines can reach up to 15 million euros or 3% of global annual turnover, whichever is higher. For prohibited AI practices, the ceiling rises to 35 million euros or 7% of turnover. But the fine is not the biggest commercial risk. Regulators also have the power to withdraw or recall non-compliant AI systems from the market. For an agency whose operating model depends on AI-powered interview analysis and candidate matching, having a core tool pulled mid-contract creates immediate operational disruption.
How In2Dialog Is Built Around Compliance From Day One
Most AI recruitment tools were built for speed and features first. Compliance was added later, often as a page on the website rather than a design principle in the product. In2Dialog took the opposite approach.
All candidate data is processed and stored within the European Union. There are no international data transfers to navigate, no Standard Contractual Clauses to manage, and no reliance on US-based AI infrastructure where data residency is uncertain. For agencies operating under GDPR, this eliminates one of the most common compliance headaches entirely. The check a practitioner should still make, with any vendor, is that the sub-processor list in the Data Processing Agreement is also EU-only: an EU primary data centre does not remove transfer obligations if transcription or storage is subcontracted outside the EU.
In2Dialog uses its own secure database architecture. Interview data is never sent to external AI models like ChatGPT or other public APIs. Your candidate recordings, transcripts, and reports stay within a controlled environment. The data is not used to train external systems. That distinction matters because several popular AI meeting tools are thin wrappers around public models where your candidate data enters a pipeline you do not control.
Candidate consent is built into the workflow. Before recording begins, the consent process is handled as part of the standard interview setup. This is not an afterthought bolted onto the product. It is integrated into how recruiters use the tool every day.
Retention controls are configurable. Audio data is automatically deleted after one year and transcripts after two years by default. Shorter periods can be configured based on your agency’s policy. When a candidate exercises their right to erasure, the system can execute that completely.
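The retention and erasure behaviour described above is the part of this that agencies most often get wrong operationally, so here is a worked illustration of how a per-artifact retention schedule and an Article 17 erasure request fit together. This is an added example written for this article, not In2Dialog's own code; the artifact kinds, the store layout, the identifier-only audit log and the sample data are all assumptions constructed for the example. The one-year audio and two-year transcript defaults come from the text; the report retention value is an assumption.

```python
"""Retention enforcement and right-to-erasure handling for interview artifacts.

Added example, not product code. Everything below (artifact kinds, the in-memory
store, the audit-log shape, the sample data) is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Retention per artifact class, in days. Audio (365) and transcript (730) follow the
# defaults stated in the article; "report" at 730 is an assumption for this example.
DEFAULT_RETENTION_DAYS: Dict[str, int] = {"audio": 365, "transcript": 730, "report": 730}


@dataclass
class Artifact:
    candidate_id: str
    kind: str          # "audio" | "transcript" | "report"
    created: date
    deleted: bool = False


@dataclass
class Store:
    artifacts: List[Artifact] = field(default_factory=list)
    # Audit log carries identifiers and event metadata only, never interview content,
    # so keeping it (the AI Act's six-month log minimum) does not keep candidate data.
    audit_log: List[dict] = field(default_factory=list)


def is_expired(a: Artifact, today: date, retention: Dict[str, int] = DEFAULT_RETENTION_DAYS) -> bool:
    """True once the artifact has reached the retention period for its class."""
    return today >= a.created + timedelta(days=retention[a.kind])


def enforce_retention(store: Store, today: date,
                      retention: Dict[str, int] = DEFAULT_RETENTION_DAYS) -> List[Artifact]:
    """Delete every live artifact past its class retention period; return what was deleted.
    Meant to run on a schedule so nothing sits on a server indefinitely."""
    removed = []
    for a in store.artifacts:
        if not a.deleted and is_expired(a, today, retention):
            a.deleted = True
            removed.append(a)
            store.audit_log.append({"event": "retention_delete", "candidate_id": a.candidate_id,
                                    "kind": a.kind, "on": today.isoformat()})
    return removed


def erase_candidate(store: Store, candidate_id: str, today: date) -> int:
    """Article 17 erasure: delete every live artifact for the candidate regardless of age.
    Returns the number of artifacts removed. The request itself is logged without content."""
    count = 0
    for a in store.artifacts:
        if a.candidate_id == candidate_id and not a.deleted:
            a.deleted = True
            count += 1
    store.audit_log.append({"event": "erasure_request", "candidate_id": candidate_id,
                            "artifacts_removed": count, "on": today.isoformat()})
    return count


def remaining_for(store: Store, candidate_id: str) -> List[str]:
    """Verification step: artifact kinds still live for a candidate. Must be empty after erasure;
    if it is not, the erasure was not executed completely."""
    return sorted(a.kind for a in store.artifacts if a.candidate_id == candidate_id and not a.deleted)


def build_sample_store() -> Store:
    """Constructed sample data: two candidates, artifacts of differing age."""
    return Store(artifacts=[
        Artifact("cand-A", "audio", date(2025, 6, 1)),       # audio older than one year
        Artifact("cand-A", "transcript", date(2025, 6, 1)),  # transcript younger than two years
        Artifact("cand-B", "audio", date(2026, 3, 1)),       # recent audio
        Artifact("cand-B", "transcript", date(2024, 5, 1)),  # transcript older than two years
    ])


if __name__ == "__main__":
    store = build_sample_store()
    today = date(2026, 8, 2)
    print("retention removed:", [(a.candidate_id, a.kind) for a in enforce_retention(store, today)])
    print("erased for cand-B:", erase_candidate(store, "cand-B", today))
    print("still held for cand-B:", remaining_for(store, "cand-B"))
    print("still held for cand-A:", remaining_for(store, "cand-A"))
```

The design point is the separation of the two paths: scheduled retention deletes by age and class, erasure deletes by candidate regardless of age, and a verification query confirms nothing content-bearing survives. The audit log records only that a deletion or erasure happened, so you can keep it for the logging period without it becoming a second copy of the candidate's data.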
The human remains in the loop at every decision point. In2Dialog generates structured reports that combine the interview transcript with the candidate’s CV and the job description. But the report is a tool for the recruiter, not a replacement for the recruiter. The system does not make hiring decisions. It does not auto-reject candidates. It does not produce scores that determine whether someone moves forward. The recruiter reviews the report, applies their own judgment, and makes the decision. That is exactly what both the GDPR and the EU AI Act require.
This design also means In2Dialog can document the audit trail that regulators expect. Every interview has a recording, a transcript, a structured report, and a record of how that data was used. When a regulator asks how a decision was made and who was responsible for it, the answer is clear and traceable.
For agencies evaluating their AI tools ahead of the 2 August deadline, the questions to ask every vendor are specific.
- Where is candidate data processed and stored? Is it within the EU?
- Does the tool send data to third-party AI models? If so, which ones?
- Can the vendor provide a signed Data Processing Agreement?
- Does the tool support configurable retention periods and right-to-erasure requests?
- Is the AI output designed as a decision support tool with human oversight, or does it make autonomous decisions?
- Can the vendor provide technical documentation, bias audit results, and usage logs to support your deployer obligations?
If your current vendor cannot answer these questions clearly, that is your signal to act before August.
The agencies that treat compliance as a competitive capability rather than a burden will have a measurable advantage. Enterprise clients with EU operations are already building AI governance into their vendor selection criteria. Being able to demonstrate compliant AI practices, transparent candidate processes, and documented oversight frameworks will win RFPs and preferred supplier negotiations that non-compliant agencies will lose.
The EU AI Act is the first major AI regulation of its kind. It will not be the last. Similar frameworks are taking shape in the UK, Canada, and at state level in the US. Investing in compliant infrastructure now builds capacity that transfers across jurisdictions. The agencies building governance into their operating model are solving for the next decade, not just the next deadline.
See how In2Dialog’s AI interview tools work for recruitment agencies or book a demo to see how compliance is built into every step of the workflow.