← All insights
ComplianceJune 10, 20265 min read

AI Resume Screening in the EU: What the Rules Require

By · AI agents for European teams

The team behind AgentWorks — building EU-compliant AI agents and multi-LLM workflows for European teams.

Reviewed June 10, 2026

Share

TL;DR

Explains why AI resume screening is classified high-risk under EU AI Act Annex III and how GDPR Article 22 limits automated rejections, with concrete obligations (bias testing, human oversight, audit trails) recruitment and IT leaders must implement before the August 2026 deadline. Written for CTOs, IT leads, and ops managers at European companies evaluating AI recruitment tools.

AI resume screening is not a gray area under EU law. The EU AI Act classifies it as high-risk, and GDPR Article 22 puts hard limits on how much of the decision can be automated. Recruitment teams building or buying screening tools need to treat this as a compliance project, not just a procurement decision.

Why resume screening is high-risk, not just "sensitive"

Annex III, point 4 of the EU AI Act lists AI systems used for recruitment or selection as high-risk, specifically those used to place targeted job ads, analyze and filter applications, or evaluate candidates (artificialintelligenceact.eu). The classification is triggered by the use case, not by how much of the decision the AI actually makes.

That detail matters because many vendors market their tools as "just ranking" or "just surfacing top candidates," implying a human still decides. Under Annex III, a system that filters or scores CVs is high-risk whether or not a human signs off on the final rejection. If your tool touches the applicant pool before a human sees it, it is in scope.

High-risk obligations under Article 6(2) include a conformity assessment before deployment, technical documentation, human oversight designed into the system (not bolted on), bias and accuracy testing, and logging that supports audits. These requirements become enforceable on August 2, 2026, with penalties up to €15 million or 3% of global annual turnover under Article 99.

Expert tip: run the conformity assessment before your pilot ships, not after. Retrofitting technical documentation onto a live screening tool is far more expensive than building the file alongside the model selection process.

GDPR Article 22: the human review has to be real

Even outside the AI Act, GDPR Article 22 gives every EU job applicant the right not to be subject to a decision based solely on automated processing that produces a legal or similarly significant effect. A hiring rejection qualifies.

The European Data Protection Board has been explicit that the human review exemption only counts if a person genuinely can, and does, change the outcome. Rubber-stamping an AI's shortlist does not satisfy Article 22 — the EDPB has stated that a controller "cannot avoid the Article 22 provisions by fabricating human involvement" (gdprinfo.eu). This was reinforced at the EDPB/EDPS conference on AI in HR held in July 2026, which focused specifically on automated hiring decisions.

In practice this means:

  • A recruiter must be able to see the reasoning behind a candidate's score, not just the score.
  • The recruiter must have time and authority to overturn the AI's recommendation.
  • You need a record showing the review happened and what the reviewer considered.

A screening tool that produces a ranked list with no visible reasoning, reviewed by someone with a stack of 200 CVs and five minutes, will not survive a regulator's scrutiny of "meaningful" human involvement.

What this means for your recruitment stack

Three obligations recur across both frameworks and are worth building into any AI screening workflow now, rather than waiting for the August 2026 deadline.

Bias testing before and during deployment

The AI Act requires testing for the kind of protected-characteristic bias that CV screening models are prone to (proxies for gender, age, ethnicity via school names, gaps, or address). This is not a one-time check. Retest whenever the model, prompt, or scoring criteria change, and keep the results as part of your technical documentation.

Human-in-the-loop that actually loops

Design approval gates into the workflow itself so a recruiter reviews and can override before any rejection goes out, not after. Configurable human-in-the-loop checkpoints at each decision step give you a defensible answer when a regulator asks who made the final call.

An audit trail that survives an investigation

Article 6(2) documentation and GDPR accountability both come down to the same evidence: what data went in, what the model scored, who reviewed it, and what changed. An append-only log that cannot be edited after the fact is the simplest way to satisfy both.

If you are evaluating platforms to run this kind of workflow, check how the vendor handles EU AI Act readiness specifically for high-risk use cases like recruitment, not just general data protection claims.

Building screening agents that are AI Act-ready

None of this rules out using AI for resume screening. It means the tooling has to support oversight rather than replace it. A recruitment agent should surface its reasoning per candidate, route flagged or borderline decisions to a named reviewer, mask personal data it does not need to process, and log every step without letting anyone quietly edit the trail afterward.

That is the bar for being AI Act-ready: not a blanket compliance claim, but demonstrable conformity assessment, real human oversight, tested-for bias, and an audit trail that holds up. Recruitment is one of the clearest high-risk categories in the regulation, so it is also one of the categories where cutting corners is most visible to a regulator, and to the candidates it affects.

FAQs

Is all recruitment AI automatically high-risk under the EU AI Act?

Yes, if it is used to analyze, filter, rank, or evaluate job applications, it falls under Annex III, point 4, regardless of whether a human makes the final decision. The obligations apply from August 2, 2026.

Does GDPR Article 22 apply if a recruiter reviews the AI's shortlist?

Only if that review is genuine. The EDPB has stated that superficial or rubber-stamp review does not remove the decision from Article 22's scope — the human must have real authority and information to change the outcome.

What documentation do we need before deploying an AI resume screener?

A conformity assessment, technical documentation describing the system's design and data, evidence of bias and accuracy testing, and logs that support post-deployment audits. These map to Article 6(2) obligations for high-risk systems.

Can we use AI to reject candidates automatically without human review?

Not under GDPR Article 22 if the rejection is based solely on automated processing and has a significant effect on the candidate, which a hiring rejection does. You need a documented, substantive human review step before any automated rejection is finalized.

About the author

· AI agents for European teams

AgentWorks is an AI agent platform purpose-built for European teams that need EU AI Act-ready governance, multi-LLM choice across OpenAI, Anthropic, Google and Mistral, and transparent per-token € pricing.

Read more about AgentWorks