
AI Recruitment in Germany: What HR Teams Need to Know About GDPR and Automated Hiring

Short answer

German employers can use AI recruitment tools, but purely automated hiring decisions significantly affecting applicants are prohibited under GDPR Article 22 unless an exception applies. A human-in-the-loop is required, and from August 2026 the EU AI Act adds further HR AI obligations.

  • GDPR Article 22 prohibits purely automated decisions with significant effects — human review is required.
  • BDSG Section 26 governs processing of applicant data; consent is rarely the right legal basis.
  • AI Act Annex III classifies employment AI as high-risk — compliance obligations apply from August 2026.
  • Works councils have co-determination rights when employers introduce AI hiring tools under BetrVG Section 87.

German employers can use AI recruitment tools, but purely automated hiring decisions that significantly affect applicants are prohibited under GDPR Article 22 unless a specific exception applies. This guide explains the legal framework — GDPR, BDSG, the EU AI Act, and German works council law — and what HR teams need to do to stay compliant.

Can German Companies Use AI to Screen Job Applicants?

Yes — with conditions. AI tools for candidate screening, CV ranking, and applicant tracking are legally available to German employers, but they cannot be the sole decision-maker. The key restriction comes from GDPR Article 22, which prohibits decisions that are purely automated and have significant effects on a person, unless one of the defined exceptions applies.

In practice, this means:

  • You can use AI to rank CVs, flag missing qualifications, or score candidates.
  • You cannot reject or advance a candidate based solely on an automated output without human review.
  • A human must genuinely evaluate the AI’s output — rubber-stamping does not satisfy the requirement.

GDPR Article 22 and Automated Hiring Decisions

GDPR Article 22 establishes a general prohibition on purely automated individual decision-making that produces legal or similarly significant effects. For recruitment, “significant effects” clearly covers rejection, shortlisting, and invitation to interview.

Three exceptions exist under Article 22(2):

  1. The decision is necessary for entering into a contract with the data subject.
  2. The decision is authorized by EU or Member State law.
  3. The data subject has given explicit consent.

In German recruitment practice, exception (1) is the most commonly relied upon — processing applicant data to determine suitability for a role is arguably necessary for the contract. However, even where an exception applies, Article 22(3) requires that the employer implement suitable safeguards, including the right for the applicant to obtain human review, express their point of view, and contest the decision.

What counts as “purely automated”? The EDPB guidance is clear: a human must make a genuine decision. If the human simply approves whatever the algorithm outputs without independent assessment, this is likely still “purely automated” in substance.

BDSG Section 26 — Applicant Data Protection in Germany

Germany’s Federal Data Protection Act (BDSG) Section 26 provides the specific legal basis for processing applicant data. It permits processing where necessary for decisions about establishing an employment relationship.

Key points for HR teams:

  • Consent is rarely the right basis for applicant data. The power imbalance between employer and applicant makes freely given consent under GDPR hard to establish. Rely on BDSG Section 26 instead.
  • Sensitive data (health, disability, ethnicity) requires a higher standard of justification — typically explicit consent or necessity to exercise employment law rights.
  • Deletion obligations: Applicant data must be deleted within a reasonable period after a recruitment process concludes. German practice generally treats 4–6 months as reasonable; longer retention requires justification.
  • Data minimisation: Only collect data relevant to the role. AI tools that infer personality traits, cultural fit scores, or psychometric profiles from CV text or video interviews carry elevated risk.

AI Act and High-Risk AI in HR

The EU AI Act, which entered into force in August 2024, classifies AI systems used for recruitment and HR decisions as high-risk systems under Annex III. This includes:

  • AI used to screen or filter job applications.
  • AI used to assess candidates in tests during or preparatory to the recruitment process.
  • AI used to make or influence decisions on promotion, termination, or task assignment.

High-risk obligations apply from August 2, 2026. From that date, German employers deploying or using high-risk AI recruitment tools must:

  • Ensure the system has been registered in the EU database for high-risk AI systems (obligation on providers).
  • Conduct a conformity assessment or verify the provider’s CE marking.
  • Maintain logs of system use and carry out monitoring.
  • Implement human oversight measures.
  • Provide transparency to affected individuals.

If you are currently selecting an AI recruitment vendor, ask them now about their AI Act compliance roadmap. Their compliance (or lack of it) becomes your problem from August 2026.

For a broader overview, see our EU AI Act compliance guide for German companies and our AI Act in HR and recruitment industry overview.

Which AI Recruitment Tools Can German Companies Use?

There is no official whitelist. The key questions to ask when evaluating any AI recruitment tool:

1. Does the vendor have a Data Processing Agreement (DPA)? Mandatory under GDPR Article 28 if the vendor processes personal data on your behalf. Review the DPA carefully — particularly sub-processors, data residency, and breach notification timelines.

2. Where is data processed? Processing applicant data outside the EU/EEA requires additional transfer mechanisms (Standard Contractual Clauses, adequacy decision). U.S. vendors must be covered by the EU-U.S. Data Privacy Framework or SCCs.

3. Does the tool support human-in-the-loop review? Any tool that claims to make autonomous hiring decisions without human review creates GDPR Article 22 liability. The tool should produce outputs that inform human decisions, not replace them.

4. Does the vendor provide AI Act compliance documentation? From August 2026, you need to be able to demonstrate that the AI system you are using meets EU AI Act high-risk requirements. Ask vendors for their technical documentation and conformity assessment records.

Common tool categories:

  • ATS with AI ranking (e.g., Workday, SAP SuccessFactors, Greenhouse): Generally lower risk if configured to assist rather than decide.
  • CV screening AI (standalone tools that parse and score CVs): Higher risk — human review mechanism is critical.
  • Video interview AI (automated analysis of facial expressions, speech, vocabulary): Very high scrutiny in Germany. Works councils typically oppose these tools. Processing of biometric data requires explicit consent or specific legal basis.

Works Council (Betriebsrat) and AI Recruitment

German companies with 5 or more employees may have a Betriebsrat (works council). Under Betriebsverfassungsgesetz (BetrVG) Section 87(1)(6), the works council has mandatory co-determination rights over the introduction and use of technical systems that are capable of monitoring employee behavior or performance.

While applicants are not employees, German labor courts and the literature have generally treated applicant tracking systems as falling within the scope of BetrVG Section 87 where employees in the HR department interact with the system or where the system processes data relevant to hiring decisions that affect the workforce composition.

In practice:

  • Inform the works council before introducing any AI recruitment tool.
  • Negotiate a Betriebsvereinbarung (works agreement) governing the tool’s use: what data is collected, how long it is retained, who can access outputs, and what human review steps apply.
  • The works council cannot veto the business decision to hire, but it can make the tool legally unusable if you fail to reach agreement.
  • Failure to comply with co-determination rights can lead to injunctions against using the system.

Practical Compliance Steps for AI Recruitment in Germany

Use this checklist before deploying any AI recruitment tool:

  1. DPIA: Conduct a Data Protection Impact Assessment under GDPR Article 35. Required for systematic, large-scale automated profiling of applicants.
  2. Legal basis review: Confirm BDSG Section 26 covers the processing. Document your legal basis assessment.
  3. DPA with vendor: Execute a GDPR Article 28 Data Processing Agreement.
  4. Transfer mechanisms: If data leaves the EU/EEA, ensure adequate transfer safeguards.
  5. Update applicant privacy notice: Include information on automated processing, the logic involved, and applicants’ rights under Article 22(3).
  6. Human review process: Design and document the human review step. Train HR staff on what meaningful review requires.
  7. Works council engagement: Inform the Betriebsrat and negotiate a Betriebsvereinbarung before go-live.
  8. Deletion schedule: Implement automatic deletion of applicant data after the recruitment process concludes (typically 4–6 months).
  9. AI Act readiness: For tools likely classified as high-risk under AI Act Annex III, request vendor compliance documentation now and plan for August 2026.

Our AI Act compliance guide for German employers covers the AI Act obligations in detail. For employment law questions specific to your situation, speak with our team.


This guide provides general legal information for HR teams and business operators. It does not constitute legal advice. Specific situations — particularly works council negotiations or DPIA scoping — require individual legal counsel.

Frequently asked questions

Is using AI to screen CVs legal in Germany?

Yes, AI CV screening is legal in Germany, but it must not be the sole basis for a decision that significantly affects the applicant. A human must review and take responsibility for the final decision under GDPR Article 22.

Does GDPR Article 22 apply to AI recruitment tools?

Yes. Any AI recruitment tool that produces a decision — or a meaningful factor in a decision — that significantly affects a job applicant triggers Article 22 GDPR. Purely automated decision-making without human review is prohibited unless the applicant has given explicit consent, the decision is necessary for a contract, or another Article 22(2) exception applies.

Do German companies need a DPIA for AI hiring tools?

Almost certainly yes. The German data protection authorities (DSK) have indicated that systematic, large-scale automated processing of applicant data, especially with profiling, requires a Data Protection Impact Assessment (DPIA) under GDPR Article 35.

What must you tell candidates about AI screening?

Applicants must be informed in the privacy notice that their data is processed using automated systems, what logic is involved, the significance of the processing, and their right to request human review under GDPR Articles 13 and 22(3).

Can the works council block AI recruitment tools?

The works council cannot veto a business decision to hire, but it has co-determination rights over the introduction of technical systems that monitor employee or applicant behavior under BetrVG Section 87(1)(6). Failure to involve the works council can render the tool legally unusable.
