What the EU AI Act means for staffing

Published on May 28, 2026 by Diederik Syoen

The short version

AI screening is not a smarter CV filter. It is a system that can affect whether someone gets work. Under EU rules that puts you in the same bucket as credit scoring at banks.

Courts are already fining companies that misuse HR algorithms. If you run a staffing agency or sell HR tech, you need to know the rules.

| What most teams think they deployed | What regulators and courts treat it as |
| --- | --- |
| A productivity tool that sorts CVs faster | An automated decision under GDPR Article 22 if a recruiter mainly rubber-stamps the output |
| "The vendor handles compliance" | Shared responsibility. You as deployer still owe candidates disclosure, oversight and answers |
| "We'll sort the AI Act out before August 2026" | GDPR is fully live today. Several AI Act bans (e.g. emotion recognition from voice in hiring) have applied since 2 February 2025 |
| "Our recruiter clicks approve, so a human decided" | A click is not oversight. European courts have already rejected purely symbolic human sign-off |

Note: "Rubber-stamp" means approving something without reviewing the details. That is what bulk-clicking AI recommendations looks like in practice.

Three sentences that usually unlock the conversation:

  1. Every candidate should know they're dealing with AI. At the moment it happens, not in a privacy policy nobody opens.
  2. A human has to be able to change the outcome. They need time to review, authority to override and a record when they do. Screening 200 people an hour and clicking "yes" on all of them does not count.
  3. No emotion-from-voice features. Banned in EU workplace hiring contexts since 2 February 2025, whatever the vendor demo showed.

About August 2026: that was the original date for full high-risk AI obligations on recruitment tools (documentation, logging, conformity). EU co-legislators agreed in May 2026 to push most Annex III deadlines to 2 December 2027, pending formal adoption. Risk still starts earlier: buyers already put AI Act questions in 2026 RFPs and French regulators named recruitment a 2026 priority.

About "we have until 2027": the Digital Omnibus buys time on when high-risk paperwork bites. It does not change classification: recruitment AI stays high-risk under Annex III. GDPR, works council rules and candidates' rights to challenge automated decisions apply either way.

A scorecard for any AI vendor in your stack

For your next vendor meeting: six questions for any provider in your stack.

| Question to ask | 🍏 Strong answer | 🍅 Walk away |
| --- | --- | --- |
| 1. Are you a high-risk provider under Annex III, point 4? Where's your conformity-assessment status? | "Yes, point 4(a). Here's our state and the timeline (December 2027 if Omnibus is adopted, August 2026 until then)." | Hesitation, or "we don't think it applies." |
| 2. Show me, in the product, where the candidate is told they're talking to AI. | Specific moment, specific words, demoed live. | "It's in our terms of service." |
| 3. What does your AI explicitly not do? | A clear list including emotion recognition, voice biometric ID, auto-rejection, social scoring. | "We can do whatever you want." |
| 4. What happens when a recruiter overrides the AI? Where does that get logged? | A real path with logged reasons, retained 6+ months, surfaced for audit. | "They just click no." |
| 5. What can I hand my works council and DPO before we deploy? | DPIA template, instructions for use, log retention specs, bias-audit results, technical documentation. | "We'll figure that out together." |
| 6. Can you produce a candidate's right-to-explanation response on request (Art. 86)? | "Yes. Here's the format." | "What's that?" |

Where the legal risk actually sits

Everything below is the deeper cut: where staffing AI sits in the law, what's already illegal, what's already being enforced in court, what deployers actually have to run themselves and how we built Ringtime around it.

The trap most staffing teams walk into

The costliest misunderstanding does not even live in the AI Act. It lives in GDPR Article 22. The Court of Justice of the EU sharpened it in December 2023.

Most agencies we talk to assume automated decision-making works like this: "As long as a human signs off at the end, it's not automated." The law says otherwise. So do the courts since CJEU C‑634/21 (SCHUFA Holding, 7 December 2023). SCHUFA's credit scoring was challenged because banks made the final lending decisions, not SCHUFA. The Court ruled that when the human gives the algorithmic score a "determining role", it counts as an automated decision under Article 22, whoever clicks the button at the end.

Staffing translation: a recruiter who clicks "approve" on 200 AI-recommended candidates a day, with no case-by-case review of the AI's reasoning, is rubber-stamping. That is not human oversight. Under the SCHUFA reading of Article 22 it is already an automated decision with significant effect on the candidate. Most agencies have no clean legal basis to run that at volume.

Two practical implications:

  • The risk is live today, not when the Omnibus deadline lands. The AI Act adds obligations. It does not replace what is already in force.
  • "We have human oversight" fails when the human reviews 200 candidates an hour. Real oversight needs time per candidate, authority to override and a logged record of the override.

Where staffing AI actually lands in the AI Act

The AI Act has eight high-risk categories in Annex III. These three matter most for staffing and recruiting.

| Annex III category | Relevant for staffing AI? | What it actually means |
| --- | --- | --- |
| Point 4(a): recruitment, selection, evaluation of candidates | Yes. Core hit. | Voice/chat screening, ranking, filtering. Full high-risk obligations once the Annex III date applies (2 August 2026 on paper today; 2 December 2027 in the May 2026 Omnibus deal). |
| Point 4(b): task allocation, performance monitoring, termination decisions | Yes, if your AI keeps working with placed workers | Agencies using AI to predict no-shows, allocate shifts or flag underperformers cross into this category. Same high-risk regime, different obligations to think through. |
| Point 1: biometric identification or categorisation | Adjacent flag for voice products | Voice identification (recognising who is speaking) sits here. Voice transcription (speech to text) does not. Worth confirming which side your vendor is on. |

Screening-only deployments sit in 4(a). A "candidate insights" or "workforce analytics" module may sit under 4(a) or 4(b). Once the AI evaluates a placed worker, you pick up a second high-risk category and the obligations stack.

The bans that already apply (since 2 February 2025)

Article 5 is the floor: practices that are simply illegal in the EU, with no grace period. Four matter for staffing AI.

| Prohibition | What this looks like in staffing |
| --- | --- |
| Art 5(1)(a): manipulative or deceptive techniques | Scripts that pressure candidates into accepting offers, or hide what is being collected from them. |
| Art 5(1)(b): exploiting vulnerabilities | Using economic pressure (unemployment, immigration status) to extract worse terms. |
| Art 5(1)(c): social scoring | A cross-context "candidate reliability score" pulled from accumulated behaviour across employers. |
| Art 5(1)(f): emotion recognition from biometrics in workplace contexts | Inferring how a candidate "felt" from tone of voice, pitch or stress. |

Penalties for these are the steepest in the regulation: up to €35M or 7% of global turnover. These bans did not wait for August 2026. They have been illegal in the EU since 2 February 2025. If a vendor in your stack does any of the above today, that is already an enforceable violation.

This is already being enforced today

People say "no one's actually being fined yet, so we have time." The cases below say otherwise. None of them waited for the AI Act's high-risk deadline. They turned on GDPR and labour law already in force.

  • CJEU, SCHUFA (7 December 2023, C‑634/21). Credit scoring used by banks still counted as automated decision-making when humans gave the score a determining role. Same logic applies to AI-ranked candidate shortlists.
  • Amsterdam Court of Appeal, "Robo-Firing" (4 April 2023). Uber drivers' dismissals were upheld by humans in name only. The court found purely symbolic human validation illegal under GDPR Article 22. Follow-on sanctions ran into the hundreds of thousands of euros. Staffing buyers should assume the human click no longer protects you unless supervision is real, documented and able to change the outcome.
  • Audiencia Nacional (Spain), CGT v. Foundever (4 July 2025). The employer denied using algorithms in HR. The court voided the practice, sanctioned a breach of trade union information rights and ordered disclosure of algorithm parameters to worker representatives. In Belgium and the Netherlands, works council consultation before deploying recruitment AI is the step agencies most often skip (Belgian Institute for the Equality of Women and Men guidance). Denying the tool exists when it does is its own fault line.
  • CNIL (France), 3 April 2026. The French data protection authority named recruitment as a 2026 enforcement priority. Inspections target automated decision-making, candidate transparency and indefinite CV retention at large companies and recruitment agencies.
  • ICO (UK), 2024. The UK regulator audited 30+ AI recruitment providers and employers. Found tools that inferred gender and ethnicity from candidate names and filtered candidates by protected characteristics. Several vendors had to change their products.
  • Mobley v. Workday (US, ongoing). A federal court allowed an AI hiring discrimination class action to proceed in 2024 on the theory that the AI vendor itself can be directly liable as an "agent" of the employer. In May 2025 the court granted class certification on age discrimination. European regulators are testing the same pattern: vendor liability for screening outputs.

Dutch and Belgian supervisors are also turning up the volume on HR AI in 2026. The Autoriteit Persoonsgegevens dedicated a full chapter of its 2026 AI & algorithms report to recruitment. Belgian guidance on candidate hiring data and the Institute for Gender Equality's AI-in-hiring recommendations point the same way: less data than you think, more transparency than most teams ship.

The agencies in trouble in 2026 are not only the ones who missed a deadline. They are the ones whose stack would not survive a day with an auditor, a candidate, a union rep or a DPO asking obvious questions.

What deployers actually carry

The Act splits obligations between provider (the vendor) and deployer (the agency using it). Vendors carry the heavier list: risk management, technical documentation, conformity assessment, EU database registration. That is our work.

The deployer side under Article 26 is shorter. The parts staffing agencies miss are real:

  • Specific, in-the-moment AI disclosure to every candidate. Generic privacy notices do not cut it (AP, GBA).
  • A DPIA before deployment. GDPR Art. 35 already required this. The AI Act sharpens what "high-risk" means.
  • Inform workers and their representatives before deployment (Art. 26(7)). In Belgium, the Netherlands, France and Germany this typically means formal consultation through the works council under domestic labour law. Skipping it is the most common BE/NL deployment-killer we see.
  • Six-month minimum log retention for auto-generated logs.
  • Real human override authority. See the rubber-stamp trap above.
  • Right-to-explanation responses (Art. 86). Rejected candidates can ask for a clear explanation of the AI's role and the main factors in their assessment. The deployer has to be able to give it. The AI has to be explainable enough to relay.

Vendors carry technical compliance. Deployers carry organisational compliance. Both fail if the other cuts corners.

What we built into Ringtime because of it

We designed Ringtime around four boundaries we do not cross, even when a customer asks.

Respect hard boundaries. No voice biometric identification. No emotion or sentiment inference from the audio signal: no tone, no cadence, no stress markers. Audio is transcribed and the buffer discarded. Only text reaches the model. Ringtime never tells a recruiter "the candidate sounded nervous." Not even when asked.

Treat hiring workflows as high-risk by default. Anything that screens, filters or evaluates a candidate gets the higher bar: scoped controls, full logging, role-based access, retention windows and clear usage boundaries on what the AI can and cannot ask. We assume every conversation is sensitive.

Make transparency operational. Every Ringtime conversation opens with the AI identifying itself, in the candidate's language. Inside the product, recruiters see which fields, scores and recommendations the model produced and on which inputs. Transparency only counts if the people who need it can act on it: the candidate at the start of the call, the recruiter when reviewing, the privacy officer when auditing.

Make human oversight real. Two design choices follow from the SCHUFA logic above. Ringtime never produces a binary yes/no. It produces a recommendation with the transcript, the scoring and the reasoning attached so the recruiter can challenge it. Handoffs to a human happen only on the candidate's explicit request, never on AI-inferred fit. We refuse to build the trigger that turns a recruiter's contact decision into a downstream automated decision.

FAQ

Is recruitment AI high-risk under the EU AI Act?

Yes. Annex III, point 4(a) names AI systems used for recruitment, selection and evaluation of candidates as high-risk. The narrow procedural-task exception in Art. 6(3) does not apply because evaluating candidates is profiling under GDPR.

When does the EU AI Act apply to staffing agencies?

Article 5 prohibitions (including the workplace emotion-recognition ban) have been in force since 2 February 2025. Full high-risk provider and deployer obligations were scheduled for 2 August 2026; the May 2026 Omnibus deal would move most Annex III systems to 2 December 2027, subject to formal adoption. Plan for both dates until the law is published.

Does GDPR Article 22 already prohibit automated rejection of candidates today?

In practice, yes, in most EU staffing setups. The CJEU's SCHUFA ruling (C‑634/21, December 2023) established that algorithmic scoring counts as automated decision-making when the human gives it a "determining role", even if a person formally signs off. A recruiter rubber-stamping AI recommendations at volume is unlikely to meet the bar for meaningful human review.

Build it in, or fix it under pressure

Compliance should be in the product before you see it. Same way GDPR eventually got baked into how we build, not how we sell. Contract negotiations and a later Omnibus deadline are both too late if the product was wrong on day one.

The buyers who will be fine built it in already. The vendors who will be fine wrote it into the product, not only into the contract.

If you want to walk through how this maps to your setup (works council prep, DPIA template, deployer checklist), we are happy to do that.

We are not lawyers. This article is general information, not legal advice. For your specific setup, contracts or deployment decisions, talk to your legal team and DPO. We do the same when we need advice on our own obligations.
