AI in Recruitment: Key Considerations for Employers in Bulgaria and EU
Artificial intelligence (AI) is increasingly shaping recruitment practices, transforming the way organizations assess and select candidates. AI tools offer a data-driven and efficient approach to finding talent, promising to streamline the hiring process, reduce human bias, and assist companies in identifying candidates quickly and accurately.
However, the growing use of AI in recruitment introduces challenges such as algorithmic bias, transparency, and the protection of personal data, which require careful consideration. The EU AI Act (Regulation (EU) 2024/1020) sets stricter standards, compelling organizations in Bulgaria and the EU to balance the benefits of technological advancement with fairness, transparency, and respect for candidate rights.
Navigating Regulatory Compliance
As AI becomes integral to various business processes, including recruitment, organizations in Bulgaria and the EU must navigate a complex regulatory landscape. Two key regulations apply to the use of AI systems in hiring: the AI Act (EU Regulation 2024/1020) and the General Data Protection Regulation (GDPR) (EU Regulation 2016/679).
AI systems intended for recruiting or selecting candidates are classified as “high-risk” under the AI Act, necessitating compliance with strict requirements designed to safeguard fairness, ensure transparency, and protect fundamental rights.
Responsibilities of Deployers
Under the AI Act, organizations using AI systems (e.g., employers and recruitment agencies) are generally considered “deployers”. They may be reclassified as “providers” and subject to more stringent obligations if they:
- Put their name or trademark on a high-risk AI system that has already been placed on the market or put into service (unless a contract clearly assigns these responsibilities elsewhere).
- Make a substantial modification to the system.
- Change the intended purpose of the AI system.
Key Compliance Obligations for Deployers
Deployers of high-risk AI systems for recruitment must adhere to several obligations that align with GDPR requirements for automated decision-making and profiling:
1. Transparency and Notification Obligations
- Inform candidates and employees that they are subject to a high-risk AI system before deployment.
- Provide clear information about the system’s purpose, capabilities, and limitations.
- Ensure compliance with GDPR transparency requirements, including the right to information, access, and contest automated decisions.
2. Human Oversight Obligations
- Assign trained personnel with sufficient authority to oversee the AI system.
- Ensure they can interpret outputs and intervene or suspend the system if necessary.
- Maintain active and informed oversight rather than a formalistic approach.
3. Data Quality and Bias Mitigation Obligations
- Input data must be relevant, representative, and mitigate bias at the deployment stage, which may necessitate internal audits or validation procedures.
- Conduct bias audits to ensure data does not lead to discriminatory outcomes.
- Align with GDPR principles of data minimization and accuracy.
4. Technical and Organizational Measures Obligations
- Use the system only as per the provider’s instructions (violating this could result in qualifying the deployer as a provider).
- Implement safeguards to prevent misuse or unintended consequences.
- Suspend operation if the system poses a risk or malfunctions, and inform the provider, distributor, and relevant market surveillance authority.
5. Recordkeeping and Monitoring Obligations
- Maintain logs of system operations for at least six months (if logs are under the deployer’s control).
- Continuously monitor performance to detect anomalies or risks and inform providers.
- Cooperate with market surveillance authorities and provide documentation upon request.
6. Impact Assessment Obligations
- Before first use, perform a fundamental rights impact assessment as part of the data protection impact assessment.
- The deployer may rely on previously conducted fundamental rights impact assessments or existing assessments carried out by the provider.
7. AI Literacy and Training Obligations
- Ensure a sufficient level of AI literacy among staff and other persons dealing with the operation and use of AI systems.
- Provide adequate training for all staff involved in AI operations.
Respecting Candidate Rights under GDPR
Deployers must uphold candidates’ rights under the GDPR, particularly those in Article 22, which protects individuals against being subject to decisions based solely on automated processing. Where such processing is permitted, candidates must be guaranteed:
- The right to human intervention.
- The right to express their point of view.
- The right to contest a decision.
These safeguards are especially critical in recruitment, where AI-driven decisions can significantly affect individuals’ careers and livelihoods.
High-risk AI systems have the potential to transform recruitment by streamlining processes and supporting better decisions. However, this potential can only be realized if organizations apply AI technology responsibly in line with the GDPR and AI Act. Compliance not only protects candidate rights and reduces legal risks but also builds trust in AI-powered hiring.
