AI in Recruiting: Legal Risks German Labor Law | IT-Medienrecht

So schützen Sie sich vor rechtlichen Fallstricken: Erfahren Sie alles zu AI in Recruiting, Datenschutz (GDPR), AGG & Arbeitsrecht in Deutschland für…

As a lawyer specializing in advising start-ups, I have first-hand experience of the growing importance of artificial intelligence (AI) in recruitment. Many founders and HR managers are fascinated by the prospect of using AI to make application processes more efficient and objective—for example, through automated CV screening or digital pre-interviews. However, I also sense considerable uncertainty: What is legally permitted?

Where are the pitfalls, especially in German data protection and employment law? And how do you ensure that, as a young company, you don’t unintentionally violate laws such as the GDPR or the AGG? This article aims to clarify these crucial questions.

AI in Recruitment: Legal Framework & Compliance for Startups in Germany

In this article, I provide a comprehensive guide derived from my legal practice. I highlight the legal framework for using AI in the application process in Germany. This includes requirements from the General Data Protection Regulation (GDPR) for automated decision-making (Art. 22 GDPR) and information obligations towards applicants.

Additionally, I cover protection against discrimination under the General Equal Treatment Act (AGG) and data protection requirements. These encompass legal bases, purpose limitation, storage periods, and technical and organizational measures. Specifically for start-ups, I discuss additional challenges and how to address them pragmatically.

Finally, I offer practical recommendations on how founders can select and implement legally compliant AI tools. This ranges from provider selection to audit trails, bias monitoring, and necessary documentation.

My aim is to equip you—as a founder or HR manager of a startup—with the tools to use AI in recruiting responsibly and in compliance with the law. When used correctly, AI can help you find the right talent and save valuable time. Incorrect use, however, risks legal conflicts and reputational damage. Therefore, let’s explore the relevant legal issues step by step, so you can leverage AI's opportunities without falling into legal traps.

The Legal Framework for AI in Recruitment

Automated Decisions in the Application Process (Art. 22 GDPR)

A central starting point is Art. 22 para. 1 GDPR. This article states that everyone has the right not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her or similarly significantly affects him or her.

What does this mean for the application process? If an AI system independently decides to reject certain applicants—for example, by creating a ranking where all candidates below a certain score automatically receive a rejection—the AI makes a decision with a significant impact. The applicant loses the chance of getting the job. Such fully automated rejections are generally not permitted under Art. 22 para. 1 GDPR.

Although exceptions exist in Art. 22 para. 2 GDPR, these rarely apply to recruitment processes. An exclusively automated decision would be permitted if it:

In recruitment, it's difficult to argue that a computer must necessarily make the decision without human involvement to conclude a contract; human review is always possible. There are no special legal permissions for automated recruitment decisions in Germany. Relying on applicant consent is also risky. It's questionable whether consent can truly be voluntary in the application process due to job-seeking pressure. Furthermore, consent can be withdrawn at any time, undermining planning security.

The practical recommendation is therefore clear: avoid making decisions in the application process that are made solely by an AI. The HR department should always have the final say. Art. 22 GDPR compels HR to retain "decision-making sovereignty".

It is important to understand how strictly this principle is interpreted by current case law. A landmark ruling by the European Court of Justice—the so-called SCHUFA ruling of 7 December 2023 (ECJ, Case C-634/21)—emphasized the scope of Art. 22 para. 1 GDPR. Although the case concerned credit scoring, its guiding principles apply to applicant selection. The ECJ ruled that even an automated action which significantly shapes the decision-making process can be considered an “exclusively automated” decision.

This means that even if a human is formally involved, a violation of Art. 22 GDPR occurs if this human merely rubber-stamps the AI's result. Applied to recruiting, if an AI system pre-sorts applications, only showing the HR department top candidates while others are filtered out unseen, the AI has de facto decided the fate of these unseen individuals. Such a procedure would be problematic because it automatically excludes applicants without human review of their documents. For more on this, consider the broader ethical issues and liability risks in automated decision-making processes.

The consequence: ensuring a final human decision. AI can certainly be used for support—for example, to scan and evaluate applications. However, the final selection of who is invited or rejected should not solely rely on the algorithm. HR can consider all applicants classified as suitable by the AI. They should also randomly review applications rated poorly by the AI to discover possible "overlooked" candidates. It is crucial that a human can deviate from the AI recommendation and actually uses this option, at least in individual cases. This ensures the decision is not "exclusively automated."

Applicants’ rights in this context also include transparency and participation. If—despite all caution—an admissible automated decision is made, Art. 22 para. 3 GDPR outlines certain protective measures. For example, the applicant would have the right to present their point of view or to challenge the decision, as well as the right to human intervention. Ideally, however, we should avoid reaching a point where an applicant receives a fully automated rejection. Taking Art. 22 GDPR seriously means planning for a “human-in-the-loop” from the outset. This human entity supervises the AI selection, drastically reducing legal risks and often improving selection quality by incorporating context and soft skills that an algorithm may not recognize.

Information Obligations and Transparency in the Use of AI

Data protection thrives on transparency. Applicants have a right to know whether and in what form AI systems are used in the selection process. Companies must comply with the information obligations under Art. 13 GDPR as soon as data is collected, typically when the applicant submits their documents. This privacy policy for applicants should explicitly mention that an AI-based system supports the application process.

The purpose must be clearly stated (e.g., “Implementation of the application process, including a partially automated evaluation of the application documents”). Applicants must be informed of key points such as:

Article 13(2)(f) of the GDPR requires that data subjects, in the case of automated decisions within the meaning of Art. 22 para. 1 GDPR, be informed about the logic involved and the scope and intended effects. If an automated decision were actually involved (such as an automatic rejection by the AI), the applicant would at least have to be given a basic explanation of the criteria used by the system and what this means for them. In practice, however, we avoid such fully automated decisions, as recommended above.

Nevertheless, you should proactively ensure transparency even when using AI for purely supportive purposes. Applicants appreciate open communication that, for example, software scans and evaluates their details, but the final decision remains human. This information can be included in the privacy policy, for instance: “We use software for the initial screening of applications, which creates profiles based on job requirements and suggests a ranking list. However, the final selection decision is the responsibility of our HR employees.” Such text informs the applicant honestly without causing alarm, demonstrating that there is no blind “computer decides, humans have no influence” scenario.

Beyond fairness to candidates, transparency also fulfills legal obligations and can prevent future disputes. If a rejected applicant feels discriminated against or questions their rejection, documented and pre-communicated AI logic can objectively explain that the decision was based on legitimate criteria. While there’s no general obligation to state reasons for rejection, applicants can assert a right to information under Art. 15 GDPR to learn what data is stored and if profiling occurred. At that point, you must transparently explain how the AI system operated.

Another crucial aspect is purpose limitation. Applicant data may only be used for the process for which it was collected. If AI extracts insights from CVs, this data must not be used for unrelated purposes. For instance, using application data to further develop the AI model without consent is inadvisable. If a startup uses every incoming application to train its proprietary AI evaluation tool, this constitutes a new purpose (“training the system”) beyond applicant selection. The applicant would need clear prior information—likely requiring consent—or the data would need anonymization before being used for training.

Profiling is closely linked to AI. The GDPR defines “profiling” (Art. 4 No. 4) as any automated processing of personal data intended to evaluate personal aspects relating to an individual. Thus, if an AI tool calculates an aptitude score or evaluates personality traits, this is profiling. While not prohibited, profiling demands special attention to transparency. For example, a privacy policy might state: “We also use automated analysis methods (profiling) to assess your suitability for the position. This serves the sole purpose of matching your details with the job profile.” If a fully automated decision is made in exceptional cases (which should be avoided), explicit reference to Art. 22 GDPR and explanation of rights (to human intervention, etc.) would be necessary.

To summarize: Clear and honest communication about AI use builds trust and fulfills legal obligations. Applicants should not feel secretly excluded by a “recruiting robot.” Providing more information than less demonstrates professionalism and responsibility. Keep your data protection information current, especially when introducing new tools or changing data processing methods. This enables applicants to exercise their rights and allows you to meet your accountability obligations (Art. 5 para. 2 GDPR).

General Equal Treatment Act (AGG) and AI Risks

In addition to data protection, anti-discrimination law is a particular focus in the application process. The General Equal Treatment Act (AGG) also expressly applies to applicants. A rejected candidate can invoke it if they have been discriminated against based on a protected characteristic.

Protected characteristics are listed in § 1 AGG: Race, ethnic origin, gender, religion or belief, disability, age, or sexual identity. No one may be discriminated against on the basis of one of these characteristics, either in the selection process or during recruitment.

How can AI lead to discrimination? Often, it is not deliberate discrimination. For example, an algorithm rejecting all women would be overt, direct discrimination under Section 3 (1) AGG, which is clearly illegal. Much more likely is hidden, indirect discrimination (Section 3 (2) AGG). Indirect discrimination occurs when an apparently neutral rule or practice actually disadvantages people with a protected characteristic. AI systems are susceptible to this because they learn from historical data and find statistical correlations. If the training data or defined selection criteria are biased, the AI adopts this bias.

Consider a practical example: an AI-supported screening tool trained on past application data. If historically more male applicants were hired without explicit reason, the AI might identify patterns indirectly linked to gender—such as certain CV phrases or hobbies. Consequently, applications from women might be ranked lower on average. The company might not even notice this, but the result would be indirect gender discrimination: a seemingly neutral criterion (similarity to previous "successful" applications) disadvantages women as a group.

Similar issues can arise with age. AI systems might rank older applicants lower because they interpret longer professional experience differently, or because certain current software skills are more common in younger applicants' CVs. Ethnic origin discrimination can occur if the algorithm unintentionally rates applications with specific first names or places of residence lower due to correlations with lower hiring rates in the training data. This constitutes indirect discrimination based on origin.

Section 7 AGG prohibits such discrimination in the employment relationship, including the application phase. The risk is not merely theoretical; cases have emerged where automated systems produced discriminatory results (known as algorithmic bias). It's important to know that if a rejected applicant presents evidence suggesting discrimination, Section 22 AGG applies—the so-called reversal of the burden of proof. The employer must then prove that no AGG violation occurred. This is extremely challenging with an opaque AI system. How can you prove in court that your algorithm lacked impermissible bias when developers often struggle to explain precisely why the algorithm rejected someone? This situation poses a significant liability risk.

If courts or the anti-discrimination office become involved, there is a risk of claims for compensation and damages under Section 15 AGG. While a rejected applicant has no right to be hired, they can demand monetary compensation. Many employers have paid thousands of euros because an applicant credibly claimed discrimination based on age, for example, even if unintentional. Furthermore, the damage to an employer's image is enormous. A press release stating "Startup XY systematically sorts out older applicants" can be devastating for a young company.

What steps can minimize the AGG risk? Firstly, design your AI-supported procedure to focus on objective, job-related criteria. Avoid considering characteristics that could serve as proxies for discrimination. For example, an AI does not need access to an applicant's date of birth or gender; such data should either not be fed into the system or be hidden during evaluation. Some companies initially disregard photos and names to reduce bias (keyword: anonymized applications). While sensible, this isn't a guarantee, as seemingly neutral data like zip codes or club memberships can still become proxies. Therefore, it's vital for AI tool developers or providers to systematically test for bias. Use test data to see if the AI rates identical profiles differently based on a single characteristic like gender or age. Such tests indicate potential indirect evaluation of protected characteristics.

Furthermore, AI results should be statistically analyzed. For example, over a few months, compare the proportion of certain groups among top candidates to their proportion in all applicants. If, from 100 applications (50 women, 50 men), the AI only suggests 2 women in the top 10, this should trigger an alert for potential unintentional bias. Such monitoring measures are part of bias monitoring, which will be discussed in the practical section.

Ultimately, the responsibility for non-discriminatory procedures always lies with the company. You cannot deflect blame by saying "the software spit it out that way." If the AI discriminates, your company is legally "discriminating." Start-ups must exercise utmost care here. Ideally, document why a candidate was rejected—e.g., "lack of XY expertise"—to prove retrospectively that reasons were unrelated to AGG characteristics. A more plausible and comprehensible decision-making process better refutes an AGG accusation. AI can be a powerful tool, but it requires correct training and use to avoid becoming a legal boomerang.

Data Protection Requirements in the Application Process

When handling applicant data, the general rules of the GDPR and supplementary German data protection law apply. First, the legal basis: In Germany, data in the employment context (including applicants) is generally governed by Section 26 (1) BDSG. This permits processing personal applicant data if it is necessary for the decision on establishing an employment relationship.

This covers many typical actions in the application process, such as reviewing a CV, noting interview results, or using a suitable IT system, provided it genuinely serves proper personnel selection. "Necessary" implies a proportionality test: Is there a milder means than this data processing? Is it appropriate for achieving the objective of finding the right person? An AI tool must not be used "excessively."

Depending on the situation, the general legal bases of the GDPR may also apply: Art. 6 para. 1 lit. b GDPR (implementation of pre-contractual measures in an application context) or lit. f (legitimate interest of the company in efficient recruitment). Ultimately, all these bases require careful consideration and proportionality. Applicant consent, conversely, is rarely suitable as a basis, except in special cases. As mentioned, it is often not truly voluntary due to the "imbalance" of power. Consent may be useful only if, for example, you ask applicants to keep their data in a talent pool. In such cases, consent must be explicit, informed, and voluntary, and revocable at any time.

Data Minimization and Privacy by Design

The data protection principles of Art. 5 GDPR also apply: purpose limitation, data minimization, storage limitation, integrity, and confidentiality. For AI, this means not collecting more information than truly necessary for selection (data minimization). Questions in the application form should be job-relevant; information on religion, ideology, health data, or family planning has no place there, unless an applicant voluntarily declares a severe disability.

Any additional data collection increases risks. Where possible, employ privacy by design and default (Art. 25 GDPR): the system should be configured for data efficiency by default. For example, you can often specify which fields the AI evaluates; it’s important to carefully weigh this and, if in doubt, allow less data processing.

Purpose Limitation and Retention Periods

Applicant data may only be used for the ongoing process and not for other purposes. You should not, for example, use unsolicited application documents to "train" your AI algorithm, unless the data is fully anonymized or separate consent is obtained. Once an application process concludes, data of rejected candidates must be deleted when no longer required.

In practice, a maximum period of around 6 months for retention is considered permissible. Many companies keep documents for this period to address potential legal claims, particularly under the AGG. At the latest after this period, data should be permanently removed or anonymized. Inform applicants of this in your data protection notice (e.g., “Your data will be kept for up to 6 months after the end of the procedure and then deleted”). To retain data longer, you will need consent for a talent pool, as mentioned previously.

Technical and Organizational Measures (TOM)

Ensure appropriate security for applicant data (Art. 32 GDPR). This means controlling access to data (only authorized HR personnel or contracted service providers), protecting data during transmission or storage (e.g., encryption), and maintaining confidentiality. If you use a cloud-based AI tool, conclude an order processing contract with the provider under Art. 28 GDPR. This contract must specify how the service provider protects data and that it processes data only according to your instructions.

With international providers, pay attention to data transfer requirements (keyword: Schrems II and standard contractual clauses if data flows to the USA). When in doubt, a European provider simplifies compliance. For more details on international transfers, see Risks when hosting personal data on US cloud servers.

Data Protection Impact Assessment (DPIA)

Finally, check whether a data protection impact assessment (DPIA) is required (Art. 35 GDPR). For AI systems used in applicant assessment, there is usually a high risk to applicants' rights due to automation and potential effects on career advancement. Therefore, a DPIA will typically be necessary. Document in advance the risks posed by the AI process (e.g., incorrect decisions, potential for discrimination, data protection violations) and the countermeasures taken (e.g., human control, pseudonymization, strict access restrictions, bias tests).

A DPIA provides peace of mind and demonstrates to authorities that you have fulfilled your obligations. It doesn't need to be a 50-page treatise; the important thing is to think through the process.

Data Subject Rights

Applicants also have data subject rights: they can request information about what data has been stored about them (Art. 15 GDPR). You must be prepared for this, meaning you need to explain how an AI system was used if necessary. Applicants may also request rectification or erasure of their data or object to processing. In practice, objecting to processing will likely mean the application cannot be considered further. It is crucial to establish processes from the outset to ensure these rights are fulfilled promptly, preventing future issues.

Special Requirements and Challenges for Startups

One might assume that these rules only apply to large corporations with vast numbers of applicants. However, start-ups and small companies must also comply with legal requirements. Young companies, in particular, are often unaware of their obligations, as their initial focus is on product or business ideas, not compliance. As a lawyer, I identify typical challenges here:

To summarize: Startups must balance innovation with scarce resources and rapid action. However, compliance in AI-supported recruiting cannot be overlooked. Often, clearing the biggest stumbling blocks with common sense and a little advice is sufficient. The effort remains manageable, and you can still recruit in a modern, legally sound way.

Selection and Implementation of Legally Compliant AI Tools – Practical Guide

  1. Provider and Tool Check

    Choose your AI system carefully. Early in the selection phase, check the provider’s reputation and compliance. Is the company based in the EU and thus automatically subject to the GDPR? If not, what safeguards does it offer (e.g., EU data center, standard contractual clauses)? Read the tool’s data protection information: does it use applicant data for its own purposes (e.g., training other AI models)? If in doubt, ask. Reputable providers should explain how their model works, what data it processes, and what measures prevent bias. Also, examine certifications; seals of approval or audits for the product can be helpful. For those drafting contracts for AI services, explore Drafting contracts for AI-based services.

  2. Bias Monitoring from the Start

    Before fully integrating the tool into your application process, conduct internal tests. Use historically anonymized application data or constructed test profiles. The goal is to uncover any bias early. Analyze the results: Are there tendencies, for example, that a certain age group consistently performs worse?

  3. Ensure Human Control

    Implement organizational measures to ensure the AI does not make final decisions. This may seem obvious, but it is crucial in practice. For instance, stipulate that every automated pre-selection is always cross-checked by a recruiter, at least on a random basis or in borderline cases. Train your HR employees to critically scrutinize AI results. It is beneficial to create an internal guideline stating: “AI is an auxiliary tool; responsibility lies with people.” Such a principle helps shape the culture around the tool. Specifically, you could require that all applicants meeting certain minimum criteria are manually screened at least once before rejection, regardless of their AI score. This maintains Art. 22 GDPR-compliant conditions.

  4. Transparency Towards Applicants

    As detailed above, inform candidates about the use of AI. Practically, you should revise your privacy policy for applicants before the tool goes live. Mention the system, describe its function briefly, and emphasize that no decision is made without human review. Consider briefly mentioning this in job advertisements or on your careers website (“We use modern tools to evaluate applications efficiently and fairly”). This builds trust. It is also important to designate an internal contact person who can answer queries. If an applicant asks, “What criteria does the AI actually use to evaluate me?”, your team should be prepared to give a comprehensible answer.

  5. Carry Out a Data Protection Impact Assessment (DPIA)

    Document a DPIA before the tool goes live, especially if required—which is usually the case for AI in recruitment. Adopt a structured approach: Describe the system's function, the data it uses, access controls, data retention periods, etc. Identify risks (e.g., unauthorized access, discrimination, misjudgments) and list countermeasures (e.g., pseudonymization of applicant data during analysis, regular checks, human review). Evaluate the residual risk. It doesn't need to be a 50-page treatise; the important thing is to think through the process. Should a supervisory authority or an investor inquire, you can demonstrate that you have carefully examined and acted upon these considerations.

  6. Set Up an Audit Trail and Documentation

    Avoid running the system as a black box. Ensure decisions remain traceable. Many AI tools offer options to view a candidate's score or the criteria leading to rejection (sometimes with explanations like “lack of key qualification XY”). Activate these functions. Save relevant logs, adhering to data protection retention periods. In the event of a dispute (e.g., an AGG procedure), you can then prove the basis for the decision. Applicants may have a right to information, so avoid derogatory comments in the system; stick to factual information. An audit trail can also include justifications from recruiters who override AI recommendations (e.g., inviting an AI-rejected applicant). This helps identify if AI criteria need adjustment because good candidates were overlooked.

  7. Contractual Protection with the Provider

    Contractually ensure that the AI service provider offers support if required, for instance, in fulfilling information requests or official audits. Clarify liability issues in advance to prevent being solely responsible in case of problems.

  8. Training and Sensitizing Your Team

    Train your HR managers in using the AI tool. They must understand how AI works, its limitations, and how to identify incorrect decisions. Raising awareness helps to critically question AI results rather than blindly trusting them.

  9. Contingency Plan for Incidents

    Even with utmost care, incidents can occur—such as technical failures, data leaks, or blatant bias. Develop a simple emergency plan: Who will be informed (data protection officer, management)? What happens if the tool fails—is there a backup process (e.g., manual application processing)? What if serious discrimination is discovered—do we stop the application immediately, inform affected applicants, correct decisions retrospectively? Addressing these questions proactively helps maintain composure in an emergency and act swiftly and correctly. A data protection breach (e.g., a leak) must be reported to authorities within 72 hours, so responsibilities should be clear.

  10. Staying Up to Date

    The world of AI and its surrounding laws is constantly evolving. What is state-of-the-art and legal today may change within a year. Stay informed! Follow the development of the planned EU AI Act, the European AI regulation. It is foreseeable that AI in recruiting will be classified as a high-risk application and will need to meet future legal requirements, such as technical documentation, risk management, and potential certification. You should also monitor national legislative initiatives, like amendments to the AGG or BDSG. Legal certainty is an ongoing process, not a static state. Regular updates prevent unpleasant surprises and enable early adoption of innovations. For more on this, consult Navigating the EU AI Act: Compliance for AI Startups and AI expertise in startups: Do small companies really need an AI officer under the EU AI Act?.

Current Developments: Case Law and Regulation

Finally, a look at current rulings, official notices, and new regulations relevant for AI in recruiting:

Conclusion

In my experience, using AI in recruiting can offer real added value for start-ups. It enables faster pre-selection, more objective decisions, and reduces pressure on the team. However, this is only true if it is done responsibly and in a legally compliant manner. The legal guardrails—from Art. 22 GDPR to information obligations and the AGG—are not arbitrary; they protect applicants from unfair treatment and their data from misuse. Especially in the sensitive context of an application, a startup should demonstrate that it takes this responsibility seriously.

My advice as a lawyer: take a proactive approach to the issue. Do not wait until the first incident or a warning letter arrives. Data protection and equal treatment should be considered from the initial planning stages of integrating AI into recruiting. While it sounds time-consuming, it can be structured effectively with the tips provided here. If necessary, seek external advice; a brief consultation can prevent costly mistakes. It's an essential part of legal preparation for the first investment round.

The ethical dimension is also crucial. A startup typically strives to be innovative and modern, but also inclusive and fair. A biased AI system does not align with this image. Conversely, a transparent, fair AI process can enhance the image of a progressive and responsible employer. Applicants are increasingly aware of how they are treated, and in the "war for talent," this can determine whether top talent applies to you or opts for a competitor.

Ultimately, investing in legal certainty pays off. You not only avoid fines or legal proceedings but also build trust among applicants, employees, and business partners. Should an authority investigate or an applicant follow up, you can confidently demonstrate: "We have this under control; we use AI, but the human remains the master of the process."

Developments will continue, with the AI Act and new rulings shaping the landscape. However, if you internalize the basic principles—transparency, fairness, data economy, and security—you will master future challenges. AI in the application process does not have to be a minefield. With the right mindset and precautions, it becomes a powerful tool that gives your startup a head start without encountering legal trouble.