I'm running a fair number of AI Act assessments at the moment, and one misunderstanding has surfaced at a couple of clients. It's an easy trap to fall into, and it usually comes from a good place: a team that already knows their privacy obligations and assumes those obligations map neatly onto the AI Act. They don't always, and recruitment is where I see this play out most often.
Here's the scenario: I was assessing an AI tool being used to process candidate resumes. The justification I got was reasonable on its face: "There's no automated decision being made on the candidate. A human still decides. So the risk isn't really that high." Sensible, right? Except it conflates two entirely separate things.
Automated Decisions
The "automated decision" argument comes from GDPR. Under Article 22, solely automated decisions that produce legal or similarly significant effects on a person carry extra requirements, including specific safeguards and, in many cases, additional grounds for the processing. So the team wasn't wrong to be thinking about it. They were just answering a GDPR question when the assessment in front of them was an AI Act question.
High-Risk Processing
The AI Act works differently. Annex III doesn't ask whether a decision is automated or human-made. It lists categories of use that are considered high-risk by definition. Point 4 covers employment, and it specifically calls out AI systems used to "analyse and filter job applications" and to "evaluate candidates". There's no automation threshold in that wording. A human making the final call doesn't remove the classification. It's a condition for meeting the human-oversight obligation, not a way to sidestep being high-risk in the first place.
Which brings me back to the resumes: the argument was that screening resumes isn't a material decision. But, look at what the tool was actually doing; It was sorting candidates into buckets: "no relevant experience" over here, "this one leans towards an architect role" over there. That's filtering. That's evaluating. You've landed squarely inside the Annex III wording, regardless of who clicks the final button. The moment your tool is helping decide who gets looked at and who doesn't, you're in scope. Even if someone still checks after the fact.
So what does that mean practically? First, it means the high-risk obligations apply: things like human oversight, transparency to candidates, logging, and working within the provider's instructions for use. Second, it opens up the question of a Fundamental Rights Impact Assessment (FRIA).
Fundamental Rights Impact Assessments
Now, a FRIA under Article 27 is not strictly mandatory for a private company doing its own recruitment. The mandatory trigger applies to public bodies, private entities providing public services, and certain credit and insurance deployers. A private employer screening its own candidates generally falls outside that list. But given this is high-risk processing, likely running at volume, my recommendation was to do a FRIA voluntarily. It's the kind of thing that looks a lot better done ahead of a complaint than scrambled together after one.
And here's the smart part. Because we're already doing a DPIA for the same system, a good chunk of the FRIA is effectively pre-written. A DPIA typically covers something in the region of 30 to 40 percent of what a FRIA needs, particularly around data flows, purpose, and risks to the individuals involved. You then extend it to cover the fundamental-rights angles a DPIA was never designed to catch, such as non-discrimination and the right to an effective remedy.
Work Smarter Not Harder
So the moral isn't "the AI Act is another burden bolted onto GDPR". It's that these regimes overlap, and if you assess them in sync rather than treating them as separate silos, you do less work, not more. Conflating them is where teams get caught out. Combining them is where they get ahead.
If you're deploying AI in recruitment (or anywhere it's touching decisions about people) and you're not sure whether you've read the classification correctly, this is exactly the kind of thing I help teams untangle. I'm always happy to come in and walk a team through where GDPR ends and the AI Act begins, or to roll up my sleeves on the assessments themselves. Reach out if it would help.