More and more companies are using AI in the recruitment process -- from pre-screening to video analysis. But what employment law, data protection, and works constitution boundaries apply? A compliance guide for employers.
AI in Recruiting: A Revolution with Risks
The recruitment process is undergoing fundamental change. Where HR managers once reviewed CVs individually, algorithms are increasingly taking over the pre-screening: AI-supported systems analyse application documents, evaluate video interviews, assess personality traits, and generate predictions about candidates' future performance.
The promises sound enticing -- faster processes, more objective selection, lower costs. Yet the Amazon case demonstrates what can go wrong: in 2018, the company had to discontinue its AI-powered recruiting tool after discovering that the algorithm systematically disadvantaged women. The cause lay in the training data -- ten years of predominantly male applications had shaped the algorithm.
For German employers, the deployment of AI in the recruitment process raises a multitude of legal questions. This article examines the key legal frameworks and provides practical recommendations for action.
The AGG: Anti-Discrimination Protection in Algorithmic Decisions
The General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz, AGG) protects applicants against discrimination on the grounds of race, ethnic origin, gender, religion, disability, age, or sexual identity. This protection applies without restriction even when the decision is made or prepared by an algorithm.
Indirect Discrimination Through Algorithms
Particularly insidious is the risk of indirect discrimination pursuant to Section 3(2) AGG. An algorithm may use ostensibly neutral criteria that in practice disadvantage specific groups:
- Location filters: Disadvantage applicants from certain neighbourhoods, which may correlate with ethnic origin
- CV gaps: Disproportionately affect women with parental leave periods
- Graduates of certain universities: May introduce social background as a hidden criterion
- Language analysis in video interviews: May disadvantage non-native speakers or people with disabilities
Reversal of the Burden of Proof Under Section 22 AGG
If a rejected applicant presents evidence suggesting discrimination, the burden of proof shifts. The employer must then demonstrate that no discrimination occurred. With algorithmic systems, this proof is particularly difficult when the employer itself does not fully understand how the algorithm works -- a common problem with complex machine learning models.
Section 26 BDSG: Employee Data Protection in Recruitment
Section 26 of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) governs the processing of personal data in the employment context. Although the ECJ expressed doubts in its judgment of 30 March 2023 (C-34/21) about the compatibility of national employee data protection provisions with the GDPR, Section 26 BDSG remains the central German provision until new legislation is enacted.
Requirements for Data Processing in Recruitment
The processing of applicants' personal data is permissible where it is necessary for the decision on establishing an employment relationship. When deploying AI systems, particular requirements arise:
- Data minimisation: Only data genuinely relevant to filling the position may be processed
- Purpose limitation: Collected data may not be used for other purposes
- Transparency: Applicants must be informed about the type and scope of data processing
- Deletion: Data of rejected applicants must generally be deleted within six months
The Prohibition on Automated Individual Decisions
Art. 22 GDPR generally prohibits decisions based solely on automated processing that produce legal effects for the data subject. A fully automated rejection in the recruitment process without any human involvement is therefore impermissible.
In practice, this means: AI systems may pre-filter applications and issue recommendations, but the final decision must be made by a human being who critically reviews and independently assesses the algorithmic recommendation.
Section 87(1) No. 6 BetrVG: Works Council Co-Determination
Perhaps the most practically significant hurdle in deploying AI in recruiting is the works council's co-determination right under Section 87(1) No. 6 of the Works Constitution Act (Betriebsverfassungsgesetz, BetrVG). According to this provision, the works council has a co-determination right regarding the introduction and use of technical devices designed to monitor the behaviour or performance of employees.
AI Recruiting Tools as Technical Monitoring Devices
The case law of the Federal Labour Court (Bundesarbeitsgericht) interprets the concept of technical monitoring devices broadly: it suffices that the technical device is capable of monitoring -- a corresponding intent on the employer's part is not required.
AI-powered applicant management systems regularly qualify as technical monitoring devices within the meaning of Section 87(1) No. 6 BetrVG because they:
- Systematically capture and evaluate behavioural and performance data of applicants
- Generate assessments and rankings that allow inferences about behaviour and capability
- Analyse personality traits (in the case of video interviews)
Legal Consequences of Failing to Involve the Works Council
If an employer introduces an AI recruiting system without involving the works council, the measure is unlawful. The works council can demand that the employer cease using it and, if necessary, enforce this through expedited court proceedings. Data already obtained may not be used.
The EU AI Act: A New Regulatory Layer from 2026
The EU AI Act classifies AI systems in the area of employment and HR management as high-risk AI systems (Annex III, No. 4). This expressly covers systems intended for use in:
- The recruitment or selection of natural persons, particularly for targeted job advertisements, the analysis and filtering of applications, and the evaluation of candidates
- Decisions on promotions and terminations
- The assignment of tasks based on individual behaviour or personal characteristics
- The monitoring and evaluation of performance and behaviour in the employment relationship
Obligations for Employers from August 2026
The core provisions for high-risk AI systems will become enforceable on 2 August 2026. Employers deploying AI systems in recruiting must then:
- Ensure human oversight: Appropriate human supervision over the operation of the AI system
- Fulfil transparency obligations: Inform applicants about the use of AI systems and explain how the system functions
- Ensure data quality: Ensure that training data is relevant, representative, and free from bias
- Conduct risk management: Continuously monitor the AI system and identify risks
- Maintain documentation: Comprehensive documentation of system operation
Violations may result in fines of up to EUR 35 million or 7 per cent of global annual turnover.
The Amazon Case: Lessons for Practice
The Amazon case of 2018 is more than an anecdote -- it illustrates a structural problem of algorithmic hiring:
What Happened?
From 2014, Amazon developed an AI system for automated evaluation of job applications. The system was trained on ten years of historical application data. Since the tech industry is male-dominated, the vast majority of applications came from men. The algorithm consequently "learned" to prefer male applicants and:
- Downgraded CVs containing the word "women's" (e.g. "women's chess club")
- Disadvantaged graduates of certain women's colleges
- Reproduced the existing gender distribution instead of correcting it
Why the Case Is Also Relevant for German Companies
Although Amazon discontinued the system, the case illustrates universal risks:
- Historical bias is perpetuated algorithmically: When training data reflects past discrimination, the algorithm perpetuates it
- Proxy discrimination: Seemingly neutral characteristics (university, place of residence, hobbies) can serve as proxies for protected characteristics
- Opacity: Employers often do not understand which criteria the algorithm actually applies
Compliance Checklist for Employers
For companies that use or intend to use AI in the recruitment process, the following checklist is recommended:
Before Implementation
- Conduct a Data Protection Impact Assessment under Art. 35 GDPR
- Involve the works council and conclude a works agreement on the use of the system
- Assess discrimination risks: Bias audit of training data and algorithm
- Clarify information obligations: Prepare transparent information for applicants about the use of AI
- Document the legal basis: Justify the necessity of data processing under Section 26 BDSG
During Ongoing Operation
- Ensure human final decision-making: No fully automated rejections
- Conduct regular bias audits: Review results for discrimination patterns at least annually
- Enable applicant feedback: Provide information on the involvement of AI systems upon request
- Train HR staff: HR managers must understand the limitations and risks of the system
- Maintain documentation: Record decision processes and system adjustments comprehensively
From August 2026 (EU AI Act)
- Arrange conformity assessment for the AI system deployed, or have the provider demonstrate it
- Implement a risk management system
- Fulfil the AI Act's additional transparency obligations
- Check the registration requirement for high-risk AI systems
Conclusion: Technology in the Service of Fair Hiring
AI can make the recruitment process more efficient and -- with careful implementation -- even fairer than purely human decisions. The prerequisite, however, is that companies take the legal framework seriously and do not deploy AI systems as a "black box" whose workings no one understands.
The combination of the AGG, BDSG, GDPR, BetrVG, and the forthcoming EU AI Act creates a dense regulatory framework that obliges employers to use AI responsibly in human resources. Those who implement these requirements early protect not only applicants from discrimination but also their own company from significant legal and reputational risks.
At compleneo, we support you with the legally compliant implementation of AI systems in human resources -- from the data protection impact assessment to the works agreement to preparation for the EU AI Act. Get in touch with us.
