
CV Shortlisting with AI without Breaking GDPR Article 22


Founder & CEO, Pop Hasta Labs

From my perspective, Article 22 GDPR is the rule that most HR directors have heard of but few have read carefully. The headline is familiar: individuals have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The common misreading is that this bans AI in recruitment. I believe it does not: what it bans is a specific combination, and that combination is avoidable with normal workflows.

What Article 22 actually restricts

The rule applies when three conditions coincide. One, the decision is based solely on automated processing, with no meaningful human review. Two, the decision has legal or similarly significant effects for the individual. Three, none of the three exceptions applies (contract necessity, authorised by law, explicit consent).

In recruitment, shortlisting alone is rarely a decision with “legal or similarly significant” effect: you’re sifting candidates, not rejecting them from employment. The hiring decision is. If AI shortlists 80 candidates down to 12, and a human recruiter reviews those 12 and decides whom to interview, Article 22 is not triggered, because there’s meaningful human involvement between the AI and the outcome.

Where firms get into trouble is when the human review is pro forma. If the recruiter just rubber-stamps the AI’s shortlist without actually looking at the rejected CVs, regulators have argued this is effectively “solely automated.” The human review must be meaningful: informed, substantive, and with the authority to override.

How to structure the compliant workflow

Three design principles make AI shortlisting clean under Article 22. First, the AI scores and ranks; it doesn’t reject. The recruiter sees all 80 candidates with their AI scores and promotes or rejects based on their own review. Second, the AI reasoning is transparent: it explains why a score is what it is, so the recruiter can evaluate and override. Third, protected characteristics are redacted before scoring: DOB, gender, nationality, marital status and disability indicators aren’t seen by the AI, so they can’t drive the score.

In addition, document the process. Your GDPR Article 15 obligation (subject access) extends to explaining how the AI was used. Candidates who ask “why wasn’t I shortlisted” deserve a real answer: the AI’s scoring criteria, the recruiter’s review, the reasons. A governed AI platform captures this automatically.
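The three design principles and the per-candidate record can be enforced in code rather than left to policy. The sketch below is an added example, not Other Me's code or anything from the article's platform; the field names, the toy scoring rule and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
# Assumed field names for the protected characteristics the article lists.
PROTECTED = {"dob", "gender", "nationality", "marital_status", "disability"}

@dataclass
class Entry:
    candidate_id: str
    ai_score: int
    ai_reasons: list      # shown to the recruiter and kept for Article 15 answers
    decision: str = ""    # set only by a human: "promote" or "reject"
    reviewer: str = ""
    rationale: str = ""

def redact(cv):  # copy of the CV record without protected characteristics
    return {k: v for k, v in cv.items() if k not in PROTECTED}

def score(cv, required):
    """Toy scorer that refuses unredacted input and explains its score."""
    leaked = PROTECTED & set(cv)
    if leaked:
        raise ValueError(f"protected fields reached the scorer: {sorted(leaked)}")
    matched = sorted(required & set(cv["skills"]))
    years = min(cv["years_experience"], 10)
    reasons = [f"matched skill: {s}" for s in matched] + [f"experience points: {years}"]
    return 10 * len(matched) + years, reasons

def rank(cvs, required):
    """Score and order every candidate; nobody is dropped at this stage."""
    entries = [Entry(cv["id"], *score(redact(cv), required)) for cv in cvs]
    return sorted(entries, key=lambda e: e.ai_score, reverse=True)

def record_decision(entry, reviewer, decision, rationale):
    """Store the recruiter's own outcome; it may contradict the AI ranking."""
    if decision not in ("promote", "reject") or not rationale.strip():
        raise ValueError("need 'promote' or 'reject' plus a written rationale")
    entry.decision, entry.reviewer, entry.rationale = decision, reviewer, rationale

def finalise(entries):
    """Release the shortlist only once every candidate has a human decision."""
    pending = [e.candidate_id for e in entries if not e.decision]
    if pending:
        raise RuntimeError(f"no human decision recorded for: {pending}")
    return [e.candidate_id for e in entries if e.decision == "promote"]
# Constructed sample records, not real candidates.
SAMPLE_CVS = [
    {"id": "c1", "skills": ["python", "sql"], "years_experience": 4, "gender": "F"},
    {"id": "c2", "skills": ["python"], "years_experience": 12, "nationality": "IN"},
    {"id": "c3", "skills": ["excel"], "years_experience": 2, "dob": "1990-01-01"},
]
```

Because `finalise` refuses to run while any entry lacks a decision, the rejected CVs cannot be skipped, and each `Entry` holds the score, the reasons and the recruiter's rationale that a subject access answer needs.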

Protected characteristics: where bias sneaks in

Especially since 2023, tribunals have started seeing cases where AI shortlisting is alleged to have discriminated against protected groups. The pattern is usually that the AI was trained on historical hiring data, which encoded past biases, which the AI then reproduced. The fix, which good AI recruitment platforms implement, is to strip protected characteristics before the AI scores, so the score is based on competency, experience and fit, not on demographics.

From my perspective, this is actually a net reduction in bias compared to manual shortlisting, because humans are unconsciously influenced by names, addresses, photos and gaps in employment. An AI that sees competency signal only can produce more consistent shortlists than a tired recruiter at 5pm on a Friday, provided the AI is designed correctly.

Subject access and Article 17

Candidates have the right to request all data held on them (Article 15) and, in many cases, erasure (Article 17). For recruitment AI, this means your tool must support per-candidate data export and deletion. When the data is scattered across email, ATS, notes and AI prompt histories, this is practically impossible. In a governed platform, it’s one click.

Also consider retention. Most recruitment agencies retain unsuccessful candidate data for 6 to 24 months for future roles. The retention period for AI-interaction data should match, and the erasure must be real, not just status-flag updates.
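The difference between a status-flag update and real erasure can be checked mechanically. The following is an added example, not taken from the article or from any product it describes; the three table names and the schema are hypothetical, and the rows are constructed.

```python
import sqlite3

# Hypothetical stores that hold per-candidate data (fixed allow-list of tables).
TABLES = ("candidates", "ai_interactions", "recruiter_notes")

def build_demo_db():
    """In-memory database with constructed rows for two candidates."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE candidates (candidate_id TEXT, name TEXT, deleted INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE ai_interactions (candidate_id TEXT, prompt TEXT, response TEXT)")
    db.execute("CREATE TABLE recruiter_notes (candidate_id TEXT, note TEXT)")
    for cid in ("c1", "c2"):
        db.execute("INSERT INTO candidates (candidate_id, name) VALUES (?, ?)", (cid, f"Candidate {cid}"))
        db.execute("INSERT INTO ai_interactions VALUES (?, ?, ?)", (cid, "score this CV", "score 24"))
        db.execute("INSERT INTO recruiter_notes VALUES (?, ?)", (cid, "reviewed"))
    return db

def export_candidate(db, cid):
    """Subject access export: every row held on one candidate, per table."""
    return {t: db.execute(f"SELECT * FROM {t} WHERE candidate_id = ?", (cid,)).fetchall()
            for t in TABLES}

def soft_delete(db, cid):
    """Status-flag 'erasure': the row is hidden but the data is still stored."""
    db.execute("UPDATE candidates SET deleted = 1 WHERE candidate_id = ?", (cid,))

def erase_candidate(db, cid):
    """Delete the candidate's rows from every table in one transaction."""
    with db:
        for t in TABLES:
            db.execute(f"DELETE FROM {t} WHERE candidate_id = ?", (cid,))

def residual_rows(db, cid):
    """Rows still held on the candidate; must be 0 after a real erasure."""
    return sum(len(rows) for rows in export_candidate(db, cid).values())
```

Running `residual_rows` after every erasure request gives a verifiable result for the audit trail; copies in backups, email and vendor-side prompt logs sit outside this sketch and need their own deletion path.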

Other Me for recruitment

We’ve built Other Me specifically for UK HR consultancies and recruitment agencies. Protected characteristics are auto-redacted before scoring. The AI explains its reasoning so the recruiter can meaningfully review. A per-candidate audit chain means Article 15 requests take an hour, not weeks. Per-search isolation means candidates in one brief don’t surface in another.

Read the workflow on the HR and Recruitment solution page. You can start a free 7-day trial, no credit card, run one real search through it, and examine the audit chain. If your DPO wants the architecture documentation before the trial, the Security page publishes it openly.


Abhishek Sharma

Founder & CEO of Pop Hasta Labs. Building Other Me — the governed AI platform with patent-pending security architecture. Based in London.
