Local AI for HR: GDPR Article 22 and Candidate Screening

hr gdpr local-ai

AI in Recruiting: A Privacy-Law Balancing Act

HR is one of the most sensitive areas for AI deployment. CVs and cover letters contain a dense layer of personal data, and often touch special-category data under GDPR Article 9: health indicators, ethnic origin, religious affiliation, political opinions inferred from past roles or organisations. At the same time, recruiting teams face growing pressure to process larger applicant volumes faster.

Local LLMs offer a practical path forward: AI-assisted screening without personal data leaving your own infrastructure. But the step requires more than spinning up Ollama; it demands a clear understanding of what GDPR actually permits.

This guide summarises, based on our reading of the regulation, what is allowed, what is risky and what is prohibited.

GDPR Article 22: What It Actually Says

Article 22 GDPR prohibits solely automated decisions that produce legal effects or similarly significantly affect the data subject, unless one of the exceptions in Article 22(2) applies.

In a recruiting context, this means: if an algorithm definitively rejects a candidate without any human review, that is likely a violation, unless:

  • the decision is necessary for entering into a contract and appropriate safeguards are in place,
  • a member state law explicitly authorises it, or
  • the data subject has explicitly consented.

Even where an exception applies, the organisation must ensure data subjects have the right to human review, to express their point of view, and to contest the decision (Article 22(3) GDPR).

The practical takeaway: AI as a triage assistant, yes. AI as the sole decision-maker on who advances, no.

It is also worth tracking the EU AI Act: fully automated candidate screening systems fall, based on our reading, under the high-risk category (Annex III, no. 4). The corresponding deployer obligations were delayed by the May 2026 Digital Omnibus to 2027–2028, but they should be incorporated into system design from the outset.

Special Category Data: Article 9 GDPR

When a local LLM evaluates a CV and draws conclusions, explicitly or implicitly, from nationality, origin-suggesting names, mentioned illnesses or religious memberships, Article 9 GDPR applies. Processing special-category data requires in most cases explicit consent or another narrow legal basis.

The safest approach: structural pre-processing before LLM input. Photos, dates of birth and any Article 9-sensitive fields are stripped by a parsing pipeline before the model ever sees the text.

Why Local LLMs Are the GDPR-Compliant Choice

Sending CVs to a cloud API, whether OpenAI, Anthropic or any other provider, transmits personal data to a third party. That creates:

  1. A data processing agreement (DPA) requirement under GDPR Article 28
  2. Third-country transfer scrutiny under GDPR Chapter V, especially if servers sit outside the EEA
  3. Risk that data is used for model training unless contractually prohibited

With a local LLM on your own server or an Apple Mac Studio M3 Ultra, all of this disappears. Data never leaves your network. No third-country transfer, no Article 28 DPA with a model vendor needed. GDPR accountability stays entirely with your organisation: structurally simpler and legally more robust.

Practitioners on X have noted that compliance costs for GDPR and the AI Act are a "fixed cost that only giants can absorb". Local AI stacks can invert that dynamic for SMBs: the same functionality, lower compliance overhead.

Practical Guide: GDPR-Compliant Candidate Analysis With a Local LLM

Step 1: Ensure Human Final Decision

Every AI output remains a decision aid, not a decision. Your workflow must document that a human reviewed the AI recommendation and made an independent judgement. Without this audit trail, Article 22(1) GDPR is triggered.

Step 2: Data Minimisation Before LLM Input

Build a pre-processing pipeline that:

  • Extracts and discards photos
  • Filters dates of birth, nationality, religious affiliation
  • Optionally pseudonymises names (for blind screening)
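The pre-processing pipeline described in Step 2, as an added example that is not code from the article or from any product it mentions. It assumes the CV has already been converted to plain text by an extractor that emits "Label: value" lines for the header block (photos never survive text extraction, so they are discarded at that earlier stage); the label lists, date patterns and the sample CV are constructed for this illustration. Names are replaced with a keyed pseudonym so the same candidate gets the same alias within one campaign, while the model and anyone without the key cannot recover the name.

```python
"""Data-minimisation pass over extracted CV text before it reaches a local LLM.

Added example, not from the article. Assumes plain text with "Label: value"
header lines; label lists, date patterns and the sample CV are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed sample input: a fictional candidate, not real data.
SAMPLE_CV = """\
Name: Maria Fernández
Date of birth: 12/03/1988
Nationality: Spanish
Religion: Catholic
Email: maria.fernandez@example.org
Phone: +34 600 000 000
Summary: Backend engineer (born 12.03.1988) with nine years of experience.

Experience:
2019-2024 Backend Engineer, Example Logistics S.L. (Python, PostgreSQL, Kubernetes)
2015-2019 Software Developer, Example Retail (Java, Spring)

Skills: Python, SQL, Docker, Kubernetes, CI/CD
"""

# Labelled header lines that must never reach the model: age-revealing and
# Article 9 fields. Extend for the CV formats you actually receive.
SENSITIVE_LABELS = (
    "date of birth", "dob", "birth date", "age", "place of birth",
    "nationality", "citizenship", "religion", "religious affiliation",
    "marital status", "health", "disability", "photo",
)
# Contact details are not needed for screening, so they are dropped too.
CONTACT_LABELS = ("email", "phone", "telephone", "mobile", "address")

# Free-text date patterns that typically encode a birth date
# (dd/mm/yyyy, dd.mm.yyyy, yyyy-mm-dd). Year ranges such as 2019-2024 are
# deliberately not matched: employment periods are legitimate input.
DOB_PATTERNS = (
    re.compile(r"\b\d{1,2}[./-]\d{1,2}[./-](?:19|20)\d{2}\b"),
    re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class MinimisedCV:
    text: str                                         # what the LLM may see
    pseudonym: str                                    # alias the HR system maps back
    dropped: list[str] = field(default_factory=list)  # audit trail of removed labels


def pseudonym_for(name: str, key: bytes) -> str:
    """Keyed hash of the normalised name: stable within one campaign (same key),
    but not reversible by the model or anyone without the key."""
    digest = hmac.new(key, name.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "Candidate-" + digest[:8]


def minimise_cv(raw: str, key: bytes, blind: bool = True) -> MinimisedCV:
    """Strip sensitive labelled fields, scrub free-text dates and e-mails, and
    (optionally) replace the candidate's name with a pseudonym."""
    name = None
    kept: list[str] = []
    dropped: list[str] = []
    for line in raw.splitlines():
        label, sep, value = line.partition(":")
        label_l = label.strip().lower()
        if sep and label_l == "name":
            name = value.strip()
            continue  # re-added below, as pseudonym or verbatim
        if sep and label_l in SENSITIVE_LABELS + CONTACT_LABELS:
            dropped.append(label.strip())
            continue
        for pat in DOB_PATTERNS:
            line = pat.sub("[date removed]", line)
        kept.append(EMAIL_RE.sub("[email removed]", line))
    text = "\n".join(kept)
    alias = pseudonym_for(name, key) if name else "Candidate-unknown"
    if name and blind:
        # Remove the name wherever else it appears (signatures, headers).
        for token in name.split():
            text = re.sub(rf"\b{re.escape(token)}\b", alias, text, flags=re.IGNORECASE)
        text = f"Applicant: {alias}\n{text}"
    elif name:
        text = f"Name: {name}\n{text}"
    return MinimisedCV(text=text, pseudonym=alias, dropped=dropped)


if __name__ == "__main__":
    result = minimise_cv(SAMPLE_CV, key=b"constructed-campaign-key")
    print(result.text)
    print("dropped:", result.dropped)
```

The `dropped` list is worth persisting alongside the screening record: it documents, per candidate, which fields were withheld from the model, which is exactly the evidence a DPIA reviewer or supervisory authority will ask for. Keep the HMAC key in the HR system, never in the prompt or the model host.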

Step 3: Model Selection for HR Tasks

For CV analysis on local hardware, the following models have performed well according to community reports:

  • Qwen2.5 7B via Ollama: reliable structured JSON output, 20–40 tok/s reported on Apple Silicon
  • Llama 3.2 3B: very fast for simple classification, runs on Mac Mini with 8 GB RAM
  • Phi-4 Mini (3.8B): strong reasoning quality and solid structured output for structured application formats

Step 4: Bias-Free Prompt Design

Your system prompt must explicitly prohibit the model from drawing conclusions about protected characteristics:

Evaluate only professional qualifications, work experience, and described 
skills. Draw no conclusions about age, gender, ethnicity, religion, or any 
other protected characteristic.
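The prompt above, wired into a request against a local Ollama model, with the reply validated against a fixed schema and the human sign-off from Step 1 recorded. This is an added example, not code from the article or from Ollama. It assumes Ollama's /api/chat endpoint (POST, JSON body with model, messages, format and stream fields) on localhost:11434 and a locally pulled model tagged "qwen2.5:7b"; the network call is isolated in send_request so everything else runs offline. The output schema, the protected-term list and the sample reply are constructed.

```python
"""Screening request for a local Ollama model, schema enforcement on its
reply, and the human-decision record that Step 1 requires.

Added example, not from the article or from Ollama. Assumes /api/chat on
localhost:11434; schema, term list and sample data are constructed.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone

# The article's prompt, extended with an explicit output schema so the reply
# can be checked mechanically instead of being trusted.
SYSTEM_PROMPT = (
    "Evaluate only professional qualifications, work experience, and described "
    "skills. Draw no conclusions about age, gender, ethnicity, religion, or any "
    "other protected characteristic. Reply with a JSON object containing exactly "
    "these keys: matched_skills (list of strings), missing_skills (list of "
    "strings), years_relevant_experience (integer), summary (string)."
)
ALLOWED_KEYS = {"matched_skills", "missing_skills", "years_relevant_experience", "summary"}

# Any of these words in the summary means the model strayed into protected
# territory; the reply is rejected rather than shown to the reviewer.
PROTECTED_RE = re.compile(
    r"\b(age|gender|female|male|woman|man|ethnic\w*|religio\w*|nationality|"
    r"pregnan\w*|disab\w*|married)\b",
    re.IGNORECASE,
)


def build_request(model: str, job_profile: str, cv_text: str) -> dict:
    """Ollama /api/chat body. cv_text should already be minimised (Step 2)."""
    return {
        "model": model,
        "messages": [
            {"role": "system", "content": SYSTEM_PROMPT},
            {"role": "user",
             "content": f"Job profile:\n{job_profile}\n\nCandidate profile:\n{cv_text}"},
        ],
        "format": "json",               # Ollama constrains the reply to valid JSON
        "stream": False,
        "options": {"temperature": 0},  # reproducible output for the audit trail
    }


def send_request(payload: dict, url: str = "http://localhost:11434/api/chat") -> str:
    """The only network call; returns the assistant message text."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)["message"]["content"]


def validate_screening(raw_json: str) -> dict:
    """Parse the model reply and enforce the schema; ValueError on anything else."""
    data = json.loads(raw_json)
    if not isinstance(data, dict):
        raise ValueError("model reply is not a JSON object")
    extra, missing = set(data) - ALLOWED_KEYS, ALLOWED_KEYS - set(data)
    if extra or missing:  # catches a model volunteering e.g. "estimated_age"
        raise ValueError(f"schema mismatch: extra={sorted(extra)} missing={sorted(missing)}")
    for key in ("matched_skills", "missing_skills"):
        if not (isinstance(data[key], list) and all(isinstance(s, str) for s in data[key])):
            raise ValueError(f"{key} must be a list of strings")
    years = data["years_relevant_experience"]
    if not isinstance(years, int) or isinstance(years, bool):
        raise ValueError("years_relevant_experience must be an integer")
    if not isinstance(data["summary"], str):
        raise ValueError("summary must be a string")
    hit = PROTECTED_RE.search(data["summary"])
    if hit:
        raise ValueError(f"summary references a protected characteristic: {hit.group(0)!r}")
    return data


def screening_is_acceptable(raw_json: str) -> bool:
    """Convenience wrapper: True if the reply passes validate_screening."""
    try:
        validate_screening(raw_json)
        return True
    except ValueError:  # JSONDecodeError is a ValueError subclass
        return False


def record_human_decision(alias: str, ai_result: dict, reviewer: str,
                          decision: str, rationale: str) -> dict:
    """Step 1 audit record: a named person made the final call with their own
    reasoning, with the AI recommendation stored only as input to that call."""
    if decision not in ("advance", "reject", "hold"):
        raise ValueError("decision must be advance, reject or hold")
    if len(rationale.strip()) < 20:
        raise ValueError("a substantive human rationale is required")
    return {
        "candidate": alias,
        "ai_recommendation": ai_result,
        "reviewer": reviewer,
        "decision": decision,
        "rationale": rationale.strip(),
        "reviewed_at": datetime.now(timezone.utc).isoformat(),
        "decision_basis": "human review",
    }
```

The reviewer only ever sees output that passed validate_screening, so a reply that adds an unexpected field or comments on a protected characteristic is logged as a prompt or model defect rather than influencing anyone. A rejected reply should trigger a review of the prompt and model version, not a retry until something passes.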

Step 5: Employee Representation Bodies

In organisations with works councils or staff representative bodies (Betriebsrat in Germany, comités de empresa in Spain, and equivalents in other member states), AI screening tools that assess or monitor employees typically require consultation or formal agreement before deployment under national implementing laws. Check the applicable national rules before going live.

Step 6: Data Protection Impact Assessment (DPIA, Article 35 GDPR)

AI-assisted candidate screening with scoring functionality likely requires a DPIA based on our reading of Article 35 GDPR. Most EU supervisory authorities have published positive lists of processing operations requiring a DPIA, and automated profiling in employment contexts appears on most of them. Document the DPIA before deploying the system.

What Is Allowed and What Is Not

Use case                                       | Status                            | Note
Extract skills from CV                         | ✅ Allowed                         | Structuring, not profiling
Candidate ranking as decision aid              | ⚠️ Allowed with human in the loop  | Step 1 must be documented
Automatic rejection without human review       | ❌ Prohibited                      | Likely violates Article 22(1) GDPR
Generate interview questions from job profile  | ✅ Allowed                         | No personal data needed
Create job profiles and requirements           | ✅ Allowed                         | No personal data
Process special-category data (Art. 9)         | ❌ Prohibited                      | Not lawful without explicit consent

Funding Across the EU

Several EU member states offer SMB digitalisation grants that cover compliant local AI implementations:

  • Germany: BAFA advisory grants and KfW digitalisation loans can support privacy-first AI tooling; funded solutions must be GDPR-compliant, which structurally favours on-premise stacks over cloud.
  • Spain: Kit Digital ("AI and Analytics" category) is compatible with local AI deployments for companies with 3–50 employees (details on our Kit Digital page).
  • EU-wide: Digital Europe Programme funds SMB digital readiness projects, including AI adoption, with a focus on trustworthy and compliant systems.

More on the technical foundation at our local AI overview, data sovereignty page and kAIra toolkit.

Next Steps

AI in HR is legally viable, given clear process design, data minimisation and human accountability. Local LLMs remove the most acute privacy risks: personal data never leaves your network. The cloud dependency disappears entirely.

If you want to explore what a GDPR-compliant HR AI setup looks like for your organisation, get in touch: we support the full path from DPIA to infrastructure to go-live.