The Expanding Regulatory Landscape
European recruitment technology operates under a growing web of data privacy regulations. Beyond GDPR, the EU AI Act (Regulation 2024/1689) now classifies AI systems used in employment decisions as “high-risk,” imposing new transparency, documentation, and human oversight requirements. Understanding these overlapping frameworks is critical for any organisation using video interview platforms.
GDPR: The Foundation
The General Data Protection Regulation remains the cornerstone. Key provisions for recruitment technology include:
- Article 22: Candidates have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. This directly impacts AI-scored interviews.
- Articles 13 to 14: Transparency requirements mandate clear information about how candidate data is processed.
- Article 35: Data Protection Impact Assessments are required for high-risk processing, which often includes large-scale video interview programmes.
Enforcement is real: €355 million in employment-related GDPR fines have been issued across 162 cases (CMS Enforcement Tracker, 2025), and the maximum penalty is €20 million or 4% of global turnover.
The EU AI Act: New Rules for Recruitment AI
The AI Act entered into force in August 2024, with a phased compliance timeline. AI systems used for “recruitment and selection of natural persons” are classified as high-risk under Annex III. This means:
- Mandatory risk management systems and technical documentation
- Data governance requirements for training datasets
- Transparency: candidates must be informed they are interacting with an AI system
- Human oversight: meaningful human review of AI-assisted hiring decisions
- Registration in the EU AI database before deployment
Full compliance for high-risk systems is required by August 2026.
ePrivacy and Cookie Regulations
The ePrivacy Directive (and the forthcoming ePrivacy Regulation) governs electronic communications. For recruitment platforms, this affects:
- Cookie consent for candidate-facing interview portals
- Tracking technologies used to monitor candidate engagement
- Email and messaging communications with candidates
Cross-Border Data Transfers
Following the Schrems II decision and the EU-US Data Privacy Framework, organisations must carefully manage international data transfers. Using a video interview platform that stores data outside the EEA requires either an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs).
Practical Compliance Checklist
- Map all personal data flows in your recruitment technology stack
- Conduct a DPIA for video interview processing
- Update privacy notices to cover AI Act transparency requirements
- Ensure meaningful human oversight of AI-assisted decisions
- Verify your platform stores data within the EU/EEA
- Implement automated retention and deletion policies
- Review vendor DPAs and sub-processor lists annually
Why StormInterview Is Built for European Compliance
StormInterview is EU-based and EU-hosted. AI features include full transparency disclosures, human-in-the-loop review, and audit trails designed for both GDPR and AI Act compliance. Data never leaves the EU. At €79/month, compliance is built into every plan.