GDPR Article 22 for hiring: Automated decision making explained

The concern is:

hiring teams increasingly rely on AI and automation to reject, rank, and filter candidates before a recruiter ever reviews them.

Under GDPR, that creates legal risk if there is no meaningful human involvement in the final decision.

The ICO says:

“Many employers… are likely relying on solely automated decisions… without meaningful human involvement… and the decisions these systems take have legal or similarly significant effects on people.”

That places those decisions directly within Article 22.

And it means more robust risk assessments, tool scrutiny and safeguards are required than most businesses currently have in place.

The problem hiring teams think they have

Most hiring teams believe they have a volume problem.

Too many applications.
Not enough time.

So the obvious fix is automation:

• score candidates
• rank them
• filter them
• move faster

On the surface, this works.

The problem they actually have

In trying to handle scale, many teams have crossed a line they do not fully understand.

They have moved from:

using automation to support decisions

to
letting automation make decisions

That is exactly where GDPR Article 22 becomes relevant.

What GDPR Article 22 actually says about Automated Decision Making (ADM)

Article 22 gives individuals the right:

not to be subject to decisions made solely by automated processing if those decisions significantly affect them

In recruitment, that includes:

• being rejected for a job
• being filtered out before interview
• being prevented from progressing

If a system is making those decisions on its own, you are in scope.

What “solely automated decision making” really means

This is where most hiring teams get it wrong.

A process is considered solely automated if:

• no human reviews the decision before it is applied
• the system output is treated as final
• recruiters are not actively checking or challenging outcomes

Designing the model is not enough.
Setting thresholds is not enough.

A human must be involved in the actual decision, not just the setup.

What counts as “meaningful human involvement”

This is the critical point.

According to the Information Commissioner’s Office, human involvement must be active and genuine.

That means the reviewer:

• understands how the system reached its decision
• has authority to change the outcome
• actively evaluates whether the recommendation makes sense
• considers additional context beyond the score

Rubber stamping outputs is not meaningful involvement.

Why automated hiring creates risk for employers

The ICO has already audited AI recruitment providers and issued hundreds of recommendations relating to transparency, bias, and automated decision making safeguards.

Potential consequences include:

• regulatory investigation
• discrimination claims
• inability to explain hiring decisions
• reputational damage
• challenges from rejected candidates

What breaches actually look like ?

These patterns are already common.

Auto rejection after an assessment

• candidate completes an assessment
• system scores below threshold
• candidate is automatically rejected
• no human review

This is likely non-compliant under Article 22.

CV screening with no review

• CV tool ranks candidates
• a large proportion is filtered out
• recruiters only see the top tier

If rejected candidates are never reviewed, this is high risk

AI scored video interviews

• candidates submit recorded responses
• AI scores tone, language, answers
• low scoring candidates are rejected automatically

This is high risk without human validation

The real problem is not automation. It is black box decisioning.

Most hiring systems do not just automate decisions. They obscure them.

The issue is not that candidates are being scored or ranked.
It is that the logic behind those decisions is often unclear, unchallenged, or poorly defined.

For example, a candidate might be rejected because they scored “low on communication”.

But:

• what does “communication” actually mean in this role?
• how was it measured?
• how heavily was it weighted?

If those answers are unclear, the decision is not defensible.

In many hiring processes:

• criteria are loosely defined or inconsistent
• scoring models are configured quickly with limited scrutiny
• weighting decisions are implicit rather than deliberate
• recruiters cannot clearly explain how outcomes are generated

That is where risk starts to build.

Because under GDPR Article 22, you are not just responsible for the decision.
You are responsible for being able to explain and justify how that decision was made.

Where most hiring processes fall down

The failure point is not the technology.

It is the lack of structured thinking before automation is applied.

Many teams jump straight to:

• “What tool should we use?”
• “What score threshold should we set?”

Instead of asking:

• What does good actually look like in this role?
• Which attributes genuinely predict success?
• What should be weighted heavily vs lightly?
• Where do we need human judgement rather than automation?

Without that clarity, automation simply scales poor decision making.

A more defensible approach: structured hiring criteria design

Most hiring tools start with a scoring model and retrofit criteria around it.

ThirveMap’s approach does the opposite:

We define the criteria first, then build the model around it.

A compliant and defensible hiring process starts before any automation is introduced.

At ThriveMap, this happens through a structured hiring criteria alignment process. The assessment is built around the actual criteria required to succeed in the role.

It involves:

• defining the real requirements of the role in detail
• aligning stakeholders on what “good” looks like
• making weighting decisions explicit and transparent
• identifying where judgement is required vs where automation is appropriate

This creates a clear, documented model of how decisions should be made.

Not a black box.

Why this reduces Article 22 risk

This approach directly addresses the core risks in automated decision making:

Decisions are explainable

Every score, ranking, or outcome links back to defined criteria
Not hidden logic or vague assumptions

Human judgement is designed in

Automation is used where it adds value
Human review is retained where context matters

The model is transparent

Recruiters understand how decisions are generated
And can confidently challenge or override them

Outcomes can be audited

Because inputs, weightings, and decisions are explicit
You can monitor bias, accuracy, and consistency over time

The difference in practice

Most hiring systems:

• start with automation
• layer in criteria afterwards
• treat outputs as truth

A defensible system:

• starts with clearly defined criteria
• designs how decisions should be made
• then applies automation to support that model

That shift is subtle.

But it is the difference between:

? scaling decisions you understand
vs
? scaling decisions you cannot explain

Designing recruitment processes that are defensible

The safest recruitment processes are not fully manual or fully automated.

They combine automation with structured human review.

That typically means:

• automation handles scale and prioritisation
• recruiters review borderline or high impact decisions
• scoring models remain transparent and explainable
• outcomes are monitored for bias and inconsistency

At ThriveMap, this is why assessments are designed to support recruiter judgement rather than replace it.

Does GDPR ban AI hiring tools?

No. GDPR does not ban AI or automation in recruitment. The issue is whether decisions are made solely by automated processing without meaningful human involvement.

Can recruiters use ChatGPT to screen CVs?

Using tools like ChatGPT to review or rank CVs can raise two separate issues under UK GDPR:

1. Personal data handling

CVs contain personal data, including names, employment history, and sometimes sensitive information.

Uploading CVs into an external AI tool may:

transfer personal data to a third party
fall outside your organisation’s approved data processors
breach internal data handling policies
require explicit safeguards or agreements

If this is not properly controlled, it may be non-compliant regardless of how the outputs are used.

2. Automated decision making (Article 22)

There is also a risk under GDPR Article 22 if the tool is used to make decisions about candidates.

For example:

CVs are uploaded
the tool ranks or filters candidates
recruiters only review the top results
others are effectively rejected without review

? This could be considered solely automated decision making if there is no meaningful human involvement in reviewing those outcomes.

When could it be used safely?

Using AI tools in recruitment can be lower risk if:

outputs are treated as supporting information, not final decisions
a recruiter reviews all candidates, not just top ranked ones
decisions can be explained independently of the tool
personal data is handled in line with approved policies and processors

Can recruiters automatically reject candidates?

Potentially, but safeguards are required if the decision has a significant effect on the candidate. Human review and transparency are critical.

Does Article 22 apply to CV screening tools?

It can. If CV screening tools automatically filter out candidates without meaningful human review, Article 22 safeguards may apply.