AI-based employee evaluation and monitoring — EU AI Act Annex III deployer obligations

What Annex III(4) covers

Annex III of the EU AI Act, point 4 (employment, workers management and access to self-employment) lists the following as high-risk AI systems:

• AI intended to be used for recruitment or selection of natural persons, in particular for advertising vacancies, screening or filtering applications, and evaluating candidates in the course of interviews or tests.
• AI intended to be used to make decisions affecting terms and conditions of work, promotion or termination of work-related contractual relationships.
• AI intended to be used to allocate tasks based on individual behaviour or personal traits or characteristics or to monitor and evaluate performance and behaviour of persons in such relationships.

In practice this covers: ATS with AI-scored CV ranking, chatbot-based competency interviews, productivity-tracking software that generates individual performance scores, workforce analytics tools that flag underperformers, and task-assignment platforms that use personal profile data.

Application date

High-risk deployer obligations under Article 26 apply from 2 August 2026. The Digital Omnibus provisional political agreement (7 May 2026 — not yet adopted or published in the Official Journal) proposes deferring stand-alone Annex III high-risk obligations for systems already on the market to 2 December 2027. Until formally adopted, 2 August 2026 is the binding date. The Article 4 AI literacy obligation is in force since 2 February 2025.

Article 26 deployer obligations for employment AI

Article 26 of Regulation (EU) 2024/1689 sets the following deployer-side obligations for any high-risk AI system:

• Art 26(1) — use within intended purpose. Deployers must use the AI system in accordance with the vendor’s instructions for use. Any use outside the documented intended purpose may trigger Article 25 provider-shift obligations.
• Art 26(2) — competent human oversight. Designate one or more natural persons with the necessary competence, training and authority to effectively oversee the AI system, including the authority to halt, override, or disregard its output. A manager who receives an AI performance score and must sign off without being able to question it does not satisfy this requirement.
• Art 26(4) — input-data quality. Where the deployer controls the input data fed to the system (e.g. selecting which employee data is uploaded to the analytics tool), it must ensure those data are relevant and sufficiently representative for the intended purpose.
• Art 26(5) — monitor and report. Deployers must monitor the operation of the AI system on the basis of the instructions for use and, where required, inform the provider or distributor of any serious incident observed.
• Art 26(6) — log retention. Keep the automatic logs generated by the high-risk AI system for at least 6 months, unless national law or GDPR requires a different retention period. These logs must be accessible and secured for potential regulatory review.
• Art 26(7) — worker notification (no exception). Where a deployer intends to put a high-risk AI system into use in the context of employment, it shall inform the workers and workers’ representatives (where such representatives exist) before putting it into use. This obligation applies regardless of the system’s risk assessment outcome and before any pilot or trial run.

Article 26(7) worker notification in detail

The notification duty under Article 26(7) is unconditional: it does not depend on whether the AI system produces legally binding outcomes, whether the system is used for a trial period, or whether affected workers have consented. The obligation is to inform before deployment. Key practical points:

• “Workers’ representatives” means trade union representatives, works councils, or employee delegates where these exist under applicable national law. Where no such bodies exist, individual workers must be informed directly.
• The notification must be sufficient to enable workers to understand what the system does, what data it processes, and what decisions or recommendations it produces. A one-sentence IT-change notice is unlikely to satisfy this standard for a performance scoring system.
• Some national employment laws impose additional consultation (not merely notification) obligations, particularly where works council legislation applies (e.g. Works Constitution Act in Germany, Wet op de ondernemingsraden in the Netherlands). Check the national law in each jurisdiction where the system is deployed.
• Retain evidence of notification: date, method, recipient group, content of notice. This will be requested by any market surveillance authority conducting an inspection.

GDPR Article 22 automated decisions in employment

GDPR Article 22 gives employees the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Termination, promotion, pay adjustments, and task allocation driven solely by AI scores trigger this right. Practically:

• A human who reviews the AI’s recommendation but lacks the information, time or authority to override it is not providing meaningful human review for Art 22 purposes.
• The employee has the right to obtain meaningful information about the logic involved, the right to express their point of view, and the right to have the decision reviewed by a human.
• In an employment context, relying on GDPR Art 22(2)(a) (necessary for a contract) is permissible where the automated decision is genuinely necessary; relying on Art 22(2)(b) (explicit consent) is problematic because employment consent is rarely freely given.

An Art 26(2) EU AI Act human overseer who has genuine authority and competence to override the AI will typically also satisfy the GDPR Art 22 human-review safeguard. Documenting the same person and procedure against both obligations is efficient.

Evidence a supervisor will request

• AI inventory entry for each employment AI system: name, vendor, version, intended purpose, Annex III classification.
• Art 26(7) notification record: date, recipient group, notification content, delivery method.
• Art 26(2) human-oversight designation: name and role of designated overseer, competence evidence, documented override procedure.
• Art 26(6) log retention confirmation: system name, log type, retention period, access controls.
• Art 26(4) input-data quality record: what data the deployer provides to the system, relevance assessment, data-quality checks performed.
• Vendor Art 13 instructions for use: on file, in the deployer’s control, version-dated.
• AI literacy training record (Art 4): coverage of staff operating the system, including HR managers receiving AI performance scores.
• GDPR ROPA entry (Art 30 GDPR): processing activity record covering the AI system as a data processing activity.

Penalties

Violations of high-risk deployer obligations under Article 26 are sanctioned under Article 99(4) with administrative fines of up to EUR 15 000 000 or 3 % of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, Article 99(6) applies the lesser of the two figures. GDPR Article 22 violations are separately sanctionable by the DPA with fines up to EUR 20 000 000 or 4 % of global annual turnover (GDPR Art 83(4)).

Related EU guides

• EU AI Act for recruitment AI
• Deployer checklist — Article 26
• Human oversight — Article 14
• EU AI Act and GDPR overlap
• AI bias audit for HR systems

Sources

• Regulation (EU) 2024/1689, Articles 4, 13, 25, 26, 72, 73, 99, Annex III(4) — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
• Regulation (EU) 2016/679 (GDPR), Articles 22, 30, 35, 83 — EUR-Lex: eur-lex.europa.eu/eli/reg/2016/679/oj
• European AI Office — High-risk AI systems guidance: digital-strategy.ec.europa.eu