GDPR and Assessment Tools: What HR Really Needs to Know
Somewhere on almost every assessment vendor’s website, you’ll find it: “GDPR-compliant.” Often with a little shield icon next to it. Reassuring, right?
Unfortunately, that label means about as much as “contains ingredients” on a food package. Technically accurate. Substantively close to nothing.
This article explains what you as an HR professional actually need to know and check – without legal jargon, but without false reassurance either.
“Delegating the GDPR question to the vendor doesn’t solve it – it just means you keep the responsibility for the outcome.”
You’re the controller. Not the vendor.
This is the point that surprises most people – and the one most underestimated.
GDPR distinguishes between the controller (who decides why and how data is processed) and the processor (who carries out the processing technically). As an employer running candidates through an assessment tool, you decide: which people are assessed, for what purpose, with which tool. That makes you the controller – with all the obligations that come with it.
The vendor only processes on your behalf. So if something goes wrong – a data breach, a missing legal basis, an unlawful data transfer – the responsibility sits with you.
An important grey area: Some vendors also use candidate data for their own purposes – for example, to build norm groups or train their models. In that case, they’re no longer a pure processor but potentially a joint controller under Art. 26 GDPR. That’s a legally different situation. Read the vendor’s privacy policy carefully – or have a lawyer do it when in doubt.
Legal basis: Consent sounds fair. But it often isn’t.
Many organizations resolve the legal basis question with a checkbox: “I agree to the processing of my data.” Intuitively that makes sense – the candidate gives their consent, everything’s clean.
The problem: in a recruitment context, consent under Art. 7 GDPR is only valid if given freely. And a candidate who knows that declining ends their application isn’t really giving free consent. Supervisory authorities tend to agree.
The more common and robust bases in hiring contexts are performance of a contract (Art. 6(1)(b) – processing is necessary for the decision about entering into a contract) or legitimate interests (Art. 6(1)(f) – with a corresponding balancing test). Which basis applies depends on the specific assessment and its role in the process. What matters is: you need to choose one and document it.
The DPA: The document nobody wants to read
A Data Processing Agreement (DPA) under Art. 28 GDPR is mandatory as soon as a vendor processes personal data on your behalf. Without a DPA, you cannot lawfully use the platform. Full stop.
Most vendors have standard agreements – often as a PDF download or buried in their terms of service. That’s formally sufficient. But a look inside is worthwhile: a valid DPA must include at minimum:
- Exact subject matter and purpose of processing
- The vendor’s obligation to process data only on your documented instructions
- Rules on sub-processors
- Deletion obligations after contract end
- Support obligations for data subject rights
If these points are missing or vaguely worded – red flag.
US servers: When data crosses the Atlantic
Many assessment platforms run on US cloud infrastructure – AWS, Azure, or Google Cloud in US data centers. That’s not a disqualifier, but it creates requirements.
Since the Schrems II ruling (2020), data transfers to the US without adequate safeguards are unlawful. Valid solutions are EU Standard Contractual Clauses (SCCs) combined with a Transfer Impact Assessment, or a vendor certified under the EU-US Data Privacy Framework (available since 2023).
Ask directly: Where are servers located? Are SCCs in place? Is the vendor DPF-certified? A serious vendor answers without hesitation.
Automated decisions: A right candidates barely know they have
Art. 22 GDPR gives individuals the right not to be subject to a decision based solely on automated processing that significantly affects them. A hiring decision clearly qualifies.
In practice: if an AI-powered tool automatically screens out a candidate – without a human reviewing the decision – that’s problematic. Candidates also have the right to an explanation: why was this decision made?
An assessment tool that generates recommendations and results for a human to then evaluate is fine. The red line is fully automated rejections without human review.
EU AI Act: The new dimension
Since 2024, the EU AI Act applies – and it has direct consequences for AI-based assessment tools.
AI systems used for hiring decisions are explicitly classified as high-risk applications in the AI Act (Annex III, point 4a). For vendors, this means: technical documentation, human oversight, transparency toward affected individuals, registration in an EU database, and – from August 2026 – a conformity assessment.
For you as HR: ask your vendor whether their tool falls under the AI Act and how they meet the high-risk requirements. A vendor who can’t or won’t answer that question is not a good partner.
Important: the AI Act doesn’t apply to all assessment tools. A simple personality questionnaire without algorithmic decision logic probably doesn’t fall under it. The line is drawn at systems that actively evaluate, rank, or filter candidates – on an AI basis.
What “GDPR-compliant” on a vendor website actually means
Back to the shield icon from the start. What does it actually mean?
Usually: that the vendor has a privacy policy, offers a DPA, and doesn’t send data completely unsecured. That’s the minimum requirement – not full compliance.

What to ask instead:
- Where is data stored, and is there a complete DPA?
- What legal basis does the vendor recommend for use in a recruitment context?
- Are there third-country transfers – and how are they safeguarded?
- How does the vendor support data subject rights (access, deletion)?
- Does the tool fall under the EU AI Act – and if so, how is compliance ensured?
The PEATS Guides document for each evaluated vendor whether a DPA is available, where data is stored, and whether bias tests exist. That doesn’t replace legal advice – but it gives you an informed basis before deploying a tool.
Note: This article provides general information on data protection aspects in the assessment context. It does not replace individual legal advice.