Skip to content
Insights
8 min read

Anatomy of an ATS: why your recruitment system already binds you (even though the AI Act has been postponed)

Your company almost certainly operates an ATS that filters and scores candidates. The postponement of the AI Act's high-risk obligations to 2027 does not exempt you: Spanish employment and data-protection law already binds you today. Anatomy of a high-risk system that almost no one has classified.

  • Topics:
  • EU AI Act
  • Annex III
  • Employment
  • HR
  • Compliance

The postponement of the EU AI Act's high-risk obligations to December 2027 has produced, in many boards, a sense of relief. That is a mistake. If your company uses an ATS —an Applicant Tracking System, the software that receives, filters and ranks candidates—, you operate a system the European legislator classifies as high risk (Annex III, category 4: employment). And the uncomfortable part: much of what it obliges does not depend on the AI Act's calendar. It binds you today.

What an ATS is, and why you almost certainly run one

An ATS receives, screens, scores and manages applications. Almost every mid-sized company uses one —from a vendor—, and many embed algorithmic CV ranking, matching, video-interview analysis or screening chatbots. The question is not whether there is AI in your recruitment process, but who has classified it.

Why it is Annex III (category 4: employment)

Annex III(4) of Regulation (EU) 2024/1689 places in the high-risk tier AI systems intended for: (a) recruitment and selection —targeting job ads, filtering applications, evaluating candidates—; and (b) decisions on working conditions, promotion, termination, task allocation or performance evaluation. An ATS that ranks or scores CVs falls squarely under (a).

And the Art. 6(3) exception —the "narrow procedural task" that would take a system out of the high-risk tier— is to be read strictly and expressly excludes profiling: an ATS that profiles candidates is not saved by it.

What does not wait for the AI Act (and already binds you)

Even if the AI Act's high-risk obligations arrive in 2027, three obligations apply today, regardless of that calendar:

  1. Spanish Workers' Statute, art. 64.4.d (the "Ley Rider", 2021). The works council has the right to be informed of the parameters, rules and instructions on which the algorithms or AI systems are based that affect decisions on access to and retention of employment, working conditions and profiling. If you have worker representation and an algorithmic ATS, this transparency is already enforceable —since 2021—.
  2. GDPR and art. 22 of the LOPDGDD — automated decisions. If an application is rejected by a decision based solely on automated processing, with a significant effect, the candidate has the right to human intervention, to express their view and to contest it. Screening that rejects without human review falls squarely here.
  3. AI Act, Art. 5 — prohibited practices (in force since February 2025, NOT postponed). Emotion recognition in the workplace is prohibited. If your process analyses emotions in video interviews, that has not been postponed: it is already prohibited.

Plainly: the postponement moves the administrative high-risk regime (CE marking, conformity assessment, registration) to 2027; it does not touch algorithmic transparency in employment, data protection, or the prohibitions.

What will arrive with the AI Act (2027, provisional)

When the high-risk regime applies, your ATS will require: effective human oversight (Art. 14); compliance with the deployer's obligations (Art. 26) —using it per instructions, monitoring its operation and, a key point, informing worker representatives and affected workers before putting it into use (Art. 26.7), which overlaps with Workers' Statute 64.4.d—; and operating within a system whose conformity assessment and registration have been carried out by the provider. Sixteen extra months are to govern it well, not to ignore it.

The three traps

"It's the vendor's, not ours." Art. 26 is clear: deployer status does not transfer to the provider. If you operate the ATS under your authority, you assume the obligations —both under the AI Act and under Workers' Statute 64.4.d—.

"It only ranks, it doesn't decide." The GDPR art. 22 line is not "is there a human at the end?", but whether the human intervention is real or a rubber stamp. A recruiter who validates a list already ranked by the algorithm, with no effective capacity to review it, does not save the decision.

"It's not AI, it's keyword filtering." The Art. 3 definition is broad. A ranking trained on the hiring history —learning to replicate past patterns, biases included— is exactly the risk the rule targets. The internal label does not change the regulatory classification.

The questions the board must be able to answer

  1. Which recruitment system(s) with an algorithmic component do we operate, and from which vendor?
  2. Have we informed worker representatives of the algorithm's parameters (Workers' Statute 64.4.d)?
  3. Is there effective human intervention in rejections (GDPR art. 22)?
  4. Do we use emotion analysis at any point in the process? (If so: review it now — Art. 5.)
  5. Is it documented who the deployer is and their reporting line?

The decision to take now

The AI Act postponement is no excuse to look away: the ATS is the textbook case of a high-risk system that almost no one has classified, and whose most enforceable obligations —the Spanish ones— are already in force. Taking the inventory and informing worker representatives does not require waiting until 2027; it requires a board conversation this quarter.

To take it to the board: the Annex III checklist (PDF) — free to use, no sign-up. And to understand why the deadline moved but the duty did not: the evolution of the AI Act's timeline.

Sources: Regulation (EU) 2024/1689 (Annex III.4; arts. 3, 5, 6, 14, 26); Spanish Workers' Statute, art. 64.4.d (Law 12/2021); GDPR (Regulation (EU) 2016/679) and art. 22 of the LOPDGDD. Last updated: 17 June 2026.