AI Screening and Data Protection in Austria: What Employers Need to Know

HireSift | April 22, 2026 | 7 min read

You're using AI to screen CVs — or you're considering it. Good move. AI screening saves time and helps you find the right candidates faster. But in Austria, there are specific data protection rules you need to get right before going live. This article explains the key points in plain language.


Austria has implemented the GDPR and added its own national rules through the Data Protection Act (Datenschutzgesetz / DSG). In some areas, Austrian law goes further than the EU minimum standard. Add employment law on top — and you have a clear framework you need to work within.

For you as an employer, this means three things:

  1. You need a legal basis for every data processing activity
  2. You must inform applicants transparently about how their data is used
  3. Fully automated decisions are only allowed under specific conditions

In recruiting, you'll typically rely on Art. 6(1)(b) GDPR — processing is necessary for the performance of a pre-contractual relationship (i.e., the application process). In plain English: when someone applies for a job, you're allowed to process their data to assess the application.

However, the data minimisation principle applies. You may only process data that's genuinely necessary for the hiring decision. An AI tool that scores candidates based on their date of birth, photo, or home address is likely stepping outside legitimate boundaries — none of that is typically needed to assess job fit.

Practical tip: Configure your AI tool to analyse only job-relevant data: qualifications, work experience, specific skills. Filter out everything else.


Automated Decision-Making: What's Allowed?

Article 22 GDPR is the key provision here. It gives applicants the right not to be subject to a decision based solely on automated processing, if that decision has a significant effect on them.

What does this mean in practice?

An AI score that automatically decides who gets rejected or invited — with no human review — is problematic. An AI score that gives a recruiter a recommendation, with the recruiter making the final call, is generally fine.

The distinction seems minor but is legally significant. Your process needs to document that a human makes the final decision.

HireSift is built this way: the AI generates rankings and scores, but the recruiter decides. That aligns with GDPR requirements.


Transparency: What Applicants Need to Know

You're required to inform applicants that you use AI tools. This typically goes into your privacy notice and the application flow.

The information must include:

  • What data is being processed?
  • For what purpose is AI being used?
  • How long will data be stored?
  • What rights does the applicant have?

In Austria, there's an additional obligation: applicants can request information about the logic of an AI system if it directly affects them. You need to be able to explain how the score is calculated — at least in general terms.

Practical tip: Add a dedicated section about AI use to your applicant privacy notice. Keep it short and clear — no legal jargon.


Special Categories of Data — Stay Away

Article 9 GDPR lists categories of data that require a higher level of protection:

  • Health data
  • Racial or ethnic origin
  • Religious beliefs
  • Trade union membership
  • Political opinions

Your AI tool must not process these categories — even implicitly. That sounds obvious, but it's tricky in practice: photos in CVs can reveal ethnic characteristics, names can indicate origin. Well-configured AI systems explicitly exclude these signals from their analysis.

Practical tip: Ask your AI provider directly which data fields are used for analysis and which are explicitly excluded. Get that in writing.


Works Council and AI Rollout

If you have a works council (Betriebsrat) in Austria, you need their agreement before introducing AI tools that monitor or evaluate employees — including systems that assess candidates before potential hiring.

§ 96 of the Labour Relations Act (ArbVG) requires co-determination for AI-based monitoring and evaluation systems.

What this means for you:

  • Engage the works council early
  • Explain how the tool works and what it evaluates
  • Conclude a works agreement (Betriebsvereinbarung) before rollout

Without a works agreement, the works council can challenge the system — even retroactively.


Data Processing Agreements: Getting the Contract Right

If you're using an external AI tool (SaaS, cloud service), you're not processing applicant data yourself — you're sharing it with a data processor. This requires a Data Processing Agreement (DPA) under Art. 28 GDPR.

The DPA must cover:

  • Which data is being transferred?
  • For what purpose is it processed?
  • Where is data stored (EU? USA?)?
  • How is it deleted?

Particularly relevant: many US-based SaaS tools store data on US servers. Post Schrems II, this is problematic if adequate protection isn't guaranteed. HireSift processes and stores data in the EU — that issue doesn't arise.


Don't Forget Data Deletion

Applicant data can't be kept indefinitely. In Austria, deletion within 6–7 months after the end of the recruitment process is standard practice — long enough to cover potential anti-discrimination claims (§ 29 GlBG), which expire by then.

If an applicant actively consents, you can retain their data for a talent pool — but only for the agreed period and purpose.

Practical tip: Set up automatic deletion routines. Most HR tools support this. Manual processes get forgotten — and that can be costly.


Summary: Your Data Protection Checklist for AI Screening

✅ Legal basis for data processing established (Art. 6(1)(b) GDPR)
✅ AI does not make fully automated decisions — human makes the final call
✅ Privacy notice includes reference to AI use
✅ No processing of special categories of data (Art. 9 GDPR)
✅ Works council involved (if applicable)
✅ DPA with AI provider in place
✅ EU data storage confirmed
✅ Deletion routines for applicant data configured


Conclusion

AI-powered recruiting is legal in Austria — but only with the right legal framework in place. The good news: the requirements are manageable. You need transparency with applicants, a human in the final decision role, and a DPA with your provider.

HireSift is designed to meet these requirements: EU hosting, transparent score logic, no automated rejection. If you want to make sure your recruiting is data-protection compliant, try HireSift free — no credit card, no contract.
