EU AI Act and HR in Spain: What Every Employer Must Do Now

Alejandro Cortés

Spanish employers are using artificial intelligence in their HR operations at a scale and speed that the law has now caught up with.

CV screening tools rank thousands of candidates without human review. Performance evaluation platforms assign scores that influence promotion and dismissal decisions. Employee productivity monitoring software tracks activity in real time. Recruitment chatbots conduct initial interview screening. AI-powered scheduling systems allocate tasks based on predicted performance profiles.

None of this is prohibited. But all of it — under the EU AI Act — is either already regulated, actively monitored, or subject to comprehensive compliance obligations that Spanish employers must meet.

The employment and workforce management category is one of eight sectors explicitly listed in Annex III of the EU AI Act as high-risk. This is not an interpretation or a grey area. The regulation names it directly. Every Spanish employer using AI in hiring, performance management, or workforce decisions is operating in the regulation's highest-compliance tier.

Some of those obligations are already in force. One critical obligation — worker notification — applies regardless of when the Digital Omnibus is adopted. The prohibited AI practices that apply to the workplace have been illegal since February 2025. And Spain's national employment law layer adds requirements that apply on top of the EU framework.

This guide covers exactly what Spanish employers must do, what is already required today, and how to build an HR AI compliance programme that satisfies both AESIA and Spain's labour law framework simultaneously.

Get trained on EU AI Act obligations for HR professionals. The Compliance with the EU AI Act and Ethics in AI certification from the Spanish Compliance Institute covers every obligation in this guide — including human oversight, FRIA workshops, and Spain's specific regulatory context. Currently ~~€79.99~~ €49.99. Join 89+ professionals already certified.

Which HR AI Systems Are High-Risk Under the EU AI Act?

Annex III of the EU AI Act, Section 4, defines employment-related AI systems that carry high-risk classification. The language is precise and broad.

Category (a) — Recruitment and Selection AI:

AI systems intended to be used for:

  • Placing targeted job advertisements — algorithmic systems that determine who sees which job postings
  • Analysing and filtering job applications — CV screening software, ATS systems with AI ranking features, automated application scoring
  • Evaluating candidates — video interview analysis tools, personality or cognitive assessment AI, candidate ranking systems

Category (b) — Workforce Management AI:

AI systems intended to be used to:

  • Make decisions affecting terms of work-related relationships — AI informing contract terms, working hours, or employment conditions
  • Decisions on promotion or termination — any AI that informs or recommends advancement or dismissal
  • Allocate tasks based on individual behaviour or personal traits — workforce scheduling systems using AI-based profiling, algorithmic task distribution platforms
  • Monitor and evaluate the performance and behaviour of persons in work relationships — productivity tracking software, activity monitoring tools, AI-based performance evaluation

What this means in practice:

If your organisation uses any of the following, you are likely operating a high-risk AI system:

  • An Applicant Tracking System (ATS) with AI ranking, scoring, or filtering features
  • CV screening software that automatically ranks or filters candidates
  • Video interview analysis platforms that score tone, language, or behaviour
  • Personality or cognitive assessment tools that feed into hiring decisions
  • Performance management software that generates scores or rankings
  • Productivity monitoring software generating outputs used in evaluations
  • AI-powered task scheduling or allocation systems
  • Recruitment chatbots that influence candidate progression

The classification depends not on what the tool is called but on what it does and what decisions it informs. A tool labelled "efficiency analytics" that produces outputs used in performance reviews is a high-risk AI system for performance monitoring purposes.

What Is Already Illegal in Spanish Workplaces Today 

Before discussing compliance requirements for high-risk systems, employers must address what is already illegal. Article 5 prohibited practices have been enforceable since 2 February 2025 — over 15 months ago at the time of publication.

In the HR and workplace context, these practices are already banned:

 

Emotion Recognition Systems in the Workplace

AI systems that infer the emotional states of employees — through facial expression analysis, voice pattern analysis, physiological indicators, or any other means — during working hours are prohibited. This applies regardless of the stated purpose: productivity monitoring, wellbeing assessment, stress detection, or engagement tracking.

This catches a wide range of tools. Interview analysis platforms that score candidate "confidence" or "enthusiasm" through facial or voice analysis are prohibited. Employee wellbeing monitoring tools that infer stress levels from communication patterns are prohibited. Productivity monitoring platforms with emotion analysis features are prohibited.

The fine for deploying a prohibited AI system reaches up to €35 million or 7% of global annual turnover — the EU AI Act's maximum penalty tier. If your organisation is using any tool with these features, the priority action is immediate audit and, if confirmed prohibited, decommissioning.

Biometric Categorisation Based on Sensitive Characteristics

AI systems that categorise individuals based on race, ethnicity, sexual orientation, political beliefs, or other sensitive characteristics using biometric data are prohibited. This applies in contexts where assessment tools use image analysis in ways that could produce sensitive categorisations.

Covert Manipulation

AI systems that manipulate individuals through subliminal techniques, exploiting psychological vulnerabilities, are banned. This may apply to recruitment tools using psychological profiling techniques designed to exploit behavioural tendencies rather than assess genuine competence.

Spain-specific enforcement context: The AEPD issued 847 sanctioning resolutions in 2023 — the highest volume of any data protection authority in the EU — and has made workplace AI a priority enforcement area. In December 2024, the AEPD fined the National Professional Football League €1,000,000 for a biometric recognition system. Spanish employers should not assume prohibited practice enforcement will wait for national AI law to pass.

For the full list of prohibited AI practices with specific workplace examples, see: 8 AI Practices That Are Already Illegal in Spain Under the EU AI Act.

Article 26(7): The Worker Notification Obligation Already in Force

This is the obligation that leading employment law firms have flagged as an absolute priority for 2026 — and the one most Spanish employers have not yet addressed.

Article 26(7) of the EU AI Act states:

"Before putting into service or using a high-risk AI system at the workplace, deployers who are employers shall inform workers' representatives and the affected workers that they will be subject to the use of the high-risk AI system."

This obligation applies regardless of whether the Digital Omnibus extends the high-risk technical compliance deadlines. Employment law experts widely consider worker notification to be already applicable under existing EU employment law frameworks, and it will be unambiguously enforceable once Spain's national AI law passes.

What the notification must cover:

Worker representatives — In Spain, this means works councils (comités de empresa), legally required in companies with 50 or more employees, and trade union delegates where applicable. The notification must explain clearly which AI system is being deployed, how it works, what data it processes, what decisions it informs, and what rights employees have.

Affected workers individually — Employees subject to the AI system must be personally informed with sufficient detail to understand how it affects their employment situation.

The timing requirement: Notification must happen before putting the AI system into service. Deploying a high-risk HR AI system and informing workers afterwards does not satisfy the obligation.

Spain's additional layer: The Spanish Workers' Statute (Estatuto de los Trabajadores) grants employee legal representatives the right to be informed about the parameters, rules, and instructions of algorithms or AI systems when these affect employment conditions. This right exists independently of the EU AI Act under Royal Decree-Law 9/2021 and subsequent interpretations. Works councils can request detailed information about AI systems, and employers are legally required to provide it.

The practical implication: Spanish employers who have already deployed high-risk HR AI systems without informing works councils or affected employees should address this immediately — under both Article 26(7) and existing Spanish labour law.

 

The Full Compliance Obligations for HR AI Deployers 

For Spanish employers operating as deployers of high-risk HR AI systems, the full set of obligations under Articles 26 and 14 includes:

Use Systems Per Provider Instructions (Article 26(1))

Deployers must use high-risk AI systems strictly in accordance with the provider's instructions for use. If your CV screening platform's instructions specify it should be used for initial filtering only — not final selection decisions — using it to make final decisions without human review places responsibility on your organisation as deployer. Review the instructions for every HR AI system you deploy and document that you are using it as intended.

Assign Qualified Human Oversight (Articles 14 and 26(2))

High-risk HR AI systems must operate under effective human oversight. The oversight individual must have:

  • Sufficient understanding of the system's capabilities and limitations
  • Competence to interpret outputs correctly without over-reliance
  • Authority to override the system's recommendations
  • Ability to halt the system's operation entirely when required

An HR manager who approves whatever the screening algorithm recommends without independent assessment does not satisfy this requirement. Oversight must be genuine, documented, and exercised by a qualified individual. Our complete guide to EU AI Act compliance covers the human oversight standard in detail.

Inform Individuals Affected by AI Decisions (Article 26(11))

Deployers must inform individuals subject to high-risk AI systems. In HR contexts this means:

  • Job candidates must be informed that AI is used in their application process
  • Employees subject to AI-driven performance evaluation must know the AI's role
  • Workers subject to AI-based monitoring must know it is happening and how outputs are used

Retain Automated Logs for Six Months (Article 26(5))

Automatically generated logs from high-risk HR AI systems must be retained for a minimum of six months, sufficient to trace operation, identify anomalies, and support investigation of biased outputs.

Maintain a Risk Management System (Article 9)

An ongoing risk management system must identify, analyse, and monitor risks throughout the system's operational lifecycle. For HR AI, this means regular review of outputs for discriminatory patterns in hiring outcomes, performance score distributions, or task allocation — not only a one-time deployment assessment.

Conduct a Data Protection Impact Assessment (Article 26(9))

For HR AI systems processing personal data — which is almost all of them — deployers must conduct a DPIA under GDPR Article 35 using the provider's technical documentation. This is required by both the EU AI Act and Spain's AEPD, which demands a DPIA for any AI system processing personal data in Spain.

Employees' Rights Under the EU AI Act 

The EU AI Act creates specific rights for individuals affected by high-risk AI systems — rights that HR departments must be prepared to handle.

Right to Explanation (Article 86)

Individuals subject to high-risk AI decisions can request an explanation of the main factors behind that decision. A rejected candidate can ask why. An employee who did not receive a promotion informed by AI performance data can ask what factors were weighted.

This right is enforceable. Spain's labour law already places the burden of proof in discrimination claims on the employer to demonstrate decisions were not based on discriminatory grounds. An AI system whose output cannot be explained is a significant legal liability in this context.

Right Not to Be Subject to Solely Automated Decisions

GDPR Article 22 already prohibits decisions based solely on automated processing that produce legal or significant effects. The EU AI Act's human oversight requirements reinforce this. Spanish employers must ensure HR AI systems inform — not replace — human decision-making.

Right to Be Informed

Workers and candidates have the right to know when AI is used in decisions affecting them. This is proactive — your recruitment communications, offer letters, and employee handbooks should clearly state where and how AI is used.

Spain's National Employment Law Layer

Spanish employment law creates obligations that apply on top of — and in some cases independently of — the EU AI Act.

Workers' Statute (Estatuto de los Trabajadores)

Legal representatives of employees are entitled to be informed about the parameters, rules, and instructions of algorithms or AI systems when these affect employment conditions. This right was introduced by Royal Decree-Law 9/2021 and applies across all sectors. Works councils can demand this information, and employers must provide it.

Organic Law 3/2007 on Equality Between Women and Men

Spain requires employers to audit algorithms and AI systems to detect biases that could produce gender discrimination. This obligation exists independently of the EU AI Act and applies to all companies operating in Spain. Companies with more than 50 employees must have equality plans that address AI systems potentially producing gender-discriminatory outcomes.

Law 15/2022 on Equal Treatment and Non-Discrimination

Law 15/2022 prohibits algorithmic discrimination based on race, ethnic origin, disability, religion, age, and sexual orientation. It includes specific provisions on algorithmic bias and transparency for AI systems used in contexts that could produce discriminatory outcomes.

Works Councils and Prior Consultation

Companies with 50 or more employees must have works councils. The introduction of any new technology significantly affecting employment conditions requires prior consultation with the works council — independently of Article 26(7). For new HR AI deployments, works council consultation is a legal prerequisite across both frameworks.

Spain Prohibits Algorithmic Discrimination

Under Organic Law 3/2007 (as amended in 2022), Spain specifically prohibits algorithmic discrimination in labour contexts and requires audits to detect biases. This is an active, enforceable obligation that labour authorities (Inspección de Trabajo) coordinate with AESIA in enforcing.

The AEPD's Role: Data Protection Meets HR AI

The AEPD is not AESIA, but in the HR AI space their mandates overlap significantly. The AEPD is one of the most active data protection authorities in Europe by enforcement volume.

Key AEPD positions on HR AI:

  • The AEPD requires a DPIA for every AI system processing personal data in Spain — stricter than the GDPR's "likely high risk" threshold. For HR AI, a DPIA is always required.
  • Approximately 18% of AEPD cases involve employee monitoring — the agency applies strict standards on employer monitoring rights under Spain's Workers' Statute.
  • In July 2025, the AEPD confirmed it is already empowered to act against AI systems violating GDPR even before Spain's national AI law passes.
  • The AEPD and AESIA increasingly coordinate investigations where AI compliance and data protection obligations overlap.

An employee monitoring AI system — even one that is not prohibited — requires documented legal basis under GDPR, a DPIA, a proportionality assessment, prior notice to employees, and all Article 26 compliance obligations. Failing any layer creates exposure to both regulators simultaneously.

For a complete guide to dual GDPR and EU AI Act compliance for Spanish organisations, see: EU AI Act vs GDPR in Spain: What Your Business Must Do to Comply With Both.

You Cannot Outsource Your Compliance Liability to Your Vendor

This is one of the most persistent misunderstandings in HR AI compliance. Spanish employers frequently assume that their HR tech vendor's EU AI Act compliance covers their use of the system. It does not.

Providers (vendors) have their own obligations: technical documentation, conformity assessments, risk management systems, CE marking where required.

Deployers (employers) have separate, independent obligations: human oversight, worker notification, log retention, risk monitoring, DPIA, and individual transparency. These apply regardless of how compliant the vendor is.

Even with a fully compliant vendor, you as employer must independently satisfy:

  • Article 26(7) worker notification before deployment
  • Article 14 human oversight with qualified, trained staff
  • Article 26(11) individual transparency to candidates and employees
  • Article 26(5) six-month log retention
  • Article 26(9) DPIA under GDPR
  • Article 4 AI literacy for all HR staff using the system
  • Ongoing bias monitoring under Article 9

Your vendor contract should require provision of technical documentation, instructions for use, and Article 13 transparency information. Contractual clarity with HR tech providers is a compliance requirement.

A Practical HR AI Compliance Checklist for Spanish Employers 

Immediate Priorities (Already Required Today)

  • Audit all HR AI tools for prohibited practices: Review every HR tool for emotion recognition, covert surveillance, or biometric categorisation by sensitive traits. Any tool with these features must be audited and, if confirmed prohibited, decommissioned immediately. Prohibition has been in force since February 2025.
  • Classify all HR AI tools by risk level: For each tool, determine whether it falls under Annex III Section 4. Any system that screens candidates, ranks applications, evaluates performance, monitors behaviour, or informs employment decisions is likely high-risk.
  • Notify works councils and employee representatives: Under Article 26(7) and Spain's Workers' Statute, works councils must be informed before any high-risk HR AI system is deployed or continues in use.
  • Inform affected candidates and employees: Ensure recruitment communications, privacy notices, and employee-facing documentation state clearly when and how AI is used in employment decisions.
  • Ensure Article 4 AI literacy training for all HR staff: All HR staff using AI tools require documented, role-appropriate training. See our Article 4 literacy guide.

Near-Term Priorities (Before High-Risk Deadline)

  • Assign qualified human oversight for each high-risk HR AI system: Designate a specific individual with competence, training, and authority to interpret outputs, override recommendations, and halt the system. Document the assignment.
  • Complete DPIAs for all HR AI systems processing personal data: Required by the AEPD for every AI system processing personal data in Spain.
  • Implement six-month log retention: Ensure automated logs from high-risk HR AI systems are retained and accessible for the required minimum period.
  • Review vendor contracts: Require technical documentation, instructions for use, and Article 13 information from all HR AI vendors.
  • Establish ongoing bias monitoring: Set up a mechanism to review HR AI outputs regularly for discriminatory patterns across gender, age, ethnicity, and other protected characteristics.
  • Conduct a FRIA if required: Public sector employers and private companies providing public employment services must complete a Fundamental Rights Impact Assessment before deploying high-risk HR AI. See our complete FRIA guide.

Protect Your Organisation and Your Employees

HR AI compliance in Spain operates at the intersection of the EU AI Act, GDPR, Spain's Workers' Statute, equality law, and labour law. The consequences of non-compliance are regulatory fines — and individual harm to candidates and employees whose opportunities are affected by AI systems that were never properly governed.

The Compliance with the EU AI Act and Ethics in AI certification equips HR professionals, compliance officers, and employment lawyers with the knowledge to navigate this landscape:

  • Full EU AI Act deployer obligations — risk classification, worker notification, human oversight, documentation
  • Spain-specific regulatory context — AESIA, AEPD, Workers' Statute, equality law, works council obligations
  • FRIA workshop — step-by-step framework for public sector HR deployers
  • Annex IV templates — ready to use in vendor due diligence
  • 15 hours of on-demand expert training with formal assessment and verified digital certificate

Frequently Asked Questions

01 Does the EU AI Act apply to small Spanish companies using HR software with AI features?

Yes. The EU AI Act applies to any organisation deploying a high-risk AI system regardless of company size. SMEs benefit from proportional fines (lower of fixed maximum or turnover percentage), but the obligations themselves — notification, oversight, AI literacy, log retention — apply to all deployers without exception.

02 We use an international HR platform with AI features. Are we responsible for EU AI Act compliance?

Yes. As the deployer, you are responsible for your Article 26 obligations regardless of who built the platform. Contact your vendor to understand what EU AI Act compliance documentation they hold. You must independently satisfy worker notification, human oversight, log retention, and DPIA requirements.

03 Does Article 26(7) worker notification apply to systems already in use before the deadline?

Employment law authorities recommend treating Article 26(7) as requiring notification before continued use of any high-risk HR AI system — not only before new deployments. For systems already in use without notification, initiate the consultation process with works councils immediately.

04 What happens if our CV screening tool produces discriminatory outputs?

You must immediately notify the provider and AESIA of any serious incident and consider suspending use pending investigation. Under Spain's discrimination law, the burden of proof lies with the employer to demonstrate the selection was not discriminatory. The AEPD treats algorithmic discrimination in employment as a priority enforcement area.

05 Is emotion recognition in job interviews banned?

Yes — since February 2, 2025. Video interview analysis tools that assess candidate emotional states through facial expression, voice analysis, or similar means are prohibited under Article 5(1)(f) of the EU AI Act.

06 What is the right to explanation under Article 86?

Individuals subject to high-risk AI decisions can request an explanation of the main factors behind that decision. Rejected candidates and employees disputing AI-informed evaluations can formally request explanations. Your organisation must be able to provide a meaningful, human-intelligible account — not just "the algorithm decided." This right connects directly to Spain's employment discrimination framework.

07 What additional obligations does Spain's Workers' Statute add?

Works councils must be informed about AI system parameters when these affect employment conditions — independently of the EU AI Act. Companies with 50+ employees must conduct prior consultation before introducing technologies with significant employment consequences. Spain's equality law requires bias audits for algorithms. These are separate obligations that apply alongside the EU AI Act.

08 How should our HR team be certified to manage these obligations?

The Compliance with the EU AI Act and Ethics in AI certification from the Spanish Compliance Institute includes Spain-specific employment AI obligations, FRIA workshops, human oversight frameworks, and AESIA's regulatory approach — providing the documented competence that Articles 14 and 26 require for HR AI oversight personnel.