← UPPER Resources · Ask UPPER

Is AI Sourcing GDPR-Compliant?

By Alex Mercer, Chief Technology Officer · 2026-05-20 · 7 min read

AI sourcing can be GDPR-compliant under the legitimate interests basis (Article 6(1)(f)), provided the system collects only necessary data, informs candidates of processing, applies human review before any material decision, and honors deletion requests. A privacy-by-design system that does all four is compliant. One that runs fully automated decisions at scale without disclosure is not.

This question matters more than most people in recruiting realize — and the honest answer is: it depends entirely on how the system is built and operated. AI sourcing is not inherently GDPR-compliant or non-compliant. The regulation applies based on how personal data is collected, processed, stored, and used, regardless of whether AI is involved. Where AI sourcing creates specific GDPR risk is in three areas: automated decision-making at scale, data retention, and the absence of meaningful human review.

The Legal Basis: Legitimate Interests

Under GDPR Article 6, any processing of personal data requires a lawful basis. For recruiting outreach, the most commonly applied basis is legitimate interests (Article 6(1)(f)): a recruiter or employer has a legitimate interest in identifying qualified candidates for open roles. This basis holds when the candidate's data is publicly available (published LinkedIn profiles, public professional pages), the outreach is directly relevant to their professional background, and the processing does not override the candidate's rights and freedoms.

This is why targeted sourcing outreach to professionals based on their public professional profiles is generally considered compliant under legitimate interests — the interest is real, proportionate, and the candidate has implicitly signaled professional availability by maintaining a public profile. However, legitimate interests is not a blanket pass. It requires a documented Legitimate Interests Assessment (LIA) and breaks down if processing becomes excessive, opaque, or disregards candidate opt-outs.

The Four GDPR Requirements That Actually Bite in AI Sourcing

1. Transparency: GDPR Article 13/14 requires that candidates be informed that their data is being processed, what it is being used for, and who is doing it. An AI sourcing system that silently profiles candidates without any disclosure in the outreach message is non-compliant. The fix is straightforward: initial outreach messages must include a brief privacy notice or link to a privacy policy that covers the sourcing activity.

2. Data minimization: Only data that is necessary for the stated purpose (identifying candidates for a specific role) should be collected. AI systems that aggregate extensive personal data beyond professional qualifications — pulling in personal social accounts, location data beyond general geography, or non-professional information — violate data minimization principles.

3. Automated decision-making: GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that significantly affects them. In recruiting, this means that a system cannot automatically advance or reject candidates based solely on AI scoring without any human review of the decision. A system that hands back a ranked shortlist for a human recruiter to evaluate and decide on satisfies this requirement. A system that auto-rejects candidates without human review does not.

4. Right to erasure: Candidates have the right to request deletion of their data. Any AI sourcing system must have a functioning opt-out and deletion mechanism that actually processes and removes data, not just flags the request.

UK GDPR and the PECR Layer

For UK candidates post-Brexit, UK GDPR mirrors EU GDPR requirements, with the Privacy and Electronic Communications Regulations (PECR) adding an additional layer for automated electronic messages. The UK Information Commissioner's Office (ICO) has indicated that for automated bulk email outreach, explicit consent may be required under PECR even when legitimate interests covers the underlying data processing. This is an area of active regulatory development — teams sourcing heavily in the UK should monitor ICO guidance and consider consent-based outreach as the safer default.

The Practical Compliance Framework

A GDPR-compliant AI sourcing operation rests on four pillars: (1) documented legitimate interests assessment for each sourcing use case; (2) privacy disclosure in every initial outreach message; (3) genuine human review before any candidate progresses or is rejected; (4) a functioning opt-out mechanism with actual data deletion. These are not theoretical requirements — enforcement has been active. The French data protection authority (CNIL) fined multiple recruiting platforms between 2022 and 2024 for non-compliant candidate data processing.

How UPPER Approaches Compliance

UPPER's sourcing engine is designed with privacy by design as a first principle. Every outreach message includes appropriate disclosure, opt-outs are processed and honored, and the system's output is always a ranked shortlist for human review — not an automated accept/reject decision. The human recruiter decides; UPPER does the digging. That architecture is not just good ethics — it is compliant architecture. Read more on how UPPER approaches responsible AI in recruiting.

References

  1. Pin: Automated Candidate Outreach Guide — CAN-SPAM, TCPA, GDPR/PECR breakdown
  2. EU GDPR: Article 6 — Lawfulness of processing (legitimate interests)
  3. EU GDPR: Article 22 — Automated individual decision-making
  4. UK ICO: Guidance on legitimate interests in recruitment

Read the interactive version: Is AI Sourcing GDPR-Compliant?