GDPR Art. 6 & 9
Employee data requires explicit legal basis
Processing employee and candidate data under GDPR requires a clear legal basis for each purpose — hiring decisions, performance reviews, payroll, disciplinary processes. Special category data (health, disability, union membership) requires even stricter justification under Art. 9. Any AI tool involved in these processes must stay within the documented legal basis.
What already applies: The GDPR principles (purpose limitation, necessity, data minimization) apply in full. Fully automated individual decisions under Art. 22 GDPR (e.g. a fully automated applicant rejection without human review) require specific legal bases.
How anymize addresses it
- Purpose limitation through separate projects and workspaces per HR use case
- Data minimization via the anonymization pipeline — frontier models never see personal identifiers
- Logging of decision support for evidentiary purposes (audit log)