A fundamental rights impact assessment template for recruitment
Michael
Founder, KimonRecruit
A FRIA is required for deployers of high-risk hiring AI under Article 27 of the EU AI Act. Here is what a FRIA is, when you need one, and a recruitment-shaped template to start from.

If you deploy AI in recruitment, you may need to complete a fundamental rights impact assessment, known as a FRIA, before you put the system into use. This article explains what a FRIA is under the EU AI Act, when a recruitment deployer has to do one, and gives you a template structure to work from. It is a practical orientation, not legal advice; for your specific situation, speak to your own advisers.
What is a FRIA?
A fundamental rights impact assessment is a structured assessment that certain deployers of high-risk AI systems must carry out before putting the system into use. Its purpose is to identify the risks the system poses to the fundamental rights of the people affected, and to define the measures that manage those risks. The obligation sits in Article 27 of the EU AI Act. [Source: artificialintelligenceact.eu, Article 27, accessed 2026-06-18.]
Because recruitment and selection AI is listed as high-risk under Annex III, hiring is squarely the kind of use case the FRIA is aimed at. The assessment forces you to think, before you go live, about who could be harmed, how, and what you will do about it.
Who has to do a FRIA, and when?
Article 27 targets specific categories of deployer of high-risk systems, including bodies governed by public law and certain private operators providing public services, together with deployers of particular Annex III systems. The exact set of deployers caught, and how it maps onto a private-sector employer, is precisely the kind of point to confirm with your advisers rather than assume. [Source: artificialintelligenceact.eu, Article 27, accessed 2026-06-18.]
The timing rule is clear, though: where a FRIA is required, you do it before first use. The high-risk obligations covering hiring currently apply from 2 August 2026. A provisional Digital Omnibus agreement reached on 7 May 2026 would defer stand-alone Annex III systems to 2 December 2027, but it is not yet adopted, so as of 18 June 2026 the 2 August 2026 date still stands. [Source: Gibson Dunn, EU AI Act Service Desk, accessed 2026-06-18.]
A recruitment FRIA template
A FRIA is not a fixed national form, so the structure below is a working template you can adapt. It assembles the elements Article 27 calls for into a recruitment shape. Treat each row as a section to complete and keep with your records.
| Section | What to record for a hiring deployment |
|---|---|
| 1. System and purpose | The hiring tool, what it does (screen, rank, score, parse), and the precise stage of your process where it is used. |
| 2. Period and frequency of use | How long you intend to use the system and how often, for example continuous applicant screening versus a one-off campaign. |
| 3. People affected | The categories of people the system touches: candidates, internal applicants, and any groups likely to be over-represented or under-represented. |
| 4. Specific risks of harm | The risks to fundamental rights, in particular the risk of discrimination against protected groups, exclusion, or unfair scoring, with how each could arise. |
| 5. Human oversight measures | The oversight arrangement: who reviews outputs, their competence and authority, and how they can question and overrule the system. |
| 6. Mitigations and governance | The measures that reduce each identified risk, including bias monitoring, data-quality controls, and the candidate-facing transparency you provide. |
| 7. Complaints and redress | What happens when something goes wrong: the internal governance, the escalation route, and how an affected candidate can raise a concern. |
Where you already hold a data protection impact assessment for the same processing, you can reuse and reference the overlapping analysis rather than duplicate it.
Two practical tips on filling it in. First, be concrete about the people affected in section 3: "candidates" is too broad to be useful, whereas "graduate applicants for customer-facing roles, where the talent pool skews younger" lets you reason about real risk. Second, in section 4 do not write "low risk" and move on. Name the mechanism by which harm could occur, for example "the model was trained on past hires, who under-represent a protected group, so it may down-rank similar candidates," because the mitigation only makes sense once the mechanism is explicit. A FRIA that records vague reassurance is worse than none, since it documents that you looked and saw nothing.
How does a FRIA relate to existing assessments?
If your hiring AI processes personal data, you likely already think about a GDPR data protection impact assessment. The FRIA and the DPIA are not the same instrument, and one does not automatically discharge the other, but they overlap heavily for a hiring tool. Running them together, with the FRIA focused on fundamental-rights harm and the DPIA on data-protection risk, avoids doing the same analysis twice.
Where KimonRecruit fits
Much of what a recruitment FRIA asks you to evidence is exactly what a well-built platform generates as you hire. Outcome monitoring across Equality Act 2010 characteristics supports the "specific risks of harm" section, replayable scoring supports the oversight and governance sections, and candidate-facing transparency supports the redress section. None of that completes the FRIA for you, but it means the evidence behind each section is produced as a by-product of running the process, rather than reconstructed later.
For how the FRIA differs from a DPIA, read DPIA vs FRIA in hiring. For the oversight section in depth, see human oversight requirements for AI in hiring.
Start the template early. The assessment is far easier to complete honestly before you have committed to a tool than to retrofit once it is already live.
