Executive Summary — Compliance officer briefing
AI system name
HireIQ v2.4.1
Risk class
High-risk — Annex III(4)(a)
Regulatory framework
EU AI Act (EU) 2024/1689
Mandatory compliance from
August 2026 (Art. 6(2))
Overall conformity status
Substantially compliant
Pending items
2 (ISO cert; EUAIO registration)
Risk management reviews
Quarterly — last: Jan 2025
Post-market monitoring
Active since Oct 2024
Training dataset records
2,142,007 (verified)
Active deployer clients
47 organisations
GDPR DPIA completed
Yes — Jan 2025
Serious incidents FY2024
0 reportable
Compliance assessment
As AI Act Compliance Officer appointed pursuant to Example B.V.'s internal AI Governance Policy (Art. 17 QMS implementation), I confirm that this Technical Documentation Package, version 1.2, addresses all mandatory elements of Annex IV of Regulation (EU) 2024/1689 and reflects the compliance status of HireIQ v2.4.1 as at the date of issuance. The system achieves substantial conformity with the requirements of Chapter III, Section 2 (Arts. 8–15) of the Regulation. Two items remain pending: (i) ISO 9001:2015 formal certification of the Quality Management System (internal compliance is achieved; external certification audit scheduled June 2025); (ii) registration in the EU AI systems database (Art. 47/71) pending the EUAIO making the database operational (expected Q4 2025). Neither pending item reflects a gap in substantive conformity; both are procedural/administrative steps dependent on external timelines. I assess the residual risk to fundamental rights and safety arising from HireIQ v2.4.1 as Low-Medium following implementation of all documented mitigation measures. I have no recommendation to suspend or restrict the system's operation pending completion of the two pending items. — Dr. A. Schmidt, AI Compliance Officer, Example B.V., 3 March 2025.
DPO co-endorsement
I co-endorse this Technical Documentation Package in my capacity as Data Protection Officer, specifically in respect of the GDPR-AI Act intersection analysis in Section 7 and the DPIA summary in Section 15. The DPIA for HireIQ candidate data processing (ref. DPIA-HireIQ-2025-001) was completed under my oversight and the findings are accurately summarised herein. I confirm that HireIQ's processing of candidate personal data is, in my assessment, lawful, proportionate, and subject to adequate safeguards. — M. van Dam, DPO, Example B.V., 3 March 2025.
Table of Contents
Preamble
Regulatory framework and documentation obligations
Art. 11 + Annex IV; provider vs. deployer role; applicability
Section 1
Provider identity and system identification
Annex IV Point 1 — KvK, system version, risk class
Section 2
General description of the AI system
Annex IV Points 1 & 2 — architecture, pipeline, outputs
Section 3
Training data governance
Art. 10 — provenance, anonymisation, bias audit, split
Section 4
Risk management system
Art. 9 — FMEA methodology; 4 identified risks; mitigations
Section 5
Transparency, human oversight, and accuracy
Arts. 13–15 — IFU, candidate notice, Art. 14 design, metrics
Section 6
Conformity assessment and compliance status
Art. 43 + Annex VI — full Arts. 8–15 compliance table
Section 7
GDPR intersections and fundamental rights impact
Art. 22 GDPR; data minimisation; FRIA; rights framework
Section 8
Post-market monitoring plan
Art. 72 — metric tracking, alerting, annual report, serious incidents
Section 9
Serious incident reporting procedure
Art. 73 — 15-day notification; classification; investigation
Section 10
Deployer compliance obligations
Art. 26 — contractual requirements; DPA; training mandate
Section 11
Quality management system overview
Art. 16–17 — ISO 9001 alignment; change control; audit cycle
Section 12
Model performance monitoring methodology
Precision@k, parity indices, drift detection, benchmark cadence
Section 13
Model card — detailed performance documentation
Annex IV Point 2 — per-category metrics; known limitations
Section 14
Change management and version control
Art. 16(2) — material vs. minor changes; re-assessment triggers
Section 15
GDPR DPIA summary
Art. 35 GDPR; DPO sign-off; candidate data; Art. 22 analysis
Section 16
EU Declaration of Conformity (draft)
Art. 47 + Annex V — DoC template; pending MSA registration
Appendix I
Annex IV point-by-point compliance mapping
Point 1–7 cross-reference to document sections
Appendix II
Detailed risk register
All identified risks; inherent/residual ratings; control evidence
Appendix III
Document version history
v1.0 to v1.2 — changes, approvals, review cycle
Preamble — Regulatory framework and documentation obligations
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence VERIFIED (the EU AI Act, hereafter “the Regulation”) establishes a risk-based regulatory framework for AI systems placed on or put into service in the internal market. Article 11 of the Regulation VERIFIED, read in conjunction with Annex IV, VERIFIED requires Providers of High-Risk AI Systems to draw up and maintain technical documentation demonstrating that the AI system meets the requirements set out in Chapter III, Section 2 of the Regulation (Arts. 8–15) VERIFIED prior to placing the system on the market or putting it into service. For the purposes of this Documentation, “Provider” has the meaning given in Art. 3(3) of the Regulation VERIFIED: a natural or legal person that develops an AI system or a general-purpose AI model and places it on the market or puts it into service under its own name or trademark. “High-Risk AI System” has the meaning established by Art. 6 VERIFIED read with Annex III. VERIFIED “Deployer” has the meaning given in Art. 3(4) of the Regulation. VERIFIED
HireIQ v2.4.1, developed and operated by Example B.V., shall be treated as a High-Risk AI System pursuant to Art. 6(2) VERIFIED read in conjunction with Annex III, Section 4(a) of the Regulation, VERIFIED which designates as high-risk those AI systems intended to be used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates (EUR-Lex verified). This Technical Documentation has been prepared accordingly and covers all matters specified in Annex IV, Points 1–7. VERIFIED Example B.V. accepts this classification without reservation and has designed all system controls, documentation, and operational procedures in conformity with Chapter III, Section 2 obligations.
Where the term “Provider” is used, it refers to Example B.V. in its capacity as the entity that has developed HireIQ and makes it available to B2B Deployer clients. Where the term “Deployer” is used, it refers to the employer organisations that deploy HireIQ within their HR processes. Example B.V. acknowledges that it assumes Provider obligations under Chapter III, Section 2 of the Regulation and, in circumstances where it also operates HireIQ for its own internal HR screening, simultaneously assumes Deployer obligations under Art. 26 of the Regulation. VERIFIED This dual capacity is documented in Section 10.
Section 1 — Provider identity & system identification (Annex IV, Point 1)
The following particulars identify the provider and the AI system in accordance with Annex IV, Point 1 of the Regulation.
Provider name
Example B.V.
Legal form & registration
Besloten Vennootschap (B.V.) — KvK 12 34 56 78, Amsterdam
Registered address
Fictielaan 1, 1000 AA Amsterdam, Netherlands
Contact for AI Act matters
compliance@examplebv.example (IANA-reserved — illustrative)
System version
v2.4.1 (build 20250108)
System type
ML-based candidate screening and ranking platform; NLP-driven CV analysis; structured interview scoring
Intended purpose
AI-assisted shortlisting of job candidates based on structured CV parsing, skills matching, and standardised assessment scoring — decision-support tool only
Risk classification
High-risk — Annex III, Section 4(a): AI in employment, worker management & access to self-employment — recruitment and candidate selection
Deployer type
B2B SaaS — HR departments and recruitment teams at SME clients; also used internally by Example B.V. (dual provider/deployer)
EU AI Act applicability
Art. 6(2) + Annex III(4)(a): mandatory compliance from August 2026 for high-risk systems. Voluntary early compliance commenced January 2025.
EU representative (if non-EU)
N/A — Example B.V. is established within the European Union (Netherlands)
Section 2 — General description of the AI system (Annex IV, Points 1 & 2)
High-risk classification rationale — Art. 6(2) & Annex III(4)(a)
HireIQ v2.4.1 falls within the scope of the high-risk category established by Art. 6(2) and Annex III, Section 4(a) of the Regulation. The system produces ranked shortlists of candidates that directly influence which individuals advance through the recruitment process. Although the final hiring decision rests with a human recruiter in accordance with the Art. 14 human oversight requirement, the AI output constitutes a significant determining factor in candidate selection, consistent with the definition of "intended purpose" in Art. 3(12) and the interpretative guidance issued by the European AI Office on the scope of Annex III employment-related applications. Example B.V. accepts this classification without reservation and has designed all system controls, documentation, and operational procedures accordingly.
Core functionality
HireIQ processes structured and unstructured candidate data — CVs, cover letters, application form responses, and structured assessment scores — through a three-stage pipeline: (i) document parsing and entity extraction; (ii) skills and experience matching against a configurable job requirements model; (iii) composite scoring and ranked candidate shortlist generation. The system does not make autonomous hiring decisions; it produces a ranked shortlist with confidence intervals that is presented to a human recruiter for review.
ML model architecture
Primary model: fine-tuned BERT-based transformer (distilBERT-base-uncased, fine-tuned on approximately 2.1 million anonymised CV-to-job-outcome pairs). Secondary model: gradient-boosted decision tree (XGBoost v1.7.6) for structured assessment scoring. Ensemble weighting: 60% NLP model / 40% structured scoring; configurable per deployment by deployer client within defined bounds. Model training environment: PyTorch 2.1 on AWS SageMaker (eu-central-1).
Input data types
CV text (structured & unstructured)Cover letter textApplication form responsesOnline assessment scores (numerical)Years of experience (extracted)Education qualifications (extracted)Skills keywords (extracted)Job description (comparator)
Data explicitly excluded
Candidate name, gender, nationality, age, date of birth, photograph, and address are stripped from input data prior to model inference via a pre-processing anonymisation module (v1.1.4). This stripping is enforced at the API layer and is not configurable by deployers. The system cannot access or infer these attributes; any field in the CV matching a configurable PII detection pattern (gender pronouns, name field, nationality identifiers) is redacted to a [REDACTED] token prior to submission to the scoring models.
Output format
Ranked candidate shortlist (configurable top-N, default top-20); per-candidate composite score (0–100 scale); per-dimension sub-scores with natural language explanation; confidence interval per score; flagging of candidates near score boundaries (±5 points of shortlist cut-off) for mandatory recruiter attention. All output is presented within the HireIQ recruiter dashboard; no output is transmitted externally without explicit recruiter action.
Deployment architecture
Multi-tenant SaaS deployment on AWS eu-central-1 (Frankfurt); model inference on GPU instances (g4dn.xlarge); API gateway with rate limiting and authentication; recruiter dashboard via web application; native integrations with major ATS platforms (Workday, Greenhouse, Personio) via OAuth 2.0; data encrypted at rest (AES-256) and in transit (TLS 1.3). No model training occurs on deployer client data absent explicit written consent and a separate Data Processing Agreement.
Section 3 — Training data governance (Art. 10 & Annex IV, Point 2(d))
Article 10 of the Regulation establishes mandatory data governance requirements for high-risk AI systems. Training, validation, and testing data must be subject to data governance and management practices; must be relevant, representative, free of errors, and complete; and must, to the best extent possible, be free of discriminatory content or patterns that could lead to prohibited discrimination under Art. 5(1)(a) GDPR or applicable anti-discrimination law (including Council Directive 2000/43/EC on racial equality, Directive 2000/78/EC on equal treatment in employment, and Art. 21 of the Charter of Fundamental Rights of the European Union). The following documentation addresses each Art. 10 obligation.
Dataset origin
Primary training corpus: 2,142,007 anonymised CV-to-outcome pairs sourced from six European B2B HR platform providers between 2019–2024 under data licensing agreements. Each provider warranted that data was obtained with appropriate legal basis under GDPR and that data subjects were notified of potential commercial use in accordance with applicable privacy notices. Secondary corpus: 480,000 synthetic CV records generated using a template-based augmentation pipeline to supplement underrepresented occupational categories.
Data anonymisation
All real-person training records were anonymised prior to receipt by Example B.V.: names replaced with occupational role tokens; dates of birth replaced with decade cohort markers (e.g., "born 1980s"); addresses reduced to NUTS-2 regional codes; nationalities and gender markers stripped. The anonymisation methodology and its application were independently verified by DataVeritas B.V., Amsterdam (audit report ref. DVB-ANON-2024-0042), an accredited data audit firm, confirming k-anonymity ≥ 5 across the dataset with respect to re-identification risk.
Geographic & sectoral coverage
Training data covers 18 EU member states (weighted by labour market size); 31 occupational categories (ISCO-08 sub-major groups); 12 industry sectors. Underrepresented groups (defined as <3% of total records for a given occupation/sector combination) were supplemented via synthetic augmentation to a minimum of 5% representation. Coverage gaps are documented in the Model Card (ref. MC-HireIQ-v2.4-2025).
Bias evaluation (Art. 10(2)(f))
Pre-training bias audit conducted using IBM AI Fairness 360 (open-source toolkit, v1.3.2) and independently verified by DataVeritas B.V., Amsterdam — an accredited AI audit firm (audit report ref. DVB-BIAS-2024-0071). Protected attributes evaluated: gender (inferred from pronouns in synthetic data), age cohort, nationality-coded text patterns, disability-indicating language. Disparate impact metric (four-fifths rule) applied per EEAC guidance: all evaluated protected groups achieved a disparate impact ratio >0.80 against the majority group. Training records exhibiting a >10% differential in positive outcome correlation with protected attribute proxies were excluded from the training set (14,802 records removed; documented in DE-HireIQ-2025-003).
Validation & test split
Train: 80% (1,713,606 records); Validation: 10% (214,200 records); Test: 10% (214,201 records). No overlap between splits; stratified sampling applied to ensure proportional representation of occupational categories and geographic distribution across all three splits. Holdout test set was not used during training or hyperparameter tuning.
Section 4 — Risk management system (Art. 9 & Annex IV, Point 2(c))
Article 9 of the Regulation mandates that providers of high-risk AI systems establish, implement, document, and maintain a risk management system throughout the entire lifecycle of the AI system. This system must constitute an ongoing iterative process, revised upon the availability of further information throughout the system lifecycle. The risk management system must identify and analyse known and reasonably foreseeable risks to health, safety, and fundamental rights; estimate and evaluate risks arising from the intended use and reasonably foreseeable misuse; adopt appropriate risk management measures; and test the AI system for these purposes. The following documents Example B.V.'s risk management system for HireIQ v2.4.1.
Risk identification methodology
Risks were identified through: (i) structured FMEA (Failure Mode and Effects Analysis) workshop (January 2025, 3 sessions, 8 participants including engineering, legal, HR domain experts, and an external fundamental rights consultant); (ii) review of published regulatory guidance and risk literature, including the European Commission's High-Level Expert Group on AI Ethics Guidelines for Trustworthy AI (2019), the European Union Agency for Fundamental Rights AI and Fundamental Rights Checklist (2024), EDPB Guidelines 02/2022 on Article 6(1)(b) GDPR, and the European Commission's AI Office published guidance on Annex III system classification; (iii) red-team testing using adversarial CV inputs; (iv) post-deployment monitoring data from v2.3.x (12 months, 47 deployer clients).
Risk R-01 — Discriminatory shortlisting
Description: Model may inadvertently encode proxy discrimination — e.g., penalising CVs mentioning maternity leave, non-EU university names, or disability-indicating language — resulting in unfair exclusion of candidates from protected groups contrary to Directive 2000/78/EC and Art. 21 EU Charter. Inherent risk: High. Mitigation: PII stripping at preprocessing; bias metrics monitored monthly against live distribution; deployer-configurable sensitivity thresholds with documented minimum bounds; recruiter dashboard displays 'parity alert' where shortlist gender or age distribution deviates >15% from applicant pool. Residual risk: Medium (post-mitigation).
Risk R-02 — Over-reliance by deployers
Description: Deployers (employer clients) may treat HireIQ output as a definitive ranking rather than as a decision-support tool, reducing meaningful human review and violating the Art. 14 human oversight requirement. Inherent risk: High. Mitigation: Mandatory human-review confirmation step before any candidate rejection is recorded in the system; deployer onboarding training includes mandatory module on Art. 14 obligations; DPA with deployers explicitly prohibits automated decision-making for hiring without human review; recruiter dashboard includes persistent disclaimer: "HireIQ scores are indicative. Final selection decisions must be made by a qualified human recruiter." Deployer override logging captures all cases where recruiter deviates from AI ranking. Residual risk: Low-Medium.
Risk R-03 — Model drift
Description: As labour market conditions and job requirements evolve, the model's performance and fairness metrics may degrade over time, leading to inaccurate or biased outputs without detection. Inherent risk: Medium. Mitigation: Continuous performance monitoring with automated alerts at 5% degradation from validation baseline; quarterly fairness metric evaluation against updated labour market benchmarks; mandatory model re-evaluation trigger at any 10% drift in primary performance metric (precision@k). Residual risk: Low.
Risk R-04 — Data subject rights violation
Description: Candidates assessed by HireIQ may exercise GDPR rights (Art. 15 access, Art. 22 automated decision challenge) that the deployer is unable to satisfy without provider cooperation; alternatively, candidates may be assessed without adequate transparency information (Art. 13/14 GDPR, Art. 13(1) EU AI Act). Inherent risk: Medium. Mitigation: Provider-supplied standardised candidate transparency notice (available in 7 EU languages) included in deployer implementation package; per-candidate explanation logs retained 6 months for Art. 15/22 response; DPA with deployers allocates Art. 13 transparency obligation to deployer; provider maintains data subject request processing SLA of 10 business days. Residual risk: Low.
Section 5 — Transparency, human oversight, and accuracy (Arts. 13–15)
Instructions for use (Art. 13(3))
Comprehensive Instructions for Use documentation (IFU v2.4, 48 pages) provided to all deployers upon contract execution and made available in the HireIQ deployer portal at all times. IFU covers: (i) system capabilities and limitations; (ii) intended use cases and prohibited use cases; (iii) human oversight requirements and recommended practices; (iv) how to interpret AI output and confidence scores; (v) how to exercise human override; (vi) data subject transparency notice implementation guide; (vii) contact procedures for reporting anomalies; (viii) applicable regulatory requirements for deployers under Art. 26 EU AI Act. IFU is updated with each minor or major version release.
Candidate-facing transparency
Art. 50(1) and (3) EU AI Act and the broader transparency principle require that natural persons subject to AI-assisted decisions be informed. Example B.V. supplies deployers with a standardised "AI-Assisted Screening Notice" (available in EN, DE, NL, FR, IT, ES, DA) for inclusion in job application forms. The notice discloses: the use of AI in candidate screening; the nature of the AI's role (ranking and shortlisting, not final decision); the deployer's contact point for AI-related queries; the candidate's right to request human review of any AI-influenced decision. Deployer contractual terms require this notice to be displayed at the point of application.
Explainability per candidate
For each assessed candidate, HireIQ generates a structured explanation record comprising: (i) the per-dimension subscores (skills match, experience relevance, assessment performance, application completeness); (ii) the three most positively and three most negatively weighted factors in the composite score; (iii) a plain-language summary (auto-generated, recruiter-editable). This explanation is accessible to the recruiter in the dashboard and can be provided to candidates upon a GDPR Art. 15 access request or an Art. 22(3) challenge to an automated decision. Explanation records are retained for 6 months from the date of assessment.
Limitations disclosure (Art. 13(3)(b))
The IFU, the deployer dashboard, and the candidate notice all disclose the following known limitations: (i) the model performs best for occupational categories well-represented in training data; occupational categories with <1% training representation are flagged as 'limited coverage' and are subject to a mandatory recruiter review override; (ii) the model cannot assess candidate motivation, cultural fit, or interpersonal characteristics — these dimensions are outside system scope; (iii) the model's scoring is sensitive to CV writing style and formatting; candidates are encouraged to use standard formats; (iv) accuracy degrades for CVs containing significant non-EU educational credentials — these are flagged for manual recruiter assessment.
Human oversight measures (Art. 14(3))
The system is designed to ensure that human recruiters understand the system's capabilities and limitations (Art. 14(3)(a)); can ignore, override, or reverse AI output at any stage without penalty or system limitation (Art. 14(3)(b)); can intervene in the operation of the system in real time (Art. 14(3)(d)); and can decide not to use the AI output (Art. 14(3)(e)). Override actions are logged with a timestamp and the reason code selected by the recruiter.
Human-in-the-loop design
No candidate may be rejected solely on the basis of HireIQ output. The system enforces a mandatory 'human confirmation' workflow: before a candidate status is changed to 'rejected' for any candidate with a score above the 30th percentile of the applicant pool, the recruiter must confirm the action and select a documented reason. Candidates near the shortlist boundary (within ±5 score points of the configured cut-off) are prominently flagged in the dashboard for additional recruiter attention. The system cannot autonomously send rejection communications; this action requires explicit recruiter initiation.
Deployer staff training requirement
Art. 26(6) EU AI Act requires deployers to ensure that human reviewers have adequate AI literacy and competence to oversee the AI system. Example B.V. mandates completion of the HireIQ Deployer Training Programme (approx. 3 hours; available in 7 EU languages) as a contractual condition of system access. Training covers: AI system limitations; how to read and interpret HireIQ output; human oversight obligations; escalation procedures; candidate rights. Completion certificates are issued and logged by the platform; deployers must ensure all recruiters using the system hold a valid certificate.
Stop functionality (Art. 14(4))
Deployer administrators can disable HireIQ scoring for any live vacancy at any time via a single toggle in the vacancy settings. Once disabled, all new applications are routed to unassisted human review. The system cannot be re-enabled for a vacancy without a deployer administrator action. Example B.V.'s technical support team can remotely disable the system for a specific deployer instance within 4 hours of a written request, and system-wide within 30 minutes in the event of a confirmed safety or fundamental rights concern.
Performance metrics
Primary metric: Precision@20 (proportion of top-20 AI shortlist candidates who were ultimately interviewed by deployer): 0.78 on holdout test set; 0.74 average across live deployers (trailing 6-month monitoring data). Kendall's τ (rank correlation with expert human recruiter panels): 0.66 on validation set. False negative rate (qualified candidates below shortlist cut-off): 12.4% on test set — documented limitation disclosed in IFU. All performance metrics are evaluated separately per occupational category and reported in the quarterly performance report to deployers.
Robustness to adversarial inputs
Red-team testing (conducted November 2024 by external security team) evaluated robustness to: (i) keyword stuffing — CV artificially inflated with job description keywords; (ii) format manipulation — unusual CV structures designed to confuse parsing; (iii) prompt injection in cover letter text fields. Results: keyword stuffing produces a measurable but bounded score inflation (max. +8 points); format manipulation triggers 'low parse confidence' flag and automatic routing to human review; prompt injection attempts have no effect on model output (text fields are tokenised at word level; model does not execute instructions). Findings documented in penetration test report (ref. PT-EXB-2024-HireIQ-01).
Cybersecurity measures (Art. 15(5))
Model weights stored in encrypted format (AES-256); access restricted to two senior engineers via HSM-backed key management; no model weights exposed via API. API endpoints protected by OAuth 2.0 + API key with rate limiting; anomalous query patterns trigger automated alert. Quarterly penetration testing (CREST-accredited firm). Vulnerability disclosure programme active (security@examplebv.example — illustrative); critical vulnerabilities patched within 72 hours per policy. SOC 2 Type II certified infrastructure.
Continuous monitoring (Art. 72)
Post-market monitoring plan (ref. PMM-HireIQ-2025-001) is active. Metrics tracked monthly: Precision@20; gender parity index across shortlists; age distribution of shortlisted candidates vs. applicant pool; false negative rate; deployer override rate. Automated alerts triggered at defined thresholds. Annual performance report published to deployers. Any serious incident (as defined in Art. 3(49)) involving HireIQ output is reported to the market surveillance authority within 15 days per Art. 73.
Section 6 — Conformity assessment & compliance status (Art. 43 & Annex IV, Point 7)
Article 43 of the Regulation governs the conformity assessment procedure for high-risk AI systems. For high-risk AI systems listed in Annex III, Section 4 (employment and HR), providers must follow the internal control procedure set out in Annex VI, unless an EU technical standard has been adopted and harmonised standards apply. The following table documents the compliance status against all mandatory requirements of Chapter III, Section 2 of the Regulation (Arts. 8–15), as assessed at the time of issuance of this document.
| Article | Requirement | Implementation summary | Status | Evidence reference |
|---|
| Art. 8 | Compliance with requirements — general | System designed in accordance with Arts. 9–15; this document constitutes the primary compliance evidence per Art. 11 + Annex IV | Compliant | This document; QMS-EXB-2025-01 |
| Art. 9 | Risk management system | FMEA-based risk register maintained; 4 identified risks with documented mitigations; residual risk assessment completed; quarterly review cycle active | Compliant | RM-HireIQ-2025-001; Section 4 above |
| Art. 10(1)–(3) | Data governance — training data quality | 2.14M record dataset with documented provenance; anonymisation independently audited by DataVeritas B.V. (ref. DVB-ANON-2024-0042); bias evaluation with IBM AI Fairness 360 (ref. DVB-BIAS-2024-0071); train/val/test split documented; 14,802 records excluded for bias risk | Compliant | DG-HireIQ-2025-001; DataVeritas audit refs. DVB-ANON-2024-0042 & DVB-BIAS-2024-0071; Section 3 above |
| Art. 10(5) | Processing special categories for bias detection | Art. 10(5) permission invoked for bias evaluation only; inferred protected attribute data used exclusively for fairness testing; not used in production model inference; documented justification in file | Compliant | DP-ART10(5)-EXB-2025-001; DPO sign-off 14/01/2025 |
| Art. 11 + Annex IV | Technical documentation | This document addresses all 7 points of Annex IV; maintained under version control; updated on each major/minor release; available to supervisory authority on request | Compliant | This document (KTV-AIACT-2025-EXB-001 v1.2) |
| Art. 12 | Record-keeping — logging | Per-inference logs retained 12 months; per-candidate explanation records retained 6 months; deployer access logs retained 18 months; automated log generation enforced at system level; logs immutable once written | Compliant | LOG-HireIQ-2025-001; AWS CloudTrail configuration |
| Art. 13 | Transparency and information to deployers | IFU v2.4 (48 pages); candidate transparency notice (7 languages); dashboard limitation disclosures; limitations documented per Art. 13(3)(b); provider identity displayed in deployer UI | Compliant | IFU-HireIQ-v2.4; CTN-HireIQ-2025-001; Section 5.1 above |
| Art. 14 | Human oversight | Mandatory human confirmation for rejections; override logging; boundary flagging; mandatory deployer training programme; stop functionality; no autonomous hiring decisions possible | Compliant | UX-HireIQ-2025-001; Training programme completion logs; Section 5.2 above |
| Art. 15(1)–(3) | Accuracy and robustness | Precision@20 = 0.78 (test), 0.74 (live); Kendall τ = 0.66; red-team adversarial testing completed November 2024; performance degradation alerts at 5% threshold | Compliant | Perf-HireIQ-v2.4-2025; PT-EXB-2024-HireIQ-01; Section 5.3 above |
| Art. 15(4)–(5) | Cybersecurity | Model weights encrypted; API rate limiting; OAuth 2.0 + API key auth; quarterly CREST-accredited penetration testing; vulnerability disclosure programme; SOC 2 Type II | Compliant | PT-EXB-2024-HireIQ-01; SOC2-EXB-2024; Section 5.3 above |
| Art. 16 + 17 | Quality management system | ISO 9001:2015-aligned QMS in place; AI Act-specific procedures documented; DPO and AI Act Compliance Officer appointed; internal audit cycle (annual); non-conformity process active | Partial — ISO certification in progress (target Q3 2025) | QMS-EXB-2025-01; Certification audit scheduled June 2025 |
| Art. 72 | Post-market monitoring | PMM plan active; monthly metric monitoring; quarterly performance reports to deployers; annual report to be filed with national market surveillance authority; serious incident reporting procedure documented (15-day notification per Art. 73) | Compliant | PMM-HireIQ-2025-001; Section 5.3 above |
| Art. 49 | EU Declaration of Conformity | EU Declaration of Conformity drafted; to be signed and registered upon national market surveillance authority guidance on registration procedures for Annex III systems (procedure under development by Member States) | Pending — awaiting MSA registration portal (expected H2 2025) | DoC-HireIQ-v2.4-DRAFT; Legal counsel review completed |
| Art. 47 | EU database registration | Registration in EU AI systems database (Art. 71) is required for high-risk systems under Annex III upon the database becoming operational; Example B.V. monitors EUAIO database launch and will register upon availability (expected Q4 2025) | Pending — EUAIO database not yet operational | EUAIO monitoring log; compliance calendar entry Q4 2025 |
Section 7 — GDPR intersections & fundamental rights impact assessment
The EU AI Act does not supersede or replace GDPR obligations. High-risk AI systems processing personal data remain subject to both frameworks simultaneously. The following summarises the key GDPR obligations applicable to HireIQ v2.4.1 in addition to EU AI Act compliance. A full DPIA under Art. 35 GDPR has been conducted (ref. DPIA-HireIQ-2025-001, signed off by DPO 20 January 2025) in respect of HireIQ's processing of candidate personal data, which constitutes large-scale processing of personal data that is likely to result in a high risk to rights and freedoms per Art. 35(1) GDPR and the EDPB's DPIA criteria list.
Legal basis (Art. 6 GDPR)
Provider (Example B.V.) processing: Art. 6(1)(b) — processing necessary for provision of the contracted service; Art. 6(1)(f) — legitimate interest in service improvement (model performance monitoring using aggregated, pseudonymised inference logs). Deployer processing: Art. 6(1)(b) — processing of candidate data necessary for the recruitment process (performance of steps prior to entering into employment contract, per Recital 44 GDPR); or Art. 6(1)(a) — consent where required under national law. Responsibility for deployer-side legal basis is allocated to the deployer in the DPA per Art. 28(3)(a) GDPR.
Art. 22 GDPR — automated decision-making
Art. 22(1) GDPR prohibits solely automated individual decisions that produce legal or similarly significant effects. HireIQ is designed to operate as a decision-support tool; the final hiring or rejection decision is always made by a human recruiter. The system enforces this by design (see Art. 14 above). Accordingly, Art. 22(1) GDPR is not engaged for standard deployments. Where a deployer configures the system in a manner that bypasses human review (a breach of contractual terms), the deployer assumes sole liability for the resulting Art. 22 violation; the provider's DPA includes explicit prohibition on such use.
Data minimisation (Art. 5(1)(c))
Only data directly relevant to the assessment of candidate suitability for a specific vacancy is processed by HireIQ. PII not relevant to job performance (name, gender, age, nationality, address, photograph) is stripped at the preprocessing stage and is never seen by the model. Deployers are contractually prohibited from submitting data beyond what is necessary for the stated vacancy purpose. This design satisfies Art. 5(1)(c) GDPR data minimisation and supports alignment with the bias prevention requirements of Art. 10 EU AI Act.
Data subject rights (Arts. 15–22)
Candidates are data subjects of both the deployer (primary controller for recruitment) and Example B.V. (sub-processor under the deployer's DPA). Rights requests received by Example B.V. directly are forwarded to the relevant deployer within 48 hours. Example B.V. supports deployer response to Art. 15 access requests by providing per-candidate explanation records upon request. Art. 17 erasure requests are processed via the deployer, who instructs Example B.V. as sub-processor; deletion is executed within 10 business days. Candidate data is not retained by Example B.V. beyond 6 months from the date of assessment (explanation records) or 12 months (aggregated inference logs, pseudonymised).
Fundamental rights impact assessment
A Fundamental Rights Impact Assessment (FRIA) was conducted in accordance with the EU AI Act's Annex VI guidance and the FRA's AI and Fundamental Rights checklist (European Union Agency for Fundamental Rights, 2024). Rights assessed: dignity (Art. 1 EU Charter); non-discrimination (Art. 21); data protection (Art. 8); effective remedy (Art. 47). Key findings: (i) no processing of Art. 9 GDPR special categories in production; (ii) human oversight design preserves effective remedy for candidates who disagree with AI assessment; (iii) transparency notices satisfy Art. 8 Charter informational requirements; (iv) non-discrimination risk rated medium prior to mitigation, low-medium post-mitigation. FRIA report ref. FRIA-HireIQ-2025-001.
Section 8 — Post-market monitoring plan (Art. 72 EU AI Act)
Article 72 of the Regulation requires providers of high-risk AI systems to proactively collect and review data concerning the performance of their systems throughout the post-deployment lifecycle. The post-market monitoring plan must be proportionate to the nature of the AI technology and the risks of the high-risk AI system. The following plan documents Example B.V.'s post-market monitoring architecture for HireIQ v2.4.1, effective from the date of commercial deployment (first deployer: 1 October 2024). The plan is reviewed annually and updated following any significant change in system functionality or identified risk profile.
Performance metrics
1. Precision@20 (primary performance metric): Proportion of AI-shortlisted candidates (top-20) who were ultimately advanced to interview by deployer recruiters, measured across all deployers on a 30-day rolling basis. Baseline: 0.74 (live deployment average, trailing 6 months). Alert threshold: <0.68 (8.1% degradation from baseline). Action threshold: <0.62 (16.2% degradation — triggers mandatory re-evaluation). Collection: aggregated from deployer interview-outcome events via anonymised telemetry; no candidate names transmitted.
2. Recruiter override rate: Proportion of AI shortlist positions reversed by recruiter action (candidate added below AI cut-off, or highly ranked candidate rejected). Baseline: 18.3% (FY2024 live average). Alert threshold: >30% (sustained 3-month average) — may indicate recruiter distrust or model-deployer context mismatch; triggers deployer outreach. Collection: override events logged in deployer dashboard audit trail; aggregated monthly.
3. Boundary case resolution: Proportion of 'boundary flagged' candidates (within ±5 points of shortlist cut-off) where recruiter reviewed explanation and added the candidate. Tracked to assess the effectiveness of boundary flagging in preventing qualified candidate exclusion. Target: >40% of boundary cases reviewed with explanation accessed. Collection: explanation-record access events logged.
Fairness monitoring metrics
1. Gender parity index: Ratio of estimated female-presenting vs. male-presenting candidates in AI shortlists across all deployers, compared to applicant pool distribution. Estimated via optional deployer-reported aggregate data (deployers with >50 applications per vacancy). Alert: shortlist ratio deviates >15% from applicant pool ratio sustained 2 months. Note: individual-level gender attribute is not processed; parity is assessed at aggregate statistical level.
2. Age distribution index: Distribution of estimated age cohorts (decade markers from training data inference; not directly processed in production) in shortlisted candidates vs. applicant pool. Alert: median age of shortlisted candidates deviates >5 years from median of applicant pool for any deployer-vacancy pair.
3. Education type distribution: Proportion of candidates with non-EU university credentials in shortlists vs. applicant pool. Alert: candidates with non-EU credentials shortlisted at <70% the rate of EU-equivalent credential holders across the same vacancy type for any sustained 3-month period.
4. Occupational category coverage: Monthly review of vacancies falling in categories with <1% training data representation ('limited coverage' flags). Target: 100% of limited-coverage vacancies trigger mandatory recruiter review override.
Data collection architecture
All monitoring data is collected via the HireIQ platform telemetry pipeline (AWS CloudWatch → S3 → Athena aggregation layer). No candidate-identifiable data is included in monitoring aggregates; all metrics are computed at vacancy-population level. Deployers are informed of monitoring data collection in the Instructions for Use (IFU v2.4 Section 9.2) and in the DPA. Monitoring data is processed by Example B.V. in its capacity as data controller for its own legitimate interest in system quality and safety monitoring (Art. 6(1)(f) GDPR).
Alert handling procedure
Level 1 alert (metric deviates beyond alert threshold): automated notification to AI Compliance Officer; 5 business day investigation; deployer notified if deployer-specific issue identified. Level 2 alert (metric at action threshold): emergency review by AI Compliance Officer + DPO + CTO; system may be suspended for affected deployer segment pending investigation; Board notified within 2 business days. Level 3 (potential serious incident per Art. 3(49)): Art. 73 procedure activated — see Section 9.
Annual report structure
An annual post-market monitoring report is published to all active deployer clients within 90 days of the end of each calendar year (first report due: 31 March 2025 for FY2024). Report includes: (i) aggregate performance metric trends (Precision@20, override rate, boundary case resolution); (ii) fairness index data with trend analysis; (iii) incidents and near-misses recorded during the period; (iv) changes made to the system in the period and rationale; (v) identified risks and new risk additions to the risk management system; (vi) planned enhancements for the coming period; (vii) any regulatory guidance or supervisory authority correspondence received. The annual report is also made available to the national market surveillance authority upon request per Art. 72(4).
FY2024 monitoring highlights
Period covered: 1 October 2024 – 31 December 2024 (Q4 — first deployment). Precision@20 range: 0.71–0.77 across deployers (average 0.74). Recruiter override rate average: 18.3%. 0 Level 1 or Level 2 alerts triggered. 0 serious incidents recorded. 1 minor performance anomaly detected in Occupational Category 23 (legal/paralegal roles) — investigation concluded: category underrepresentation in training data; Category 23 flagged as 'limited coverage' and mandatory review override applied system-wide. Limitation disclosed in updated IFU v2.4 (released December 2024). Fairness indices within bounds throughout period.
Section 9 — Serious incident reporting procedure (Art. 73 EU AI Act)
Article 73 of the Regulation requires providers of high-risk AI systems to report any serious incident to the market surveillance authority of the Member State where the incident occurred without undue delay and in any event within 15 days of becoming aware of it. A "serious incident" is defined in Art. 3(49) as any incident or malfunction of a high-risk AI system that directly or indirectly leads to (a) the death of a person or serious damage to a person's health, property or the environment; (b) a serious and irreversible disruption of the management and operation of critical infrastructure; or (c) a violation of obligations under EU law intended to protect fundamental rights. Article 73(5) permits the notification to be provided in stages where complete information is not available within the 15-day window.
Incident classification criteria
Category A — Serious incident (Art. 3(49)) — mandatory 15-day notification: HireIQ output directly causes or materially contributes to: systematic discriminatory exclusion of a protected group (Art. 21 EU Charter violation) at scale (>100 candidates); serious professional harm to an individual resulting from AI-influenced hiring decision (e.g., false accusation embedded in assessment explanation accessed by multiple employers); material disruption of deployer recruitment operations affecting >500 candidates simultaneously due to system failure.
Category B — Significant anomaly — internal escalation, regulatory notification if pattern confirmed: Fairness metric at Level 2 action threshold sustained >1 month; systematic bias in output for a specific occupational category confirmed by independent audit; model performance below action threshold confirmed for >2 deployers.
Category C — Minor incident — internal record only: Single-deployer performance anomaly investigated and resolved; near-miss event (potential Category A/B issue identified and mitigated before candidate impact); candidate complaint investigated and resolved; individual recruiter error in interpreting HireIQ output (not attributable to system deficiency).
Art. 73 notification content
Where a Category A serious incident is identified, the following information is reported to the competent market surveillance authority (in the Netherlands: Rijksinspectie Digitale Infrastructuur (RDI), the designated national AI supervisory authority under the Dutch implementation of the AI Act Market Surveillance arrangements): (i) provider identity and system details; (ii) incident description — nature, duration, affected deployer(s), number of data subjects affected; (iii) root cause analysis (preliminary if final not yet available — final report within 30 days); (iv) immediate containment measures taken; (v) remediation plan and timeline; (vi) whether data subjects have been or will be notified (including under applicable GDPR Art. 33/34 obligations). Simultaneous notification to the AP (Dutch DPA) where the incident involves personal data breach elements per Art. 33 GDPR.
Incident log FY2024
No Category A or Category B incidents in FY2024. One Category C near-miss recorded (October 2024): Deployer client NL-014 configured vacancy with unusually narrow skills requirement that inadvertently created a high rate of exclusion for one occupational sub-category; identified via override rate alert; deployer contacted within 1 business day; vacancy configuration corrected; 7 additional candidates manually reviewed by deployer recruiter. No candidate suffered material harm; incident documented as NM-HireIQ-2024-001.
Section 10 — Deployer compliance obligations (Art. 26 EU AI Act)
Article 26 of the Regulation imposes direct obligations on deployers of high-risk AI systems in addition to the provider's obligations under Art. 16. Example B.V. implements these deployer obligations through contractual provisions in the HireIQ Subscription Agreement and Data Processing Agreement, as well as through technical design constraints that make non-compliant use architecturally impossible or contractually impermissible. The following summarises the Art. 26 obligations and how Example B.V. implements them in the deployer relationship.
| Art. 26 obligation | Obligation description | Implementation mechanism | Contractual enforcement | Status |
|---|
| Art. 26(1) | Use AI system in accordance with IFU | IFU v2.4 provided at onboarding; deployer signs acknowledgement of IFU receipt and binding nature; IFU accessible in deployer portal at all times | Subscription Agreement Clause 8.1 — "Deployer shall use the AI system only in accordance with the Instructions for Use"; non-compliance is a material breach entitling termination | Implemented |
| Art. 26(2) | Assign human oversight to competent persons | Platform access requires completion of HireIQ Deployer Training Programme; certificate stored in platform; access blocked if certificate expired (>12 months) | DPA Clause 5.3 — "Deployer shall ensure all individuals accessing HireIQ hold a valid and current HireIQ training certificate"; deployer must maintain training completion records | Implemented |
| Art. 26(3) | Suspend or interrupt use if safety/rights concerns | Deployer administrator has single-toggle vacancy-level and system-level disable; Example B.V. can remotely disable within 4 hours on written request | DPA Clause 6.1 — deployer obligated to suspend use immediately upon identifying a potential serious incident; notification to Example B.V. required within 24 hours | Implemented |
| Art. 26(5) | Notify provider of serious incidents | Deployer portal includes 'Incident Report' submission form; automated routing to AI Compliance Officer; acknowledgement within 4 business hours | DPA Clause 6.2 — deployer must report any suspected serious incident (Art. 3(49)) to Example B.V. within 3 business days; provider then assesses Art. 73 notification obligation | Implemented |
| Art. 26(6) | Ensure appropriate AI literacy of staff | Mandatory training programme (approx. 3 hours; 7 EU languages); covers AI limitations, output interpretation, human oversight obligations, candidate rights; annual recertification required | DPA Clause 5.4 — "Deployer warrants that it will ensure all HR personnel using HireIQ complete the training programme before first use and recertify annually" | Implemented |
| Art. 26(7) | Implement transparency to affected persons | Example B.V. supplies AI-Assisted Screening Notice (7 languages) and implementation guide; deployer contractually required to display notice at point of job application; compliance audit right reserved | DPA Clause 7.1 — "Deployer shall include the Screening Notice in all vacancy application forms where HireIQ is active"; failure to disclose is a material breach | Implemented |
| Art. 26(8) | Conduct own DPIA where required by GDPR | Example B.V. provides a Deployer DPIA Template (ref. DPIA-TMPL-HireIQ-2025) and guidance on conducting a DPIA for deployer-specific candidate data processing; guidance notes that deployers with >250 employees or large-scale recruitment must conduct a DPIA under Art. 35 GDPR | DPA Clause 4.3 — deployer represents that it has conducted or will conduct a DPIA as required; Example B.V. provides reasonable assistance with DPIA upon request | Implemented |
Section 11 — Quality management system overview (Arts. 16–17 EU AI Act)
Articles 16 and 17 of the Regulation require providers of high-risk AI systems to implement a quality management system that ensures their AI systems comply with the Regulation throughout the product lifecycle. The QMS must cover: (i) regulatory compliance strategy; (ii) data management procedures; (iii) change management; (iv) risk management integration; (v) post-market monitoring integration; (vi) documentation management; (vii) resource management and competence. The QMS must be documented and proportionate to the size of the provider organisation and the nature of its AI activity.
QMS framework
Example B.V.'s QMS for HireIQ is aligned with ISO 9001:2015 (Quality Management Systems — Requirements) and ISO/IEC 42001:2023 (AI Management System Standard), adapted for the specific requirements of Art. 17 EU AI Act. The QMS encompasses: (a) AI governance policy (Example B.V. AI Governance Policy v2.0, approved by Board 1 December 2024) establishing principles for responsible AI development; (b) AI risk management procedure (PROC-RM-001) implementing Art. 9 requirements; (c) Data governance procedure (PROC-DG-002) implementing Art. 10 requirements for training and validation data; (d) Change management procedure (PROC-CM-003) governing version releases and re-assessment triggers; (e) Post-market monitoring procedure (PROC-PMM-004) implementing Art. 72; (f) Incident management procedure (PROC-INC-005) implementing Art. 73; (g) Documentation management procedure (PROC-DOC-006) ensuring all Annex IV documentation is current and version-controlled.
Roles and responsibilities
AI Act Compliance Officer (Dr. A. Schmidt): overall accountability for Arts. 8–17 compliance; QMS maintenance; annual QMS review; AI Office liaison. DPO (M. van Dam): GDPR-AI Act intersection; DPIA oversight; data governance sign-off. CTO (B. Smeets): technical implementation accountability; Art. 15 cybersecurity; model update approvals. AI Ethics Committee: cross-functional committee (AI Compliance Officer, DPO, Head of Product, External Expert) meeting quarterly to review risk management findings, fairness data, and escalations. External advisors: legal counsel (van Doorne N.V.) for regulatory interpretation; DataVeritas B.V. for independent bias and anonymisation audits.
Internal audit cycle
Annual internal audit of QMS compliance conducted by AI Compliance Officer and an independent internal auditor (rotated from Finance or Legal function to ensure independence from AI product team). Audit scope: all Art. 9–15 requirements; QMS procedure adherence; documentation currency; training compliance; incident log review. Audit report presented to Board within 30 days of completion. External certification audit: ISO 9001:2015 certification by accredited certification body (Bureau Veritas — scheduled June 2025); ISO/IEC 42001:2023 consideration for FY2026.
Non-conformity management
Non-conformities identified in internal audits or post-market monitoring are recorded in the NCR register (Non-Conformity Report register), assigned to a responsible owner, given a root-cause analysis, and a corrective action plan with target completion date. NCRs are tracked monthly by the AI Compliance Officer; escalated to the AI Ethics Committee if unresolved beyond 90 days. All NCRs are reviewed at the annual QMS review and incorporated into the following year's audit scope.
Section 12 — Model performance monitoring methodology
Primary metric — Precision@k
Precision@k measures the proportion of the AI's top-k ranked candidates who were subsequently advanced to interview by a deployer recruiter. Example B.V. uses Precision@20 as the primary deployment metric (k=20 matches the default shortlist size). Ground truth labels are collected from deployer interview-outcome events with a 90-day lag (time allowed for deployer to complete interview cycle). Precision@20 is computed per deployer, per occupational category, and at aggregate platform level. Monthly reporting. Confidence interval: ±0.03 at 95% confidence level based on historical sample variance.
Rank correlation — Kendall's τ
To validate that the AI ranking is meaningfully correlated with human expert assessment, Kendall's rank correlation coefficient (τ) is computed against expert human recruiter panel rankings on a stratified sample of 200 vacancy-cycles per quarter. The expert panel independently ranks a random sample of applications (blinded to AI scores) and τ is computed against the corresponding AI ranking. Target: τ >0.60. Current average: 0.66. Computed quarterly; reported in annual performance report.
Drift detection
Model drift is detected using a Population Stability Index (PSI) computed monthly on the distribution of composite scores across new applications, compared to the baseline distribution from the test set. PSI <0.10: stable (no action); PSI 0.10–0.25: monitoring alert (investigation required); PSI >0.25: significant drift (model re-evaluation mandatory, potentially triggering Art. 16(2) change management procedure). Additionally, individual feature distributions (skills keyword frequencies, experience year distributions) are monitored for distributional shift using the Kolmogorov-Smirnov test (significance threshold: p <0.05 after Bonferroni correction for multiple testing).
Fairness evaluation benchmarks
Benchmark 1 — Four-fifths rule (80% rule): Shortlist selection rate for protected group >= 80% of the rate for the most advantaged group. Applied at aggregate level across gender (estimated), age cohort (estimated), and education credential type. Computed monthly. Benchmark 2 — Counterfactual fairness probe: Quarterly adversarial test inserting synthetic CVs identical in skills/experience but differing in gender-indicator names (e.g., 'Marie Schmidt' vs. 'Thomas Schmidt' — held constant for other attributes). Score differential >5 points on identical CVs triggers investigation. Benchmark 3 — Disparate impact score distribution: Kolmogorov-Smirnov test on score distributions between demographic groups (estimated) — statistically significant difference triggers review.
Section 13 — Model card: HireIQ v2.4.1 (Annex IV, Point 2)
A model card provides a standardised summary of the AI system's intended use, performance, limitations, and appropriate contexts. This model card is prepared per the Annex IV, Point 2 requirements and in alignment with the model card methodology of Mitchell et al. (2019) as adapted for the EU AI Act context.
High-coverage categories (≥5% training)
Software Engineering · Precision@20: 0.82Sales & Account Management · 0.79HR & People Operations · 0.81Financial Analyst · 0.78Customer Success · 0.76Project Management · 0.77Data Science/ML · 0.83Marketing & Growth · 0.75
Medium-coverage categories (1–5% training)
Healthcare Professionals · Precision@20: 0.68Legal / Paralegal · 0.61 ⚠ Limited coverage flagSkilled Trades · 0.66Research & Academia · 0.65Public Administration · 0.67
Known limitations — all categories
(1) Motivation and soft skills: Model cannot assess candidate intrinsic motivation, interpersonal communication style, or cultural fit — these dimensions are outside model scope and should be assessed via human interview. (2) Non-EU credentials: Model performance degrades for non-EU academic credentials where there are fewer than 50 training examples for that institution type; affected candidates are flagged for manual review. (3) CV length bias: Longer CVs with more keywords receive marginally higher NLP sub-scores; recruiter dashboard includes a "CV length normalised score" view to mitigate this. (4) Assessment score calibration: Where deployers use non-standard assessment tools (not pre-calibrated for HireIQ integration), score weights are reduced and labelled "uncalibrated assessment" in the dashboard. (5) Language bias: System performs best on CVs in English, German, Dutch, French; accuracy for CVs in other EU languages (Italian, Spanish, Danish) is approximately 8–12% lower (Precision@20) and is disclosed as a limitation.
Prohibited use cases
The following uses of HireIQ are explicitly prohibited by contractual terms and are technically constrained where technically feasible: (1) Automated rejection of candidates without human review (technical constraint: mandatory human confirmation workflow); (2) Use for assessing existing employees for disciplinary action or dismissal — system is designed exclusively for candidate recruitment screening; (3) Repeated assessment of the same candidate for the same vacancy type without updated input data (system tracks candidate-vacancy pairs; alerts on duplicate assessment within 6 months); (4) Use as the sole basis for any decision producing legal effects or similarly significant effects on candidates (Art. 22 GDPR prohibition; also IFU contractual requirement); (5) Use in sectors or occupational categories for purposes other than recruitment selection (e.g., use for credit assessment, insurance risk, or law enforcement — entirely outside system scope and contractually prohibited).
Section 14 — Change management and version control (Art. 16(2) EU AI Act)
Article 16(2) requires providers to have a systematic approach to managing changes to their high-risk AI systems, particularly where changes may affect the system's compliance with the Regulation. The Regulation distinguishes between changes that constitute a "substantial modification" under Art. 3(23) — which may require a new conformity assessment — and minor changes that can be managed within the existing documentation framework. The following procedure governs all changes to HireIQ.
Major version (x.0.0)
Definition: Change to core model architecture; complete retraining on new dataset; fundamental change to scoring methodology; addition or removal of a primary input data type; change to human oversight workflow design. Assessment requirement: Full re-assessment under Annex IV (new technical documentation or comprehensive update); new DPIA if data processing changes materially; FMEA risk management re-run; fairness audit by external auditor (DataVeritas B.V.); AI Ethics Committee approval before deployment; updated DoC. Deployer notification: 90 days advance notice; mandatory re-training for deployers.
Minor version (x.y.0)
Definition: Model fine-tuning on additional data (same data type/schema); performance optimisation not affecting scoring methodology; addition of new occupational category coverage; UI/UX improvements to recruiter dashboard; integration of new ATS platform. Assessment requirement: Updated technical documentation sections; bias metrics re-evaluated on updated model; AI Compliance Officer sign-off; DPO sign-off if data processing changes; updated IFU if usage guidance changes. Deployer notification: 30 days advance notice; training re-certification if IFU material changes.
Patch version (x.y.z)
Definition: Bug fix; security patch; infrastructure configuration change; performance monitoring configuration update; no change to model weights, scoring logic, or training data. Assessment requirement: Internal review by CTO; regression testing confirming no change to output distribution (PSI <0.05 pre/post-patch); AI Compliance Officer notification. Documentation updated only where patch resolves a documented non-conformity. Deployer notification: Release notes in deployer portal within 24 hours of deployment.
Version history (current)
v1.0 (March 2024) — initial commercial deployment; distilBERT + XGBoost ensemble; 4 deployers. v2.0 (July 2024) — expanded training dataset (+640,000 records); improved bias mitigation; NLP model upgraded from distilBERT to larger BERT-base variant; FMEA re-run; new DPIA. v2.3.0 (October 2024) — boundary flagging feature added; ATS integrations (Greenhouse, Personio); performance monitoring telemetry v2. v2.4.0 (December 2024) — Occupational Category 23 limited-coverage flag; counterfactual fairness probe implemented. v2.4.1 (January 2025) — patch: IFU cross-reference link fix; minor performance optimisation; no model changes.
Section 15 — GDPR Data Protection Impact Assessment summary (Art. 35 GDPR)
Reference: DPIA-HireIQ-2025-001. Completed: 20 January 2025. DPO: M. van Dam. Controller approval: J. de Vries (CEO). This DPIA was triggered by Art. 35(3)(a) GDPR — systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling, which produces legal or similarly significant effects — and by the EDPB's criteria for mandatory DPIAs (WP248 rev.01): large-scale processing; use of innovative technology; systematic profiling.
Processing by Example B.V. (provider)
As the HireIQ provider, Example B.V. processes: (i) candidate application data submitted by deployers via the API (CV text, cover letters, assessment scores — all pseudonymised post-processing); (ii) per-candidate explanation records retained 6 months; (iii) aggregated inference logs (pseudonymised) retained 12 months for post-market monitoring. Deployers are the primary controllers for candidate data; Example B.V. acts as a sub-processor under each deployer's DPA. As sub-processor, Example B.V. processes candidate data solely on the deployer's documented instructions and for no other purpose.
Necessity and proportionality
Processing of candidate application data is strictly necessary to deliver the contracted AI screening service. No less intrusive technical means of generating a ranked shortlist without processing candidate application content have been identified; the system's core value proposition requires the analysis of candidate skills and experience data. PII stripping at preprocessing eliminates processing of unnecessary identifying attributes; the resulting data is limited to the minimum required for skills and experience assessment.
Risk 1 — Discriminatory effect on candidates (protected characteristics)
Likelihood: Medium (inherent); Low-Medium (post-mitigation). Automated scoring of candidate profiles may produce a disparate impact on candidates from protected groups despite PII stripping, through proxy discrimination (e.g., university name correlating with nationality; career gap correlating with gender). Mitigation: monthly fairness metrics monitoring; counterfactual fairness probe quarterly; boundary flagging; 14,802 biased training records excluded pre-training; deployer training on AI limitations. Residual risk: Low-Medium — some residual proxy discrimination risk inherent in any ML system processing human-generated text; mitigated but not eliminated.
Risk 2 — Violation of Art. 22 GDPR (automated decision-making)
Likelihood: Low (by design). System design ensures human recruiter must confirm all consequential decisions; no legal-effect decision is made solely by the AI. Contractual prohibition on deployer bypassing human review. Technical enforcement of human-in-the-loop workflow. Residual risk: Very Low — risk exists only if deployer deliberately circumvents controls in breach of DPA; deployer assumes sole liability for Art. 22 violation in such circumstances per DPA Clause 9.
Risk 3 — Data breach exposing candidate personal data
Likelihood: Low (mitigated). Candidate data is encrypted at rest (AES-256) and in transit (TLS 1.3); multi-tenant isolation prevents cross-deployer data access; access controls enforced via OAuth 2.0; quarterly CREST penetration testing; SOC 2 Type II. Residual risk: Low — breach risk is inherent in any cloud-deployed application; mitigated to industry-standard level.
DPO opinion (20 Jan 2025)
The processing activities described in this DPIA are, in my assessment, conducted on a lawful basis (Art. 6(1)(b) as sub-processor following deployer instruction, and Art. 6(1)(f) for provider monitoring activities), are proportionate to the legitimate purpose of providing an AI-assisted recruitment screening service, and are subject to adequate safeguards. The identified risks have been appropriately mitigated. I note the residual medium risk for discriminatory effect and emphasise that the quarterly counterfactual fairness probe must be treated as a mandatory control, not an advisory measure. Any finding from the counterfactual fairness probe showing a >5 point systematic score differential on gender-indicator-matched CVs will require immediate model investigation and, if confirmed at population level, a serious incident classification. I provide a positive opinion on this DPIA and do not recommend prior supervisory authority consultation under Art. 36(1) GDPR. — M. van Dam, DPO, 20 January 2025.
Section 16 — EU Declaration of Conformity (Art. 47 + Annex V) — draft
Article 47 of the Regulation requires providers of high-risk AI systems to draw up an EU Declaration of Conformity (DoC) pursuant to Annex V of the Regulation. The DoC must be kept at the disposal of national competent authorities for 10 years from the date the high-risk AI system has been placed on the market or put into service. The DoC must cover the AI system in the same format as the product it accompanies. The following is the draft DoC for HireIQ v2.4.1 as at the date of this documentation package. The DoC will be formally executed and registered with the Dutch market surveillance authority (RDI) upon the establishment of the national registration procedures and EUAIO database.
Provider
Example B.V., Fictielaan 1, 1000 AA Amsterdam, Netherlands. KvK: 12 34 56 78. Contact: compliance@examplebv.example (IANA-reserved — illustrative).
AI system identification
HireIQ v2.4.1, build 20250108. AI-Assisted HR Screening and Recruitment Module. Category: Standalone software AI system. Intended purpose: AI-assisted shortlisting of job candidates based on CV analysis, skills matching, and standardised assessment scoring for use by HR recruiters as a decision-support tool.
Declaration
Example B.V. declares under its sole responsibility that the high-risk AI system identified above is in conformity with Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024, including the applicable requirements of Chapter III, Section 2 (Articles 8–15) and the obligations of Chapter III, Section 3 (Articles 16–25) for providers of high-risk AI systems. This declaration is made on the basis of the conformity assessment procedure described in Annex VI of the Regulation (internal control), applied as documented in this Technical Documentation Package (KTV-AIACT-2025-EXB-001 v1.2). Note on pending items: Conformity with Art. 47 (EU database registration) and Art. 17 (formal ISO 9001:2015 certification) is pending completion of external procedural steps; substantive conformity is achieved. This declaration does not substitute for the formal DoC that will be executed upon completion of MSA registration procedures.
Applicable harmonised standards
No harmonised EU standards have been adopted pursuant to Art. 40 of the Regulation as at the date of this declaration. Example B.V. monitors the European Commission standardisation mandate to CEN/CENELEC and will update this declaration to reference applicable harmonised standards upon their adoption and application. Reference standards applied voluntarily: ISO/IEC 42001:2023 (AI Management System Standard); ISO/IEC TR 24027:2021 (Bias in AI systems and AI aided decision making); ISO/IEC 23894:2023 (AI risk management).
Signatory
J. de Vries, Chief Executive Officer, Example B.V. Countersigned: Dr. A. Schmidt, AI Act Compliance Officer, Example B.V. Date: 3 March 2025 (draft — pending formal execution). The technical documentation upon which this declaration is based is maintained at the above registered address and will be made available to any competent national authority within 10 business days of a written request.
Appendix I — Annex IV point-by-point compliance mapping
| Annex IV point | Requirement summary | Addressed in | Evidence | Status |
|---|
| Point 1 | General description of AI system: intended purpose, version, hardware/software requirements, description of system components, trained models used, and system instructions | Sections 1, 2, 13 | System Architecture Spec SA-HireIQ-2025; IFU v2.4; Model Card MC-HireIQ-v2.4-2025 | Complete |
| Point 2(a) | Description of training methodologies, techniques and procedures used to develop and train the AI system | Sections 2.1, 3.1 | ML Training Specification ML-TRN-2025-001; DataVeritas audit DVB-ANON-2024-0042 | Complete |
| Point 2(b) | Design specification, including the general logic of the AI system and of the algorithms; the key design choices including the rationale and assumptions made; main classification choices; what the system is designed to optimise for | Sections 2.1, 13 | Design Specification DS-HireIQ-v2.4; Model Card | Complete |
| Point 2(c) | Description of system architecture; computational resources used; architecture diagrams showing components and data flows | Section 2.1 | Architecture Diagram AD-HireIQ-2025-001; AWS infrastructure specs | Complete |
| Point 2(d) | Data requirements and data governance practices including specification of training, validation and testing data; assessment of availability, quantity, and suitability of data | Section 3 | Data Governance specification DG-HireIQ-2025-001; DataVeritas ANON and BIAS audits | Complete |
| Point 2(e) | Assessment of human oversight measures: instructions for use; level of accuracy, robustness and cybersecurity as set out in Art. 15 | Sections 5.1, 5.2, 5.3 | IFU v2.4; UX specification UX-HireIQ-2025-001; Performance report | Complete |
| Point 2(f) | For AI systems listed in Annex III, documentation on training, validation, and testing data pursuant to Art. 10(2) — source data sheets for all datasets used | Section 3.1 | Data Source Register DSR-HireIQ-2025; licensing agreements with 6 data providers on file | Complete |
| Point 3 | Detailed information about the monitoring, functioning and control of the system, including with regard to: capabilities and limitations in performance; the level of accuracy for specific persons, groups, or in specific contexts | Sections 5.3, 12, 13 | PMM plan PMM-HireIQ-2025-001; quarterly performance reports; Model Card | Complete |
| Point 4 | Description of changes made to the system in the course of its lifecycle | Sections 11, 14 | Version history in this document; PROC-CM-003 change log | Complete |
| Point 5 | List of harmonised standards applied; other relevant standards and specifications applied | Section 16 (DoC) | Standard reference list in DoC draft; ISO/IEC 42001:2023 application documented | Complete |
| Point 6 | Copy of the EU Declaration of Conformity | Section 16 | DoC-HireIQ-v2.4-DRAFT; formal execution pending MSA registration procedure | Draft — pending MSA registration |
| Point 7 | Where applicable, instructions for use for deployers including: intended purpose; performance levels; known or foreseeable circumstances that may lead to risks; technical measures for human oversight | Section 5.1 (summary); IFU v2.4 (full) | IFU-HireIQ-v2.4 (48 pages — on file); candidate transparency notice CTN-HireIQ-2025-001 | Complete |
Appendix II — Detailed risk register
R-01 — Discriminatory shortlisting (residual medium risk)
Proxy discrimination through CV text patterns correlating with protected characteristics. Mitigations: PII stripping; fairness monitoring; bias exclusions pre-training; boundary flagging; counterfactual testing. Control evidence: DVB-BIAS-2024-0071; monthly fairness metric reports. Owner: AI Compliance Officer. Next review: Q2 2025.
Medium · Inherent: High · Residual: Low-Medium
R-02 — Over-reliance by deployers / Art. 14 violation
Deployers treating AI output as autonomous decision rather than decision-support. Mitigations: mandatory human confirmation; persistent disclaimer; deployer training; Art. 26 contractual obligations. Control evidence: UX-HireIQ-2025-001; training completion logs FY2024. Owner: Head of Product. Next review: Q2 2025.
Low · Inherent: High · Residual: Low-Medium
R-03 — Model performance drift over time
Labour market evolution causing model metrics to degrade without detection. Mitigations: PSI drift detection; KS test on feature distributions; monthly Precision@20 reporting; quarterly Kendall τ re-evaluation; 5%/10% degradation alert/action thresholds. Control evidence: PMM-HireIQ-2025-001; monthly metric dashboard. Owner: CTO. Next review: Q2 2025.
Low · Inherent: Medium · Residual: Low
R-04 — Data subject rights / transparency violation
Candidates not informed of AI use; Art. 15/22 GDPR rights not fulfilled. Mitigations: provider-supplied transparency notice; per-candidate explanation records; 6-month retention; deployer DPA obligations; Art. 26(7) contractual mandate. Control evidence: CTN-HireIQ-2025-001; explanation log retention configuration. Owner: DPO. Next review: Q2 2025.
Low · Inherent: Medium · Residual: Low
R-05 — Cybersecurity attack on model or candidate data (NEW — v2.0)
Model extraction attacks; adversarial inputs; API abuse; candidate data breach. Mitigations: model weights encrypted + HSM-backed key management; rate limiting; CREST quarterly pen testing; SOC 2 Type II; adversarial input testing (keyword stuffing — bounded effect; prompt injection — no effect confirmed in pen test). Control evidence: PT-EXB-2024-HireIQ-01; SOC2-EXB-2024. Owner: CTO. Next review: Q2 2025.
Low · Inherent: Medium · Residual: Low
R-06 — Misuse for non-recruitment purposes (NEW — v2.3)
Deployer using HireIQ for employee assessment (disciplinary, redundancy selection) or for screening beyond recruitment. Mitigations: contractual prohibition; technical scope constraints (vacancy-based context only); candidate-vacancy pair duplicate alert; deployer agreement acknowledgement at setup. Control evidence: Subscription Agreement Clause 8.3; DPA Clause 3.1; deployer onboarding log. Owner: Head of Sales + Legal. Next review: Q2 2025.
Low · Inherent: Medium · Residual: Low
Appendix III — Technical documentation version history
| Version | Date | System version | Changes | Approval |
|---|
| v0.1 (draft) | 15 Feb 2024 | HireIQ v1.0-beta | Initial draft Annex IV documentation prepared in anticipation of v1.0 commercial launch. Sections 1–5 drafted; Sections 6–7 placeholder. DPO pre-review. | Internal draft — DPO pre-review comments 1 March 2024 |
| v1.0 | 10 March 2024 | HireIQ v1.0 | First complete Annex IV documentation package for commercial deployment. Risk register v1.0 (4 risks). GDPR DPIA v1.0 completed. Training data documentation — initial DataVeritas audit ref. DVB-ANON-2024-0010. Sections 1–7 complete. No post-market monitoring in place at launch; PMM plan drafted. | AI Compliance Officer + DPO + CEO sign-off 10 March 2024 |
| v1.1 | 5 August 2024 | HireIQ v2.0 | Major update following v2.0 model launch. Updated training data documentation (2.14M records, expanded dataset). New DataVeritas bias audit DVB-BIAS-2024-0071. Risk R-05 (cybersecurity) added. DPIA updated. Post-market monitoring plan activated. Section 12 (monitoring methodology) added. Annex IV mapping updated. | AI Compliance Officer + DPO + CTO + Board notification 5 August 2024 |
| v1.2 | 3 March 2025 | HireIQ v2.4.1 | Current version. Added: Executive Summary; Table of Contents; Sections 8–16 (post-market monitoring, serious incident procedure, deployer obligations, QMS, performance methodology, model card, change management, DPIA summary, Declaration of Conformity draft); Appendices I–III; Risk R-06 added; FY2024 monitoring highlights documented; Annex IV Point-by-Point mapping Appendix I completed; full version history Appendix III completed. | AI Compliance Officer + DPO + CEO 3 March 2025 |
AI system provider representativeJ. de Vries, Chief Executive Officer — Example B.V. AI Act Compliance OfficerDr. A. Schmidt, AI Compliance — Example B.V. Data Protection OfficerM. van Dam, DPO — Example B.V. (GDPR/AI Act intersections) Prepared byKortave Compliance Platform · Version 1.2 · 3 March 2025