AI Audit Checklist for Employee Background Checker Under GDPR

AI systems used in employment screening — including background checks, candidate profiling, and suitability assessment — fall within the high-risk category under EU AI Act Title III. Document this classification formally, with reference to the specific use case, the data categories processed, and the decision types supported. This document becomes part of your technical documentation file. In your technical documentation, you must describe the system's intended purpose, its operational boundaries, and the categories of persons whose fundamental rights may be affected. You must also identify the specific Annex III, point 4 use cases that apply, such as recruitment, selection, or ongoing employment decisions. List every data category the system processes — including biometric, psychometric, or behavioural data — and explain how each contributes to the final decision. Clearly state whether the system supports, overrides, or replaces human judgment. This document serves as the anchor for all subsequent compliance activities, including risk management, data governance, and conformity assessment. It must be version-controlled, traceable, and aligned with the actual deployment environment.

Why: Deploying a high-risk AI system without completing mandatory conformity assessment requirements under EU AI Act Title III constitutes a violation of the regulation. The classification decision is not optional — it triggers a specific set of obligations that must be met before the system goes live.

EU AI Act (Regulation (EU) 2024/1689), Title III — High-Risk AI Systems; Article 6 — Classification rules for high-risk AI systems; Annex III, point 4

Map every data category the system processes — criminal records, employment history, educational credentials, identity documents, reference data — to a named lawful basis under GDPR Article 6(1). Legitimate interest, legal obligation, and consent have different operational consequences: legitimate interest requires a balancing test documented in writing; consent requires freely given, specific, informed, unambiguous agreement that cannot be conditioned on employment. Do not use a single blanket basis for all categories.

Why: Processing without a lawful basis is among the most serious GDPR violations. Background check data frequently includes special categories of data (criminal records, health indicators) that require additional bases under GDPR Article 9. Absence of documented lawful basis leaves the organisation with no defence in a DPA investigation.

GDPR (Regulation (EU) 2016/679), Article 6(1) — Lawfulness of processing

Criminal conviction data, health-related information, and trade union membership are special categories under GDPR. Many background checking systems inadvertently capture these through unstructured text fields, reference interview summaries, or third-party database queries. Audit every data input to the AI model and confirm each has a specific legal basis beyond Article 6(1). The CNIL has addressed these categories in its Referential relating to the processing of personal data for HR management purposes (Référentiel relatif aux traitements de données à caractère personnel mis en œuvre aux fins de gestion du personnel), published in 2020, which sets out expectations for lawful basis and data minimisation in HR data processing.

Why: Processing special category data without an explicit legal basis under GDPR Article 9 carries the same maximum penalty exposure as Article 5 violations — up to €20 million or 4% of global annual turnover. National DPAs including the CNIL actively enforce this in HR contexts.

GDPR (Regulation (EU) 2016/679), Article 9 — Processing of special categories of personal data; CNIL, Référentiel relatif aux traitements de données à caractère personnel mis en œuvre aux fins de gestion du personnel, 2020

Define in writing the specific purposes for which the background check AI may process data, and confirm that output scores, flags, or profiles will not be reused for other purposes such as performance management, promotion decisions, or redundancy selection. This restriction must be built into the system's data access controls, not merely stated in a policy document. Implement technical controls that prevent output data from being written to general HR system fields accessible for other processes. Where the system is integrated with a broader HR platform, document and technically enforce the boundary between background check outputs and other HR data pools.

Why: GDPR's purpose limitation principle under Article 5(1)(b) prohibits processing personal data for purposes incompatible with those originally specified. Reusing background check outputs for other employment decisions without re-establishing lawful basis and transparency is a distinct violation, not covered by the original legal basis.

GDPR (Regulation (EU) 2016/679), Article 5(1)(b) — Purpose limitation

Conduct a field-by-field review of every input variable the AI model uses. For each field, confirm: is this data necessary to achieve the stated purpose, or is it collected because it is available? Common over-collection in background check AI includes full address history beyond what is legally required, social media profile data, and extended family information. Remove any input variable that cannot be directly linked to a documented purpose.

Why: GDPR Article 5(1)(c) requires that personal data be adequate, relevant, and limited to what is necessary. The EDPB's AI Auditing Checklist (June 2024) specifically includes data minimisation as an audit dimension for AI systems. Over-collection is a common risk area in DPA audits of HR systems.

GDPR (Regulation (EU) 2016/679), Article 5(1)(c) — Data minimisation; EDPB AI Auditing Checklist, SPE Programme, June 2024

GDPR Article 35 requires a DPIA before processing that is likely to result in high risk. AI-driven background checks meet all three EDPB criteria triggering mandatory DPIA: systematic evaluation of personal aspects, processing of sensitive data, and automated decision-making with legal or similarly significant effects. The DPIA must be initiated prior to processing — conducting it retrospectively after deployment is a violation in itself, not a remediation.

Why: Under GDPR Article 35, failure to conduct a DPIA before high-risk processing begins is itself an infringement. The Article 29 Working Party's Guidelines on Data Protection Impact Assessment (WP 248 rev.01), adopted by the EDPB, confirm that employment AI systems conducting systematic personal evaluation require a DPIA without exception. Conducting a DPIA retrospectively, after live processing has begun, does not remedy the original failure — it documents it.

GDPR (Regulation (EU) 2016/679), Article 35 — Data protection impact assessment; Article 29 Working Party, Guidelines on Data Protection Impact Assessment (WP 248 rev.01), adopted by the EDPB; EDPB AI Auditing Checklist, SPE Programme, June 2024

A GDPR-compliant DPIA for this system must include: (1) a systematic description of the processing operations and their purposes, including the AI model's logic and the types of decisions it supports or automates; (2) an assessment of the necessity and proportionality of the processing relative to its purpose; (3) an assessment of the risks to data subjects' rights and freedoms; and (4) the measures envisaged to address those risks. Many DPIAs produced for HR AI systems fail on element one — they describe the business case, not the processing operations or the model's logic.

Why: A DPIA that does not contain all required elements is not a DPIA under GDPR — it is a document that creates the appearance of compliance without providing it. DPA audit findings frequently cite incomplete DPIAs as a primary violation, distinct from the underlying processing issue.

GDPR (Regulation (EU) 2016/679), Article 35(7) — Required content of DPIA

Where a DPO has been designated, GDPR Article 35(2) requires that the controller seek their advice and document that advice within the DPIA. The DPO's role here is substantive — they must review the identified risks, the proposed mitigations, and the necessity assessment. A DPO signature on a completed document does not satisfy this requirement if they were not involved in the assessment process. Keep a dated record of DPO consultation meetings.

Why: Failure to consult the DPO in a mandatory DPIA context is a specific procedural infringement under GDPR Article 35(2). It also undermines the DPO's ability to perform their function under Article 39, creating secondary liability exposure.

GDPR (Regulation (EU) 2016/679), Article 35(2) — DPO consultation in DPIA

If the DPIA concludes that residual risks remain high after mitigation measures have been applied — particularly where the AI system makes or strongly influences decisions that could result in rejection of candidates — GDPR Article 36 requires prior consultation with the competent DPA before processing begins. In France, this means the CNIL. In Italy, the Garante. Document the outcome of this consultation and integrate any DPA recommendations into the system design before go-live.

Why: Proceeding with processing that carries unmitigated high residual risk without prior DPA consultation is a violation of GDPR Article 36. The DPA can prohibit the processing entirely. Discovering this post-launch, after live data has been processed, creates both a violation and a potential mandatory breach notification scenario.

GDPR (Regulation (EU) 2016/679), Article 36 — Prior consultation

GDPR Article 35(9) requires that, where appropriate, the controller seeks the views of data subjects or their representatives on the intended processing. For employee background checking, this typically means consulting employee representatives (works councils, trade union representatives where present) or conducting structured consultation with candidate groups. Document the method used, who was consulted, what views were expressed, and how those views influenced the DPIA findings. Opting not to consult requires documented justification.

Why: Omitting data subject views from the DPIA process, where appropriate, is a specific procedural deficiency under GDPR Article 35(9). It also weakens the overall DPIA as a risk assessment instrument — candidates and employees routinely identify risks that technical teams miss.

GDPR (Regulation (EU) 2016/679), Article 35(9) — Seeking views of data subjects

A DPIA is not a one-time document. Establish and document the conditions that require a DPIA review: model retraining with new data categories, expansion of the system to new jurisdictions, changes to the decision types the AI supports, integration of new data sources. A practical implementation tip: add DPIA review as a mandatory gate in your AI system change management process, using the same workflow you apply to production code deployments. Tools like OneTrust or Nymity support DPIA versioning with audit trails.

Why: A DPIA that was accurate at launch but has not been updated after material system changes no longer satisfies GDPR Article 35. If the system changes and the DPIA does not, any new risks introduced by those changes are unassessed and undocumented — which DPAs treat as equivalent to no DPIA at all for the changed functionality.

GDPR (Regulation (EU) 2016/679), Article 35 — Data protection impact assessment; EDPB AI Auditing Checklist, SPE Programme, June 2024

GDPR Article 22 prohibits solely automated decisions that produce legal or similarly significant effects on data subjects, unless specific exceptions apply. For an employee background checker, 'significant effect' includes rejection decisions, conditional employment offers, and security clearance determinations. Map every decision workflow: which decisions does the AI output directly trigger, and which require documented human review? The distinction between 'AI recommends, human decides' and 'AI decides, human can override' is legally material — document which applies to each decision type in the system.

Why: If the system produces solely automated decisions with legal or similarly significant effects without a valid Article 22 exception (contractual necessity, legal authorisation, or explicit consent), every such decision is unlawful under GDPR. This is not a technical misconfiguration — it is a violation attached to each individual decision output.

GDPR (Regulation (EU) 2016/679), Article 22 — Automated individual decision-making, including profiling

Human oversight must be more than a policy statement. Implement it as a technical requirement: the system must require a documented human review action before any adverse employment decision is finalised. In practice, this means building an explicit approval gate in the HR workflow — not an automatic pass-through. The reviewing human must have access to the AI's reasoning output, not just its final score or flag. Implement audit logging that records who reviewed each decision, when, and what action they took. EU AI Act Article 14 establishes the human oversight obligations for high-risk AI systems, requiring that deployers assign oversight to individuals with the necessary competence, training, and authority. Article 9, which governs the risk management system, provides the broader framework within which human oversight measures are established and maintained.

Why: EU AI Act Article 14 mandates human oversight as a primary obligation for high-risk AI systems. If oversight is documented in policy but not enforced technically, a DPA audit or EU AI Act supervisory inspection will find the control ineffective — which is treated equivalently to the control not existing.

EU AI Act (Regulation (EU) 2024/1689), Article 14 — Human oversight; Article 9 — Risk management system; GDPR (Regulation (EU) 2016/679), Article 22

GDPR Article 22(3) requires that where Article 22(2) exceptions apply, the controller implements suitable measures including at minimum: the right to obtain human intervention, to express the data subject's point of view, and to contest the decision. Build a documented escalation path: who receives a contest request, what information they receive, what the response timeline is, and how the outcome is recorded. Test this path before go-live — not in theory but by running actual test cases through the process.

Why: Providing this right only in the privacy notice without an operational mechanism to exercise it is not compliance — it is a documented failure. DPA enforcement practice indicates a distinction between stated rights and exercisable rights: a right that exists on paper but cannot practically be exercised is not treated as a functioning safeguard.

GDPR (Regulation (EU) 2016/679), Article 22(3) — Safeguards for automated decision-making

EU AI Act Articles 13 and 26 establish transparency and information obligations for high-risk AI systems. Article 13 requires that high-risk AI systems be designed to enable deployers to understand the system's capabilities and limitations. Article 26 sets out the obligations of deployers, including ensuring that individuals are informed when they are subject to a high-risk AI system. Combined with GDPR Articles 13 and 14, candidates must be informed: that an AI system is used in background screening, what logic it applies, what data it uses, what types of decisions it supports, and what their rights are. This disclosure must occur before processing — not buried in a contract appendix delivered at the point of signing. Implement this as a standalone, plain-language notice. Implementation tip: use a layered notice structure — short summary of AI use at the top, full technical detail accessible via link or appendix.

Why: EU AI Act Articles 13 and 26 require transparency for high-risk AI systems. GDPR Articles 13–14 require this information as part of the privacy notice. Failing to inform data subjects about AI use in employment decisions is both a GDPR transparency violation and a potential EU AI Act infringement.

EU AI Act (Regulation (EU) 2024/1689), Article 13 — Transparency and provision of information to deployers; Article 26 — Obligations of deployers of high-risk AI systems; GDPR (Regulation (EU) 2016/679), Articles 13–14

Human oversight is only meaningful if the reviewer understands what the AI is telling them. Verify that the system produces output that a non-technical HR professional can interpret and act on: not just a score or flag, but an explanation of which factors contributed to that output and what their relative weight was. If the model is a black box producing only a numerical score, the human reviewer cannot exercise meaningful oversight — and the oversight control is ineffective. If the current model cannot produce this output, this is a design deficiency that must be resolved before go-live.

Why: The EDPB's AI Auditing Checklist (June 2024) and EU AI Act Article 14 both require that human oversight mechanisms be effective — not nominal. An explainability gap that makes oversight practically impossible is treated by regulators as equivalent to no oversight. It also undermines the data subject's right to a meaningful explanation under GDPR Article 22(3).

EU AI Act (Regulation (EU) 2024/1689), Article 14 — Human oversight; Article 9 — Risk management system; EDPB AI Auditing Checklist, SPE Programme, June 2024

Employment AI systems that produce systematically different outcomes across protected characteristics — gender, age, nationality, disability status — create discrimination liability under EU employment law independent of GDPR. Conduct a pre-deployment bias assessment: test model outputs across demographic groups using representative test data. Document the methodology, the metrics used (e.g., demographic parity, equalised odds), the results, and the mitigations applied where disparities are found. This assessment should be repeated after every model update. The relevant EU instruments establishing protected characteristics in employment are Directive 2000/78/EC (Employment Equality Directive) and Directive 2006/54/EC (Gender Equality Directive), alongside applicable national law.

Why: Discriminatory outcomes from AI employment tools create liability under Directive 2000/78/EC, Directive 2006/54/EC, and national implementing legislation, in addition to GDPR violations for processing that produces unlawful profiling effects. The EU AI Act's risk management requirements under Article 9 explicitly include assessment of risks to fundamental rights, which includes the right to non-discrimination.

EU AI Act (Regulation (EU) 2024/1689), Article 9 — Risk management system; EDPB AI Auditing Checklist, SPE Programme, June 2024; Directive 2000/78/EC — Employment Equality Directive; Directive 2006/54/EC — Gender Equality Directive

The EU AI Act requires high-risk AI systems to have a risk management system that runs as a continuous iterative process throughout the system's lifecycle — not a one-time assessment. Document: identified risks to health, safety, and fundamental rights; risk mitigation measures adopted; residual risks accepted and why; the process for updating this document when the system changes. This is distinct from the GDPR DPIA — both must exist. Placing this control in Phase 3 reflects its operational nature: the risk management system must be live and functioning from the point of deployment, not merely drafted as a pre-deployment artifact.

Why: EU AI Act Article 9 is a mandatory conformity requirement. Without a documented and operational risk management system, the system cannot lawfully remain in service as a high-risk AI system. This is not an advisory recommendation — it is an ongoing gate.

EU AI Act (Regulation (EU) 2024/1689), Article 9 — Risk management system

EU AI Act Title III requires high-risk AI system providers to maintain technical documentation demonstrating compliance with the regulation's requirements. For an employee background checker, this file must include: a general description of the system and its intended purpose; the design specifications and development methodology; the training data used and data governance procedures; the validation and testing methodology and results; the risk management system documentation; the monitoring and post-market surveillance plan; and the human oversight measures implemented. This is a living document — it must be updated whenever the system changes materially.

Why: Absence of required technical documentation is a standalone violation of the EU AI Act for high-risk systems. Supervisory authorities can request this documentation at any time. A system operating without it cannot demonstrate conformity, regardless of whether the underlying technical design is actually compliant.

EU AI Act (Regulation (EU) 2024/1689), Title III — High-Risk AI Systems

The EU AI Act requires that providers of high-risk AI systems draw up an EU Declaration of Conformity — a document in which the provider takes responsibility for the system's compliance with the regulation. This must be signed by an authorised representative, reference the specific system and version, list the applicable requirements it conforms to, and be updated when the system is substantially modified. Keep this document alongside the technical file. Do not conflate this with the GDPR DPIA — they are separate instruments serving different regulatory frameworks.

Why: Placing a high-risk AI system into service without a Declaration of Conformity is a direct infringement of the EU AI Act. It also signals to any auditor or supervisory authority that the conformity assessment process was not completed — which triggers deeper investigation.

EU AI Act (Regulation (EU) 2024/1689), Title III — High-Risk AI Systems

Document the sources of training data used to develop the background checking model, the quality criteria applied, and the steps taken to ensure the training data is representative of the population the system will be applied to. If the model was procured from a third-party vendor, obtain this documentation from the vendor as part of the procurement process — do not assume it exists. Absence of training data documentation is a common finding in EU AI Act technical file reviews and a direct risk factor for discriminatory outputs.

Why: EU AI Act requirements for high-risk systems include data governance as a core technical requirement. A system trained on unrepresentative or undocumented data cannot demonstrate that its outputs are free from discriminatory bias — which connects training data governance directly to the fundamental rights risk the EU AI Act is designed to mitigate.

EU AI Act (Regulation (EU) 2024/1689), Article 9 — Risk management system; Title III

ISO/IEC 42001 provides a management system framework for responsible AI development and deployment. Where your organisation has adopted or is pursuing this standard, ensure the technical documentation for the background checking AI is integrated into the management system's documentation structure — not maintained as a standalone file that diverges from the broader AI governance framework. Specifically, verify that the risk management documentation produced for EU AI Act compliance aligns with the ISO/IEC 42001 risk treatment methodology.

Why: ISO/IEC 42001 alignment, while not legally mandatory, provides a structured framework that strengthens the overall conformity case under the EU AI Act and supports DPA audits under GDPR. Divergence between the AI management system and the technical file creates inconsistencies that auditors will flag.

ISO/IEC 42001 — AI Management System standard; EU AI Act (Regulation (EU) 2024/1689), Article 9

If the AI system processes data in infrastructure located outside the EEA — cloud providers with data centres in non-EEA countries, third-party data verification services operating outside the EU — confirm the transfer mechanism in place: adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules. Document which mechanism applies to each data flow. Many mid-market background check systems rely on third-party data enrichment services based in the US or UK — each of these is a separate data transfer requiring a documented legal basis under GDPR Chapter V.

Why: International data transfers without a valid mechanism under GDPR Chapter V are unlawful. The Schrems II ruling and subsequent DPA enforcement actions have demonstrated that relying on vendor assurances without documented transfer mechanisms creates direct organisational liability. The CNIL and Italian Garante have both issued fines for undocumented international transfers.

GDPR (Regulation (EU) 2016/679), Chapter V — Transfers of personal data to third countries; European Commission Standard Contractual Clauses

Do not apply a single retention period to all background check data. Criminal record checks, reference verification, identity documents, and employment history data may have different retention justifications and therefore different periods. Document: the retention period, the justification (legal obligation, legitimate interest, contractual necessity), the review trigger, and the deletion mechanism. For unsuccessful candidates, retention of background check results beyond the recruitment period requires specific justification — 'we might need it' is not sufficient.

Why: GDPR Article 5(1)(e) requires that personal data be kept no longer than necessary for the purpose for which it was collected. Retaining background check data beyond the justified period is a storage limitation violation. DPA audits of HR systems routinely identify unlimited or undefined retention as a primary finding.

GDPR (Regulation (EU) 2016/679), Article 5(1)(e) — Storage limitation

Manual deletion processes fail. Document the technical implementation of deletion: which system holds each data category, what the deletion trigger is (date-based, event-based), what deletion means technically (hard delete vs. anonymisation), and how deletion is verified and logged. A practical implementation note: if background check data is ingested into the AI model as training data, confirm whether deletion of a data subject's records also requires model retraining. This is a real operational complexity that must be addressed before go-live, not after the first deletion request arrives.

Why: GDPR Article 17 (right to erasure) and Article 5(1)(e) (storage limitation) both require that data is not retained beyond its legitimate period. If deletion depends on a manual process, it is effectively unenforceable at scale. DPAs expect technical controls, not procedural commitments.

GDPR (Regulation (EU) 2016/679), Article 17 — Right to erasure; Article 5(1)(e)

Under GDPR Article 15, candidates and employees have the right to access the personal data held about them, including any AI-generated scores, flags, or profiles produced by your background check system. This means the system must be able to extract a complete, intelligible record of all data held about a specific individual — including the AI model's output and the inputs that generated it — within the 30-day response window mandated by GDPR Article 12. Test this with a synthetic DSAR before go-live. The response must be in plain language, not a raw database export.

Why: Failure to respond to a DSAR within 30 days is a direct GDPR violation under Article 12. Background check systems that cannot produce per-individual data extracts without significant engineering effort are operationally non-compliant from day one. DPAs treat DSAR failures as evidence of broader data governance deficiency.

GDPR (Regulation (EU) 2016/679), Article 15 — Right of access; Article 12 — Transparent information and communication

Where processing is based on legitimate interest, data subjects have the right to object. Define: who receives an objection, what assessment is performed, what the outcome criteria are, and what happens to the individual's background check process while the objection is being assessed. This process must be documented, tested, and operationally available — not a theoretical right buried in the privacy notice. The legitimate interest assessment (LIA) itself must be rigorous, not a form-filling exercise. For each data type, document the specific business need, why consent is not viable, why the processing is necessary, and the concrete safeguards in place. Include a genuine balancing test that weighs the business interest against the data subject's rights and reasonable expectations. This assessment must be reviewed and updated when the processing changes and must be available for supervisory authority inspection. When an objection is received, processing based on legitimate interest must stop unless you can demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms — the threshold in GDPR Article 21(1). That assessment must be performed by a qualified individual, not an automated system, and must be documented. If processing continues over the objection, that decision must be approved at an appropriate level and recorded. In the specific context of background checks, if an individual objects to the processing of their criminal record data and you cannot demonstrate compelling legitimate grounds, you must cease that processing. Your operational procedures must account for this possibility and define how the hiring workflow proceeds in that scenario.

Why: GDPR Article 21 creates an enforceable individual right. An organisation that cannot demonstrate an operational process for handling objections to AI-driven employment processing cannot defend its use of legitimate interest as a lawful basis. The absence of this process undermines the entire lawful basis structure built in Phase 1.

GDPR (Regulation (EU) 2016/679), Article 21 — Right to object

Background check AI systems frequently produce richer output data than the decision requires — detailed scoring breakdowns, risk sub-scores, confidence intervals — that are stored persistently even when the downstream decision only required a pass/fail flag. Audit what the system stores as output and compare it to what is actually used in employment decisions. Delete or suppress output fields that are not used in downstream decisions. This is particularly relevant where AI outputs feed into integrated HR platforms with broad access permissions.

Why: GDPR's data minimisation principle applies to the full data lifecycle, including system-generated outputs. Storing detailed AI-generated profiles beyond what the employment decision requires is an over-retention violation, independent of the input data minimisation assessment conducted in Phase 1.

GDPR (Regulation (EU) 2016/679), Article 5(1)(c) — Data minimisation

The EDPB published a dedicated AI Auditing Checklist in June 2024 as part of its Support Pool of Experts (SPE) Programme. This is the supervisory authority's own methodology for auditing AI systems — using it as your internal audit framework aligns your compliance review with the standard your DPA will apply if they audit you. Integrate this checklist into your annual compliance review cycle. Assign specific checklist sections to named reviewers. Document outcomes and remediation actions.

Why: Using the EDPB's own audit methodology demonstrates procedural good faith in any enforcement context. It also ensures that internal audits surface the same issues a DPA audit would find — which is the point of an internal audit. Organisations that use home-grown audit frameworks that miss EDPB checklist dimensions cannot claim comprehensive compliance review.

EDPB AI Auditing Checklist, SPE Programme, June 2024

Model performance in production diverges from test performance over time as the applicant population, the data sources, and the background checking context change. Implement monitoring that tracks: the distribution of AI output scores week-over-week, the rate of adverse decisions by demographic group, the rate at which human reviewers override AI recommendations, and any correlation between override patterns and protected characteristics. Tools such as WhyLabs, Evidently AI, or custom dashboards built on model output logs can support this. Review these metrics monthly at minimum.

Why: An AI system that was fair at deployment can become discriminatory as its operating context shifts. Without production monitoring, discriminatory drift goes undetected until a data subject complaint or DPA investigation surfaces it — by which point the harm has already occurred across potentially hundreds of employment decisions.

EU AI Act (Regulation (EU) 2024/1689), Article 9 — Risk management system; EDPB AI Auditing Checklist, SPE Programme, June 2024

Background check data — criminal records, identity documents, employment histories — is among the most sensitive personal data an organisation holds. Define a breach response procedure that covers: detection triggers, internal escalation path, DPA notification timeline (72 hours under GDPR Article 33), data subject notification criteria (Article 34), and remediation steps. The procedure must account for the AI-specific breach scenarios: unauthorised model access, training data exfiltration, output data exposure through HR system integration. Test the procedure with a tabletop exercise before go-live and annually thereafter.

Why: GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach. Article 34 requires direct notification to affected individuals where the breach is likely to result in high risk. Background check data breaches almost always meet the high-risk threshold — meaning both DPA notification and individual notification are required.

GDPR (Regulation (EU) 2016/679), Article 33 — Notification to supervisory authority; Article 34 — Communication to data subjects

Three triggers require a full compliance review, not just a monitoring check: (1) the AI model is retrained on new data or with changed architecture; (2) the system is expanded to cover new geographies, new decision types, or new employee populations; (3) the applicable regulatory framework changes materially — including EU AI Act implementing acts, EDPB guidelines updates, or national DPA guidance updates. Assign a named owner for tracking each of these triggers. Build this review requirement into the organisation's change management process.

Why: Compliance assessments conducted at a point in time do not automatically remain valid as the system or the regulatory environment changes. A DPIA or technical documentation file that has not been updated following material changes is treated by DPAs as an expired compliance instrument.

GDPR (Regulation (EU) 2016/679), Article 35 — DPIA review obligation; EU AI Act (Regulation (EU) 2024/1689), Article 9

Every background check output the AI produces, every human review action taken on that output, and every override or escalation decision must be logged with a timestamp, the reviewing user's identity, and the outcome. This audit trail serves three functions: it demonstrates effective human oversight in any regulatory review; it enables retrospective analysis of decision patterns for bias assessment; and it supports DSAR responses under Article 15. Retention of the audit log itself should match your records retention policy and be clearly scoped in the DPIA.

Why: Without an audit log, claims of human oversight are unverifiable. DPA audits and EU AI Act supervisory inspections will request evidence of oversight — assertions in policy documents without supporting logs will not satisfy this requirement. The audit log is also the primary evidentiary asset in any individual complaint investigation.

EU AI Act (Regulation (EU) 2024/1689), Article 9 — Risk management system; GDPR (Regulation (EU) 2016/679), Article 5(2) — Accountability principle

Many background checking AI systems pull data from third-party sources: credit reference agencies, criminal record databases, identity verification services. Each of these is a data processor or joint controller relationship that requires a documented data processing agreement under GDPR Article 28. Review these contracts annually to confirm: the processor is only processing data on documented instructions, adequate security measures are in place, the processor notifies you of breaches, and sub-processor chains are documented and approved.

Why: Controller liability for processor non-compliance is explicit under GDPR Article 82. If a third-party data source used by the AI system suffers a breach or processes data outside the agreed scope, the controller (your organisation) bears joint liability. Annual contract review is the minimum governance control that demonstrates due diligence.

GDPR (Regulation (EU) 2016/679), Article 28 — Processor obligations; Article 82 — Right to compensation

HR staff who regularly interact with AI background check outputs are often the first to notice systematic anomalies — patterns of surprising results, demographic skew, or outputs that contradict well-known candidate profiles. Build a formal internal channel for flagging these concerns: a named contact, a structured intake form, a documented review process, and a feedback loop to the team responsible for the model. This is distinct from the data subject contest mechanism built in Phase 3 — it is an internal quality and ethics control, not a rights mechanism.

Why: Internal challenge mechanisms are recognised by the EU AI Act's risk management framework as an effective control for high-risk AI systems. They also provide early warning of bias or performance issues before they accumulate into a pattern detectable in demographic parity metrics or a data subject complaint to a DPA.

EU AI Act (Regulation (EU) 2024/1689), Article 9 — Risk management system