Development of Artificial Intelligence Systems: CNIL Recommendations for GDPR Compliance

On July 22, 2025, CNIL published valuable recommendations to ensure AI development respects GDPR and fundamental rights.

Here are the key takeaways we see as most relevant for our work in tech recruitment:

Clear purpose: Every AI project must have a defined and legitimate purpose. When we connect developers with clients, we emphasize clarity on why data is being used and how it supports the project.

Transparency of roles: Defining who is the data controller, who is the processor. In our hiring processes, we ensure developers understand whether they act for the client or via our agency when handling data in AI projects.

Proper legal basis: Consent, contractual need, or legitimate interest. We encourage both clients and candidates to always evaluate whether data use is necessary, proportionate, and explainable to the people affected.

Data minimization: Collect only what is strictly necessary. In our agency, we apply this to candidate profiles: we keep information lean, anonymize when possible, and recommend anonymized test data for technical assessments.

Reasonable retention: No endless storage. We set clear timelines for how long candidate data is kept and make sure it’s deleted or anonymized once its purpose is fulfilled.

Clear information: People must know how their data is used. We commit to making sure every candidate understands the purpose of processing and their rights to access, correct, or delete data.

Security and risk management: Tech recruitment also means safeguarding data. We require secure testing environments (encryption, access controls, audit trails), and encourage developers to perform DPIAs (Data Protection Impact Assessments) when building AI systems that handle sensitive or large-scale data.

For us, these recommendations highlight what should guide our sector: helping clients build strong AI teams while ensuring data privacy is never compromised.

Building trust in recruitment and in technology goes hand in hand. Ethical hiring practices and responsible AI aren’t just legal obligations, they’re a competitive advantage.

Read more (in French): https://www.cnil.fr/fr/developpement-des-systemes-dia-les-recommandations-de-la-cnil-pour-respecter-le-rgpd