
In brief

Artificial intelligence (AI) systems can help improve work processes, yet they also carry the risks of liability, penalties, and reputational damage. Companies deploying AI must understand their responsibilities and obligations under the current regulatory frameworks within the EU and the anticipated requirements of the EU AI Act. Particularly for the HR department, it is prudent for HR managers to implement the following basic principles regarding AI.


  1. Introduction of standardized AI rules
  2. Compliance with data protection
  3. Compliance with the co-determination rights of the workforce
  4. Risks of non-compliance
  5. Recommendation

Introduction of standardized AI rules

Before implementing AI, companies need to carefully plan their AI strategy and introduce internal company guidelines on AI. These guidelines should be set out in a corporate-wide AI policy and should include, among others, the following rules:

  • The use of AI should only be permitted following the completion of AI introductory training. Employees should only be allowed to continue using AI after completing AI training courses as prescribed by the company.
  • Employees may only use AI systems approved by the company and only for business purposes.
  • AI may only be used for certain tasks, e.g., creating tables and texts, revising presentations, summarizing articles, and creating LinkedIn posts.
  • Employees should ensure that end products or work results produced by AI are clearly labeled as being generated by AI.
  • Employees should not input business secrets, confidential information and personal data into the AI system.
  • Employees must check AI-generated content for accuracy and compliance with applicable laws. If they are unclear about whether the content is compliant, employees must seek the opinion of the legal department.
  • Employees using AI are required to consult with the legal department before publishing AI-generated content to ensure compatibility with IP rights, personal rights, and trademark rights.

Compliance with data protection

AI should only be used in the workplace if the company implements a comprehensive data security strategy. To be compliant with data protection laws, companies must take the following steps before implementing AI systems:

  • The company must assess the types of data categories that AI can process and ensure that the processing is based on a specific legal basis. For non-sensitive data, processing can usually be justified on grounds of legitimate interest. However, when processing sensitive data (e.g., health data, data on trade union membership, information on the origin or sexual orientation, etc.), the processing must be based on a regulation provided by law or a collective agreement (e.g., on the basis of payroll obligations or to fulfill reporting obligations to authorities) or alternatively be based on a works council agreement.
  • Furthermore, data processing via AI must serve a specific and legitimate purpose (e.g., organizing working timetables and shift schedules, organizing employee absences) and may only take place if necessary to achieve that purpose.
  • The company must also inform employees about the data that is being processed, the purpose of the data processing, the means used for the data processing, and the legal basis for the processing.
  • Depending on the technical capabilities of the AI system, the company must also carry out a data protection impact assessment. This is particularly necessary if the impact of AI on the workforce is difficult to assess.
  • When transferring employee data to third parties (e.g., where the AI software is not hosted on the company’s local servers or where the company allows group companies to access employee data), the company is also obliged to agree terms with third parties on protecting customer and employee-related data. There are further obligations to consider when transferring data to third countries.
  • If AI systems enable automated decision-making in HR management, the company must ensure that the automated decision-making process is only a preliminary process and that the final decision is made by a human being.

In addition, employees can submit requests to the company for information about their personal data being processed. If necessary, employees can escalate their concerns to the data protection authority.

Compliance with the co-determination rights of the workforce

  • A company must obtain the works council’s consent via a works council agreement before implementing AI models.
  • Where there is no competent works council, a company needs to obtain the individual contractual consent of the employees if the AI system is invasive.
  • Where there is a competent works council, companies must proactively inform the works council about the following before using AI for the first time: the data categories of the processed employee data, the software used, the specific programs installed, any evaluation and processing procedures (e.g., the possibility of linking, duplicating, changing data), and any recipients of this data.
  • Furthermore, the works council has a right to be consulted and advised on the health effects of the AI system on the workforce. The works council can also request access to the AI system.

Risks of non-compliance

Penalties: Employees can initiate a complaint against their employer for breaches of data protection obligations. If the data protection authority confirms the existence of violations, this may trigger administrative fines of up to EUR 20 million or up to 4% of the annual global turnover, whichever is higher.

Damages and discrimination cases: Employees have the right to sue for damages if there are data protection violations and discriminatory AI results and to initiate discrimination proceedings before the authorities and courts.

Injunctions: In the event of non-compliance with co-determination rights, the works council can enforce the deactivation of the AI system via a court ruling, in some cases even via a preliminary injunction.

Reputational damage: Companies will not only be exposed to financial and legal risks. As proceedings before administrative authorities and courts are open to the public, they can also trigger reputational damage.


Recommendation

Several steps must be taken before implementing any AI systems to leverage their potential while ensuring HR compliance. These steps will also help organizations to prepare for their obligations under the EU AI Act. Not only is it necessary to introduce clear AI guidelines, but it is also vital to create awareness within the workforce regarding AI. This is the only way to prevent or at least reduce liability, penalties, and reputational damage. In addition, early engagement with the works council on the potential implementation of AI will help accelerate the implementation process of AI.



Philipp Maier is a partner and head of the Baker McKenzie Employment Law Practice Group in Vienna. He joined Baker McKenzie Austria in 2009 as an associate of the employment law practice group. Prior to that, Philipp worked for several years in the employment law department of Freshfields Bruckhaus Deringer and in the litigation department of Wolf Theiss Rechtsanwälte. He also completed an internship at Aichelin Heat Treatment Systems (Detroit, USA).


Mag. Simone Liebmann-Slatin, MSc. joined Baker McKenzie as a partner in 2003. Since 2011, Ms. Liebmann-Slatin has been a senior counsel in the Vienna office and is a member of the employment law practice group. She regularly delivers presentations on issues related to employment law in Austria, and is an active contributor to various publications, webinars and workshops.


Andrea Haiden is a Senior Associate in Vienna and has over eight years of legal experience in Employment Law. She has a strong focus on multinational clients of all industrial levels and advises them on all aspects of employment law in domestic and international contexts alike.
Her fields of expertise concern employment and pension related work in transactional projects, including post-integration work, restructurings, negotiations with employee representative bodies, employment related compliance and litigation matters, cross-border employment and immigration, as well as compensation matters. Andrea Haiden is currently doing her dissertation on transactional aspects of pension schemes at the University of Vienna.
