Industry · May 28, 2026

HR AI That Knows When to Forget What It Learned

Leeloo Research & Analysis

A senior engineer was passed over for promotion. She filed a subject access request — her legal right under GDPR to see every piece of personal data her employer held about her. The HR AI had generated productivity scores, communication style profiles, and a predicted attrition probability. None of it had been disclosed to her. None of it had a legal basis she'd agreed to. The tribunal found against the employer. The HR AI was switched off the next day.

Your HR AI should know who your employees are — not who they used to be.

Most HR AI deployments in Europe are running in exactly the configuration that produced that tribunal outcome. The data is there. The legal basis isn't. The DPIA was never done. The employees don't know.

What Most Organizations Don't Know They're Holding

Performance data about an employee collected three years ago — when they were struggling through a difficult period — should not define an AI's recommendation about their promotion today. The HR AI that learns too well and forgets too slowly creates a permanent record of every low point, every absence, every rough review cycle. Old productivity signals, stale behavioral flags, and outdated performance dips train the model and sit in the data store long after any legitimate business purpose for them has expired.

GDPR doesn't only regulate data collection. It requires that personal data be kept for no longer than is necessary for the original purpose — and that employees be informed what data is held, and why, and for how long. GDPR Article 15 gives every employee the right to receive a copy of all personal data their employer holds. Article 22 gives them the right not to be subject to decisions based solely on automated processing that produce significant effects on them. Employment decisions — hiring, promotion, dismissal, performance review outcomes — clearly qualify.

Only 36% of organizations using AI for performance management have documented the legal basis for data processing under GDPR Article 6. 64% have not conducted a mandatory Data Protection Impact Assessment under GDPR Article 35, which is required before deploying any AI system for systematic employee profiling. And under EU AI Act Article 9, high-risk HR AI systems — which employment profiling tools are — must maintain complete technical documentation of their training data, decision logic, and human oversight mechanisms. Most current HR AI deployments in Europe have none of these documents.

Where the Compliance Gaps Actually Are

Amazon's AI recruitment screening tool was shut down in 2018 after it was discovered to systematically downgrade resumes from women — having learned gender bias from a decade of historical hiring data. The architecture failed because historical data encoded patterns that were both discriminatory and invisible until the tool had been running for years.

In 2022, Spain's data protection authority fined a major retailer 2.5 million euros for an HR AI that inferred sensitive employee characteristics — including health status — without valid legal basis under GDPR Article 9, which requires explicit consent for processing special-category data. The employer had not told employees their health-related signals were being used. The AI had derived them from behavioral patterns.

Four distinct legal risks compound each other in HR AI: automated decision-making rights under GDPR Article 22, mandatory DPIA requirements under Article 35, EU AI Act high-risk system requirements (conformity assessment, audit trail, documented human oversight), and national employment law protections — Germany's BDSG, France's CNIL guidelines, and Netherlands DPA algorithmic management rules. Each is manageable individually. Without an architecture designed for all four, together they create exposure that no single contract clause addresses.

The Specific Problem with Automated Decision-Making

Article 22 applies not just to fully automated decisions — it covers any decision where an AI recommendation is systematically followed without genuine human review. A manager who reads an AI performance summary and uses it as the basis for a dismissal — without independently reviewing the underlying evidence — may have made a decision "based solely on automated processing" in the legal sense, even though a human was technically in the loop.

Rubber-stamping an AI output doesn't create the human oversight GDPR Article 22 requires. The documentation that proves genuine review — a dated, signed record of what the human assessor reviewed and what independent judgment they applied — is what most HR AI deployments cannot produce when a labor court asks for it.

German and French labor courts are now hearing exactly these cases. Employment tribunal claims citing GDPR Article 22 violations are appearing in Arbeitsgerichte and Prud'hommes. The legal costs, settlements, and regulatory fines from a single well-argued case exceed three years of HR AI licensing. That exposure is addressable before it arrives.

The Architecture That Resolves It

Leeloo implements HR AI with configurable retention windows per data type. Real-time productivity signals expire after 90 days. Quarterly performance reviews are weighted and expire after 18 months. Annual review summaries are retained for the employee's tenure plus a legally defined post-departure period. The retention schedule matches business purpose — and when the purpose expires, the data expires.

Subject access requests return all data in a structured format, including AI-generated outputs: productivity scores, behavioral profiles, attrition predictions — everything the system holds, surfaced to the employee in a readable format within the GDPR-required 30-day window. Human oversight workflows produce a dated, signed record that satisfies Article 22 requirements. The documentation required for EU AI Act conformity assessment is auto-generated from system logs.
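As an added illustration of the per-type retention schedule and the structured subject access export described in the two paragraphs above (example code written here, not Leeloo's own implementation): the 90-day and 18-month windows come from the article, while the 24-month post-departure period, the window given to AI-generated scores, the data type names and the sample records are assumptions constructed for the example. A data type with no configured window is rejected, so nothing is stored without a documented retention purpose.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention window in days per data type: 90 days and 18 months are the article's
# schedule, the AI-output window is assumed (it follows its inputs); months = 30 days.
RETENTION_DAYS = {
    "realtime_signal": 90,
    "productivity_score": 90,    # AI-generated (assumed window)
    "quarterly_review": 18 * 30,
}
# Annual summaries: whole tenure plus a post-departure period. 24 months is a
# placeholder; the legally defined period depends on jurisdiction.
POST_DEPARTURE_DAYS = 24 * 30

@dataclass(frozen=True)
class Record:
    employee_id: str
    data_type: str
    created: date
    payload: dict
    ai_generated: bool = False

def is_expired(rec, today, departure_date=None):
    """True once a record has outlived the business purpose it was collected for."""
    if rec.data_type == "annual_summary":
        if departure_date is None:
            return False                     # still employed: kept for the tenure
        return today > departure_date + timedelta(days=POST_DEPARTURE_DAYS)
    if rec.data_type not in RETENTION_DAYS:  # fail closed: no schedule, no storage
        raise ValueError(f"no retention window configured for {rec.data_type!r}")
    return today > rec.created + timedelta(days=RETENTION_DAYS[rec.data_type])

def purge(store, today, departures):
    """Return only the records still inside their retention window."""
    return [r for r in store if not is_expired(r, today, departures.get(r.employee_id))]

def subject_access_export(store, employee_id, today, departures):
    """Structured SAR response: everything still held on one employee, AI outputs included."""
    return [{"type": r.data_type, "created": r.created.isoformat(),
             "ai_generated": r.ai_generated, "data": r.payload}
            for r in purge(store, today, departures) if r.employee_id == employee_id]

# Constructed sample data: employee ids, dates and values are made up.
TODAY = date(2026, 5, 28)
DEPARTURES = {"e-2002": date(2023, 6, 30)}
SAMPLE = [
    Record("e-1001", "realtime_signal", date(2026, 1, 10), {"score": 0.71}),  # past 90 days
    Record("e-1001", "realtime_signal", date(2026, 4, 20), {"score": 0.83}),
    Record("e-1001", "productivity_score", date(2026, 5, 1), {"score": 0.80}, ai_generated=True),
    Record("e-1001", "quarterly_review", date(2024, 9, 1), {"rating": 3}),    # past 18 months
    Record("e-1001", "annual_summary", date(2023, 12, 15), {"rating": 4}),    # still employed
    Record("e-2002", "annual_summary", date(2022, 12, 15), {"rating": 2}),    # left 2023, past window
]
```

Running `subject_access_export(SAMPLE, "e-1001", TODAY, DEPARTURES)` returns the three records still inside their windows, with the AI-generated score flagged as such; the departed employee's summary has already been purged.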

Counter-intuitively, HR AI models trained on time-limited data windows — 12-18 months of performance signals rather than five-year histories — consistently outperform longer-history models on predicting current performance and retention risk. Recent performance is a better predictor than three-year-old performance. Forgetting appropriately produces better predictions, not just more compliant ones. Managers who work directly with an employee see the same person the AI sees with a 12-month window.

What Deployment Looks Like

Deployment runs at SL1 or SL2 depending on the organization's data sovereignty requirements. At SL1 — hybrid sovereign — employee data stays in the organization's jurisdiction, non-sensitive analytics use cloud processing, and the Router decides automatically based on data sensitivity. At SL2 — full data sovereign — everything runs on the organization's own infrastructure.

Eight to twelve weeks from contract to production. The DPIA documentation, the retention schedule configuration, the human oversight workflows, and the subject access request infrastructure are all included. The organization's legal team reviews the documentation. The DPA receives it when they ask. No vendor dependency problem.

What Becomes Possible After Compliance Is Solved

Once the legal infrastructure is in place, HR AI can be used for what it's genuinely good at: identifying employees whose trajectory suggests they're underused in current roles, flagging retention risks before they become exit conversations, and surfacing patterns across performance reviews that individual managers can't see because they're working with their own team's data.

An organization that can answer the regulator's questions before they're asked — here is our legal basis, here is the DPIA, here is the retention schedule, here is the audit trail for every AI-influenced employment decision — is one where HR AI is actually deployed across workflows rather than running in a single pilot that legal approved and everyone else is afraid to expand.

Stress test: an employee in Germany contests their dismissal, citing GDPR Article 22. Discovery reveals the organization's HR AI had processed behavioral data for 47 months without a retention schedule and without a DPIA. The employer can't produce documentation that a human genuinely reviewed the AI output before the dismissal decision. Labor court orders reinstatement and damages. The regulator opens a separate investigation.

With the architecture described above, the same challenge produces a different outcome. The retention schedule was configured at deployment. The DPIA was documented before the first inference ran. The human oversight workflow produced a dated, signed record at the time of the dismissal decision. The subject access request was fulfilled in two weeks. The regulator's investigation closes in a month.

That's not a future state. It's how the architecture runs today, at organizations that made this investment before the tribunal letter arrived.
