Data Protection Impact Assessment

1. Description of Processing

Purpose of processing

Talenteria processes personal data to provide AI-powered recruitment services, including resume screening, candidate matching, AI interviews, and candidate analytics.

Nature of processing

  • Analyze resumes and applications against job requirements and configured criteria
  • Conduct structured AI interviews (voice, video, and/or text) and generate transcripts
  • Generate scores, summaries, and insights to support recruiter review

Data subjects

  • Job candidates (external applicants)
  • Internal employees (for internal mobility or assessments, where enabled)
  • Recruiters and hiring managers (limited account data)

Categories of personal data

  • Identification data (e.g., name, email, CV details)
  • Professional data (experience, skills, education)
  • Audio/video recordings and transcripts (AI interviews)
  • Assessment results and scores

Special categories of data

Talenteria does not intentionally process special categories of personal data. Any incidental special-category data provided by candidates is processed strictly under customer instructions.

2. Legal Basis for Processing

  • Customers (Data Controllers): Legitimate interest (recruitment and talent assessment) and/or candidate consent where required.
  • Talenteria (Data Processor): Processes personal data only on documented customer instructions (GDPR Art. 28).

3. Use of OpenAI and International Transfers

Where enabled, Talenteria transfers limited data to OpenAI as a sub-processor to perform AI processing (e.g., summarization, scoring, transcript analysis).

  • Data may be processed in the United States and other jurisdictions depending on OpenAI infrastructure.
  • Transfers are safeguarded via Standard Contractual Clauses (SCCs) and/or the EU–U.S. Data Privacy Framework (DPF) where applicable.
  • Talenteria uses zero-data-retention mode where available: data is processed transiently and is not used for model training.

4. Necessity and Proportionality

  • Processing is necessary to deliver the contracted recruitment automation features requested by customers.
  • Only the minimum data required is processed and transferred to subprocessors (data minimization).
  • Customers control what processing is enabled (e.g., AI interviews, analytics) and configure retention where applicable.
  • Human review is supported and expected before making hiring decisions.

5. Risks to Data Subjects

 

Risk | Description
Unauthorized access | Risk of exposure or unauthorized access to personal data due to compromise or misconfiguration.
International transfer risk | Risk related to processing outside the EU/EEA and potential access requests under non-EU laws.
Bias or unfair profiling | Risk that automated scoring or summaries could lead to unfair outcomes if used without appropriate oversight.
Transparency risk | Risk that candidates may not understand the role of AI in the process without clear notices.

6. Measures to Mitigate Risks

Technical measures

  • Encryption in transit and at rest
  • Role-based access controls (least privilege)
  • Audit logging and monitoring
  • Data minimization and configurable retention controls

Organizational measures

  • GDPR-compliant DPAs with customers and subprocessors
  • Sub-processor due diligence and ongoing oversight
  • Confidentiality obligations and security training
  • Incident response process aligned with breach notification duties

AI-specific safeguards

  • Structured criteria and consistent evaluation logic to reduce variability
  • Explainable outputs (scores, summaries, transcripts) and auditability
  • Human-in-the-loop: AI supports decisions; it does not replace reviewer judgment
  • No solely automated decisions with legal or similarly significant effects without human review

7. Conclusion

The processing activities conducted by Talenteria, including the use of OpenAI where enabled, are designed to comply with GDPR and applicable data protection requirements. Appropriate safeguards are in place to mitigate identified risks. Based on the current assessment, prior consultation with a supervisory authority is not required under GDPR Article 36.