Germany, Eyes

Germany Eyes Data Protection Relief for Small Firms as AI Recruiting Rules Take Effect in August

04.07.2026 - 07:55:14 | boerse-global.de

From August 2, 2026, German employers must label AI use in recruitment. The reform also tightens sick notes, extends fixed-term contracts, and outlines GDPR relief—pending EU approval until 2028.

German Reform Package: AI Act Deadlines, GDPR Easing, and Labor Law Changes
Germany - Germany Eyes Data Protection Relief for Small Firms as AI Recruiting Rules Take Effect in August 04.07.2026 - Bild: über boerse-global.de

A sweeping reform package adopted by the German federal government on 2 July 2026 touches everything from sick-leave attestations to fixed-term contracts, but the most immediate deadline for many employers is a transparency obligation under the EU's Artificial Intelligence Act that kicks in on 2 August 2026. From that date, companies must clearly label any use of AI when interacting with job candidates, including chatbots, emotion-recognition systems, or AI-generated content such as images and text.

The new requirements stem from Article 50 of the AI Act. For fully integrated AI systems already in place, a transitional period runs until 2 August 2028. The Omnibus VII package also adjusted deadlines for high-risk AI systems: standalone systems must comply by 2 December 2027, embedded systems by 2 August 2028. Some outright bans on practices involving deepfakes will apply from 2 December 2026.

According to the "Talent Trends Study 2026" by Michael Page, 67 percent of German job seekers already use generative AI in their applications, while 55 percent of employers deploy AI tools in recruiting. Among those companies, 79 percent report positive effects on writing job ads and 58 percent on screening résumés.

Parallel to the AI rules, the coalition committee has outlined plans to ease data-protection burdens under the General Data Protection Regulation for non-commercial activities, small and medium-sized enterprises, and low-risk data processing — for example, simple customer lists used by tradespeople. The package envisions a national data law code and a stronger consolidation of supervisory structures, as well as a reduction in the number of mandatory in-house data protection officers.

However, any relaxation of GDPR obligations requires approval at EU level, and the earliest possible implementation is 2028. Until then, current rules apply in full. Violations still carry penalties of up to €20 million or 4 percent of global annual turnover.

On the labour side, the 2 July reform introduces concrete changes. The telephone-based sick note will be abolished, replaced by a requirement for a medical certificate from the first day of illness. Falsified sick notes will face stiffer sanctions. For fixed-term contracts without a specific reason, the maximum duration rises to four years with up to six extensions allowed; the requirement for written form is dropped. For high earners, the reform promotes severance-package solutions to give employers more planning certainty in dismissal cases. Tax incentives aim to boost job mobility.

Labour courts received new guidance from the European Court of Justice in a ruling on 19 March 2026 (case C?526/24). The court clarified that even a first request for information under Article 15 of the GDPR can be considered abusive if the data controller can prove excessive or improper intent. Compensation for refused access is only available if actual harm has occurred.

Companies with 150 or more employees face additional documentation duties under the EU Pay Transparency Directive, with the first official reporting date for analysing the gender pay gap set at 7 June 2027. Software solutions are expected to help automate such analyses in a GDPR-compliant manner.

Despite the promised deregulation, data management remains a weak spot. Many HR departments still rely on manual processes, insecure Excel spreadsheets, or paper files, raising the risk of leaks and opacity. Specialists recommend a shift to centralised systems with clear permission concepts and regular staff training — human error, they note, is still the primary cause of data breaches.

en | boerse | 69684940 |