top of page
group1111 (1).webp
image (19).webp

Your knowledge, your workflows, your GPT – build your personal HR AI in just a few steps.

image (20).webp
image (18).webp
image (17).webp

How Do I Build A GPT?

Workflow

Ellipse (7).webp

No-Code: Custom GPT in the ChatGPT Builder

Step 1 – Open & set base

  • Go to Explore GPTs → Create.

image (41).webp

  • Enter a name, description, persona and optionally upload an icon. 

image (40).webp

Step 2 –  Knowledge & Skills

  • Upload PDF/Docs under Knowledge (e.g. Policies, FAQ, Playbooks). OpenAI Help Center

  • Activate appropriate capabilities/tools (e.g. web browsing, file uploads, custom actions). 

image (39).webp

Step 3 –  (Optional) Actions for external APIs

  • Upload PDF/Docs under Knowledge (e.g. Policies, FAQ, Playbooks). OpenAI Help Center

  • Activate appropriate capabilities/tools (e.g. web browsing, file uploads, custom actions). 

image (38).webp

Step 4 – Test & Publish

  • Test in the Create tab, adjust the instructions (guidelines help).

  • Publish privately, via link, or publicly (depending on your plan). 

Data protection notice

GPTs with actions can send inputs to third-party APIs – only use sources you trust

    • Responsible party within the meaning of the GDPR: You as a company/HR team are always responsible for data processing, even if a GPT or an external API is integrated.

    • Check legal basis: Processing of candidate/employee data only on the basis of:

    • Art. 6 (1) (b) GDPR (contract/initiation, e.g. application),

    • Art. 6 (1) (f) GDPR (legitimate interest, balancing required),

    • Art. 6 (1) (a) GDPR (consent – ​​e.g. talent pool).

    • List of processing activities: Document GPT use as a processing operation.

    • Do not upload sensitive data that is not absolutely necessary for the GPT use case (health, religion, trade union membership – Art. 9 GDPR).

    • Pseudonymization/Anonymization: Where possible, replace names, contact details or unique IDs with placeholders.

    • Observe the purpose limitation: Use data only for the specifically described HR process (e.g. applicant communication), do not “reuse” it for other purposes.

    • Inform candidates/employees:

    • That an AI system is used.

    • Which data is processed.

    • Whether data is transmitted to third parties (e.g. APIs, cloud services).

    • Supplement Privacy Notice (Art. 13/14 GDPR).

    • Create internal guidelines for HR teams (how and for what purposes GPTs may be used).

    • Data processing agreement (Art. 28 GDPR): If the GPT provider or an API processes personal data on behalf of the data subject, you need a data processing agreement.

    • Prefer EU servers / EU data rooms: Check whether data is processed in the EU (keyword: data transfer to third countries).

    • Subprocessors: Clarify which other providers might have access.

    • Restrict access rights: Only authorized HR employees may use GPTs.

    • Logging & Reporting: Document which data is processed and when.

    • Regular deletion: Delete data in the GPT context when its purpose no longer applies.

    • Data encryption: Both for uploads (TLS) and for stored documents.

    • Only connect tested systems (e.g. ATS/HRIS with GDPR-compliant contracts).

    • Always include the privacy URL in GPT Actions.

    • Data sharing with third-party APIs: Candidates should be informed about this; for sensitive data, consent may be obtained.

    • Use domain restrictions (only allow your own systems).

    • Right to information (Art. 15 GDPR): Candidates/employees can request to know whether and how their data has been processed in the GPT.

    • Correction & deletion (Art. 16, 17 GDPR): Ensure that incorrect data can be corrected and data that is no longer needed can be deleted.

    • Right of objection (Article 21 GDPR): In particular when processing is based on “legitimate interest”.

    • Observe BDSG: Special rules for employee data processing (§ 26 BDSG).

    • Co-determination of the works council: If a works council exists, it must be involved (e.g. when introducing new IT systems that affect employee data).

    • Data protection officer: If appointed, involve early in the GPT implementation.

Disclaimer: The information provided here regarding data protection and GDPR in connection with AI-supported HR tools is for general information purposes only. It does not constitute legal advice and cannot replace individual legal review or consultation. Implementation and application of this information is at your own risk. No liability is assumed for the completeness, timeliness, and accuracy of the content.
We expressly recommend that you carefully review the legal requirements (including GDPR and BDSG) when processing personal data – especially that of applicants and employees – and seek professional legal advice if in doubt.

Group (17).webp

Subscribe To The Hrstack.Io Newsletter And Don’t Miss Any HR Tech Trends.

bottom of page