EU AI Act: Not High Risk

Employee Self-Service Agent

An employee self-service portal that answers questions instead of handing over forms - handling subject access requests, leave, sickness and payslips under GDPR, CCPA and the ADA, accessible to WCAG 2.1 AA, with the chatbot openly identifying itself as AI.

Self-service HR portal: GDPR Art. 12-17 Subject Access Request, UK GDPR/DPA 2018, CCPA/CPRA, ADA Title III + WCAG 2.1 AA accessibility - leave/sickness/payslip with eIDAS e-signature.


A self-service portal that answers questions and meets the law in every jurisdiction

The portal handles the full range of employee self-service - leave, sickness, payslips, address and bank changes, and data-subject requests - while meeting the duties that govern each: the access, erasure and portability rights under GDPR and CCPA, the WCAG 2.1 AA accessibility standard the ADA and EU law require, and the eIDAS signing rules. The chatbot identifies itself as AI under the EU AI Act and never makes a decision with legal effect on its own.

Outcome: A genuine answer-capable portal resolves 60 to 80 percent of routine HR inquiries without a ticket, freeing 12 to 18 minutes per case and saving on the order of USD 135,000 to 190,000 a year per 2,000 employees. The compliance side matters just as much: a missed 30-day access-request deadline becomes a regulator complaint, and an inaccessible portal invites an ADA Title III class action. By automating the access-request clock, the cross-system erasure cascade and WCAG conformance, the agent closes the gaps that fragmented forms leave open - before a regulator or a claimant finds them.

86% Rules Engine · 14% AI Agent · 0% Human

The agent breaks self-service into twelve rule-based procedural decisions and two AI-assisted intent indicators, with no mandatory human gate for routine operation - though sensitive topics are routed to a specialist - each carrying its statutory basis, an audit trail and an appeal path.

A self-service portal that misses a 30-day access-request deadline or fails an accessibility test turns routine HR admin into a regulator complaint.

Running an employee self-service portal across borders means meeting four bodies of law at once. Under the GDPR the portal has to serve subject access, erasure and portability requests, and never make a fully automated decision, with fines reaching 4 percent of group revenue; UK GDPR and the ICO carry the same weight, including a 30-day deadline for access requests. California’s CCPA/CPRA and the other US state privacy laws add a parallel right to know, delete and correct, backed by state attorneys general and a private right of action. Accessibility law - the ADA Title III rule, the UK Equality Act and the EU European Accessibility Act - requires the portal to meet WCAG 2.1 AA. And the EU AI Act requires the chatbot to identify itself as AI. For a large or upper-mid-market employer, a single self-service interaction can engage all four regimes at once.

Where the exposure adds up

The exposure stacks across regimes. GDPR fines and ICO penalties reach 4 percent of turnover, and a missed 30-day access-request deadline draws a complaint to the relevant data-protection authority. California’s CCPA carries per-violation penalties, state attorney-general enforcement and a private right of action for breaches, with the other state laws adding their own variations. ADA Title III accessibility failures carry civil penalties and, as the Domino’s Pizza and Winn-Dixie cases showed, class-action exposure. The EU AI Act can fine a transparency breach by the chatbot. And a contested electronic signature can put a transaction’s validity in dispute. Fragmented forms let each of these risks grow unnoticed; automating the access-request clock, the erasure cascade, WCAG conformance and the chatbot’s self-identification closes them.

Twelve rule-based decisions, two AI indicators

The agent breaks self-service into fourteen micro-decisions, each recording its step, its question, who decides, the statutory reasoning, an audit trail and an appeal path. Twelve are rule-based: verifying identity; setting the access scope by role; running subject access requests against the 30-day clock; handling rectification, erasure and portability; selecting the right electronic-signature level; delivering payslips and pay-information rights; calculating leave; processing sickness; running transactional changes such as address and bank details; keeping the chatbot transparent under Article 50; holding the portal to WCAG 2.1 AA; and logging everything for the records of processing. Two are AI-assisted indicators: classifying the inquiry to route it, and detecting sensitive topics. There is no mandatory human gate for routine operation, but a grievance, harassment, retaliation or whistleblower disclosure is routed to a specialist - the model classifies, it does not decide.
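As an added illustration of the routing described above (not code from the page's author or product), the Python policy below enforces in code, rather than leaving it to the model, that a sensitive topic or a low-confidence classification goes to a human, that a data-subject request starts its statutory clock (30 days under GDPR, 45 under CCPA, with the extensions the page names), and that every routing produces a decision record. The keyword lists, threshold, rule ids, label names and disclosure wording are constructed assumptions.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Article 50 self-identification text shown with every reply (wording constructed).
AI_DISCLOSURE = "You are talking to an AI assistant, not a human."
CONFIDENCE_THRESHOLD = 0.80  # constructed; below this the model's label is not acted on

# Constructed keyword lists standing in for the sensitive-topic indicator. The
# rule that such topics go to a human is enforced here by code, not by the model.
SENSITIVE_TERMS = ("grievance", "harassment", "retaliation", "hardship", "whistleblow")
DSAR_TERMS = ("copy of my data", "access request", "delete my data",
              "erase my data", "export my data")
LABEL_TO_ROUTE = {            # constructed label vocabulary for the intent classifier
    "fact_lookup": "answer",
    "rule_question": "answer",
    "transaction": "transaction",
    "data_subject_request": "dsar",
    "judgement": "specialist",
}


@dataclass
class Classification:
    """What the AI intent classifier returned (constructed shape)."""
    label: str
    confidence: float
    model_version: str


@dataclass
class Routing:
    """Routing outcome plus the decision record fields the page lists."""
    route: str           # answer | transaction | dsar | specialist | protected_channel
    decided_by: str      # "rules_engine" or "ai_agent"
    rationale: str
    record: dict = field(default_factory=dict)
    deadline: Optional[date] = None
    disclosure: str = AI_DISCLOSURE


def _add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    m0 = d.month - 1 + months
    year, month = d.year + m0 // 12, m0 % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def dsar_deadline(received: date, regime: str, extended: bool = False) -> date:
    """Response deadline: GDPR/UK GDPR 30 days, extendable by two months for a
    complex request; CCPA/CPRA Right to Know 45 days, extendable by a further 45."""
    if regime in ("gdpr", "uk_gdpr"):
        due = received + timedelta(days=30)
        return _add_months(due, 2) if extended else due
    if regime == "ccpa":
        return received + timedelta(days=90 if extended else 45)
    raise ValueError(f"unknown regime: {regime}")


def route_inquiry(text: str, cls: Classification, received: date,
                  regime: str = "gdpr") -> Routing:
    """Decide where an inquiry goes. Only the final branch lets the model's label
    choose, and even then only among lookup, answer and logged-transaction routes."""
    lowered = text.lower()
    record = {"model_version": cls.model_version, "confidence": cls.confidence,
              "label": cls.label, "input": text, "received": received.isoformat()}

    # Rule 1: a sensitive topic always goes to a human specialist; a whistleblower
    # disclosure to the protected channel. The model's output cannot override this.
    hit = next((t for t in SENSITIVE_TERMS if t in lowered), None)
    if hit:
        route = "protected_channel" if hit == "whistleblow" else "specialist"
        return Routing(route, "rules_engine", f"sensitive topic '{hit}' detected",
                       {**record, "rule_id": "ESC-01"})

    # Rule 2: a data-subject request starts the statutory clock at once.
    if cls.label == "data_subject_request" or any(t in lowered for t in DSAR_TERMS):
        due = dsar_deadline(received, regime)
        return Routing("dsar", "rules_engine",
                       f"data-subject request under {regime}, due {due}",
                       {**record, "rule_id": "DSAR-01"}, deadline=due)

    # Rule 3: a low-confidence classification is not acted on; escalate instead.
    if cls.confidence < CONFIDENCE_THRESHOLD:
        return Routing("specialist", "rules_engine",
                       f"confidence {cls.confidence:.2f} below {CONFIDENCE_THRESHOLD}",
                       {**record, "rule_id": "ESC-02"})

    # The model classifies; the route it selects never carries legal effect by itself.
    return Routing(LABEL_TO_ROUTE.get(cls.label, "specialist"), "ai_agent",
                   f"classified as {cls.label}", record)
```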

Why document portals are not enough across four parallel jurisdictions

Most organisations already have document portals, yet ticket volume remains high. The reason is almost always the same: the portal does not answer questions, it offers forms. Anyone wanting to know whether special leave for a move also applies to an intra-city move finds a PDF of the company policy on the portal, but no answer. Anyone wanting to know their accrued holiday balance finds a leave request form, but not the actual balance. Anyone wanting to exercise their GDPR Art. 15 right of access finds a generic privacy policy, but no DSAR workflow with a 30-day response calendar. The difference between a document portal and a self-service agent is the difference between a library and an advisor: both hold the same knowledge, but only one understands the question and gives an answer that fits the specific situation. Anyone who receives a correct, source-referenced answer within seconds no longer opens a ticket. In projects with genuine answer-capable self-service systems, HR ticket volume regularly drops by more than half. The remaining inquiries are those that require human judgement, and they finally get the attention they deserve.

The harder cases

The harder scenarios are handled explicitly. A cross-border access request is consolidated under GDPR Article 15, UK GDPR and CCPA’s Right to Know, with third-party data and privileged communications redacted and the 30-day clock running. Mobile accessibility is held to WCAG 2.1 AA across native iOS and Android apps, tested with screen readers and keyboard navigation. The chatbot operates under the EU AI Act’s transparency rules, grounding its answers in verified policy documents, citing sources and escalating below a confidence threshold. A self-service whistleblower channel meets the EU Whistleblower Directive, UK PIDA and the US SOX regime, with protected reporting and five-year retention. And an employee who works across jurisdictions can fall under several privacy regimes at once, which the agent reconciles, including the cross-border transfer safeguards GDPR Chapter V requires.

How it connects to your systems

The agent works through the HR, self-service and chatbot platforms companies already run. It connects via API to the major HCM suites - Workday, SAP SuccessFactors, Oracle HCM and ADP - and to mid-market systems such as BambooHR, Personio, ServiceNow and Microsoft Viva. Where a company runs an LLM-powered HR assistant - ChatGPT Enterprise, Glean, Claude Enterprise or a Slack bot - the agent grounds it in policy documents and holds it to the EU AI Act’s transparency rules. Specialised self-service and engagement tools round out the mix. The agent passes work to the employee-data, employee-relations and audit agents where their input is needed.

Micro-Decision Table

Who decides in this agent?

14 decision steps, split by decider:

86% (12/14) Rules Engine - deterministic
14% (2/14) AI Agent - model-based with confidence
0% (0/14) Human - explicitly assigned

Each row below is a decision, with its decision record and whether it can be challenged.
Inquiry Classification and Self-Service Channel Routing
Decider: AI Agent
Question: What kind of inquiry is this - a fact lookup (leave balance, payslip), a rule question (notice period, parental leave), a judgement matter (grievance, hardship), a transaction (address or leave request), or a data-subject request under GDPR Articles 15 and 17 - and where should it go?

The agent reads what the employee is asking, grounding its answer in verified policy documents, and routes the request accordingly - a data lookup, a rule-based answer, a transaction, a data-subject request, or escalation to a specialist. The chatbot identifies itself as AI, as Article 50 of the EU AI Act requires, and never makes a decision on its own under GDPR Article 22.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.


Identity Verification, Authorisation and Multi-Factor Authentication
Decider: Rules Engine
Question: Which authentication method fits the request - single sign-on, multi-factor authentication, a one-time password, a CCPA verifiable consumer request, or proportionate identity proof for a GDPR access request?

Identity is verified to a level that matches the request - a CCPA consumer request needs matching attributes and a signed declaration, a GDPR access request needs identity proof proportionate to the data sought. Sensitive transactions such as a bank-account change require multi-factor authentication, and every authentication is logged.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Authorisation Framework and Data Access Scope
Decider: Rules Engine
Question: Which data scope does this role permit - own data only, a manager's view, HR-only or payroll-only - under the principle of least privilege?

Each role sees only the data it needs - own data, a manager's view, HR-only, payroll-only - on the principle of least privilege, in line with the data-minimisation and security duties in GDPR Articles 5 and 32. Medical data is held separately, as the ADA requires.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Vendor

Subject Access Request DSAR and 30-day Response Calendar
Decider: Rules Engine
Question: What is the scope of this subject access request under GDPR Article 15 - which data, recipients and sources - and how does the 30-day deadline, with its two-month extension and third-party redaction, apply?

A subject access request is met under GDPR Article 15 within the 30-day window - extendable to two months for complex requests - with third-party data and privileged communications redacted. CCPA's Right to Know runs on its own 45-day clock, and the agent consolidates a request that spans the EU, UK and US.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Right to Rectification, Erasure and Data Portability
Decider: Rules Engine
Question: Which right is being exercised under GDPR Articles 16, 17 and 20 - rectification, erasure or portability - how far does the erasure cascade reach, and what statutory retention overrides it?

The agent handles the rectification, erasure and portability rights under GDPR Articles 16, 17 and 20, cascading an erasure across every system that holds the record and delivering portable data in a machine-readable format. Where a statutory retention period applies - such as six years for ERISA records - that data is kept under the legal-obligation exception.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Self-Service Transaction and Qualified Electronic Signature QSig
Decider: Rules Engine
Question: Which eIDAS signature level fits this transaction - a simple, advanced or qualified electronic signature - and does US law (the ESIGN Act or UETA) govern instead?

The agent picks the eIDAS signature level that fits the transaction: a qualified signature for legally binding documents such as a contract amendment, an advanced signature for routine actions like a leave request, a simple one for low-risk changes like an address update. In the US the ESIGN Act and UETA govern instead, and every signature is logged.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Vendor

Pay Slip Access, Pay Transparency Information and Tax-Form Self-Service
Decider: Rules Engine
Question: Which payroll documents does the employee need for their jurisdiction - the payslip, the US W-2 and 1095-C, the UK P60 and P45 - and how does the EU Pay Transparency Directive 2023/970 pay-information right apply?

The agent delivers the right payroll documents for each jurisdiction - the W-2 in the US, the P60 and P45 in the UK - and serves the pay-information right the EU Pay Transparency Directive 2023/970 grants from 7 June 2026. Electronic delivery needs the employee's consent, with a paper option, and the documents are retained for the statutory period.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Leave Request, Entitlement Calculation and Notice Generation
Decider: Rules Engine
Question: Which leave type and entitlement applies for this jurisdiction - US FMLA with its statutory notices, the EU Working Time Directive, the UK Working Time Regulations - and how do accrual and carryover work under any collective agreement?

Leave entitlement is calculated for each jurisdiction: up to twelve weeks of unpaid FMLA leave in the US, with its statutory notices, four weeks of paid annual leave under the EU Working Time Directive, and 5.6 weeks under the UK Working Time Regulations, alongside the various parental-leave rights. Accrual and carryover follow any collective agreement, and the request goes to the manager for approval.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.


Sickness Notification, Statutory Sick Pay and DOL Notice
Decider: Rules Engine
Question: Which sickness workflow applies - UK Statutory Sick Pay with its self-certification limit, an EU member state's continued-pay rules, or the US ADA's reasonable-accommodation process - and when is a medical certificate required?

Sickness is handled per jurisdiction: UK Statutory Sick Pay with its qualifying days and the seven-day self-certification limit before a fit note is needed, the continued-pay rules of the relevant EU member state, and in the US the ADA's reasonable-accommodation process where the absence relates to a disability. Any medical evidence is held in segregated files.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Address, Bank Account, Tax Withholding and Beneficiary Updates
Decider: Rules Engine
Question: Which transactional change is this - an address update that propagates to payroll and tax, a bank-account change needing multi-factor authentication, or a beneficiary designation that may require spousal consent under ERISA?

Each change is handled according to its data type and jurisdiction. An address change propagates downstream to payroll, benefits and tax. A bank-account update requires multi-factor authentication and verification. A beneficiary designation may need spousal consent under ERISA. Every change is logged.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Vendor

Chatbot Interaction with EU AI Act Article 50 Transparency
Decider: Rules Engine
Question: Does the chatbot identify itself as AI under Article 50 of the EU AI Act, cite its sources, escalate once confidence drops below threshold, and avoid any automated decision GDPR Article 22 prohibits?

The chatbot identifies itself as AI, as Article 50 of the EU AI Act requires, cites its sources, and escalates to a human once its confidence drops below a set threshold. It never makes a decision with legal effect on its own, which GDPR Article 22 prohibits.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.


Escalation Routing by Confidence Threshold and Topic Sensitivity
Decider: AI Agent
Question: Does this inquiry touch a sensitive topic - a grievance, harassment, retaliation or whistleblower disclosure - that should go to a human specialist, with a whistleblower disclosure routed to a protected channel under the EU Whistleblower Directive 2019/1937?

The agent recognises sensitive topics - a grievance, harassment, retaliation, a whistleblower disclosure or genuine hardship - and routes them to a human specialist rather than answering. A whistleblower disclosure must go to a protected channel under the EU Whistleblower Directive, UK PIDA or the US SOX regime. The model only classifies; it does not decide.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.


Accessibility Conformance to WCAG 2.1 AA and Reasonable Adjustments
Decider: Rules Engine
Question: Does the portal meet WCAG 2.1 AA - the standard the ADA Title III rule, the UK Equality Act and the EU European Accessibility Act all point to - and is an individual reasonable-adjustment request handled?

The portal is held to WCAG 2.1 AA - content that is perceivable, operable, understandable and robust - which is the standard the ADA Title III rule, the UK Equality Act and the EU European Accessibility Act all point to. Individual employees can also request a reasonable adjustment.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Audit Trail, Decision Logging and Records of Processing Activities
Decider: Rules Engine
Question: Is every interaction, transaction and data-subject request logged with its reasoning, timestamp, the employee's identity and the outcome, as the records of processing under GDPR Article 30 require?

Every interaction, transaction, data-subject request and escalation is logged with its reasoning, timestamp, the employee's identity and the outcome - the records of processing GDPR Article 30 requires and the accountability principle in Article 5. Each record is kept for its applicable retention period.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Vendor

Decision Record and Right to Challenge

Every decision this agent makes or prepares is documented in a complete decision record. Affected employees can review, understand, and challenge every individual decision.

Which rule in which version was applied?
What data was the decision based on?
Who (human, rules engine, or AI) decided - and why?
How can the affected person file an objection?

Does this agent fit your process?

We analyse your specific HR process and show how this agent fits into your system landscape. 30 minutes, no preparation needed.


Governance Notes

EU AI Act: Not High Risk
The agent is not a high-risk system under the EU AI Act - it provides information and runs transactions without making employment-affecting decisions about individuals. Where the AI Act bites is transparency: under Article 50 the chatbot must identify itself as AI and disclose AI-generated content, and the deployer carries the AI-literacy and oversight duties. The heavier load comes from data-protection and accessibility law. Under GDPR the portal must serve the full set of data-subject rights - access, rectification, erasure, restriction, portability and objection - keep records of processing, and never make a fully automated decision with legal effect. The same duties recur under UK GDPR and the ICO guidance, and California's CCPA/CPRA, together with the other state laws, adds a parallel right to know, delete and correct now that the employee exemption has lapsed. On accessibility, the portal is held to WCAG 2.1 AA, the standard the ADA Title III rule, the UK Equality Act and the EU European Accessibility Act all point to. Signing follows eIDAS in Europe and the ESIGN Act in the US, and a self-service whistleblower channel meets the EU Whistleblower Directive. The penalties are cumulative - GDPR and ICO fines up to 4 percent of turnover, CCPA penalties with a private right of action, and ADA Title III class actions - so every interaction, request and signature is logged with its reasoning as the audit trail.

Assessment

Agent Readiness 81-88%
Governance Complexity 11-18%
Economic Impact 66-73%
Lighthouse Effect 36-43%
Implementation Complexity 26-33%
Transaction Volume Daily

Prerequisites

  • Self-Service Portal Integration with Workday HCM ESS + SAP SuccessFactors Employee Central + Oracle HCM Cloud + ADP Workforce Now + BambooHR + Personio + ServiceNow HR + Microsoft Dynamics 365 HR with Read/Write access to employee master data + payroll + benefits + leave + GDPR Art. 12-22 + Art. 88 + UK GDPR + DPA 2018 + ICO Employment Practices Code + CCPA/CPRA service provider role
  • Subject Access Request DSAR Workflow with 30-day response calendar + 2-month extension + verifiable identity + redaction third-party data + privileged communications + categories + sources + recipients + retention + rights + automated decision-making + cross-system DSAR consolidation + GDPR Art. 12 + Art. 15 + UK GDPR + DPA 2018 + ICO SAR guidance + CCPA/CPRA 45-day Right to Know + extension 45 days
  • Right to Erasure plus Right to Rectification plus Right to Data Portability with cross-system cascade per Records of Processing Activities + GDPR Art. 16 + Art. 17 + Art. 18 + Art. 19 notification + Art. 20 structured commonly used machine-readable format + CCPA/CPRA Right to Correct + Right to Delete + Right to Data Portability + retention legal obligation exception (FLSA 3 years + ERISA 6 years + UK DPA 2018 6 years + EEOC 1 year + tax 7 years)
  • Accessibility Conformance with WCAG 2.1 AA (4 principles perceivable + operable + understandable + robust + 50 success criteria + automated testing axe-core + Lighthouse + manual testing assistive technology screen reader keyboard navigation) + ADA Title III + DOJ Final Rule 28 CFR Part 36 + Section 508 Revised + UK Equality Act Section 20 reasonable adjustments + UK Public Sector Bodies Accessibility Regulations 2018 + EU Web Accessibility Directive + EAA Directive 2019/882 effective 28 June 2025
  • Identity Verification plus Authorisation with Single Sign-On SSO + Multi-Factor Authentication MFA + biometric + one-time password OTP + verifiable consumer request CCPA/CPRA + verifiable identity DSAR ICO + audit trail authentication + role-based authorisation principle of least privilege + GDPR Art. 5(1)(c) data minimisation + Art. 32 appropriate security measures
  • Qualified Electronic Signature QSig Integration with eIDAS Regulation 910/2014 Trust Service Provider TSP + ETSI EN 319 411 + ETSI EN 319 412 + UK eIDAS Regulations 2016 + US E-SIGN Act + UETA + ESIGN consumer disclosure + intent + retention + admissibility evidence + signature level selection (SES + AdES + QSig) per transaction risk + audit trail signature
  • EU AI Act Compliance with Article 4 AI literacy provider deployer obligations + Article 13 transparency information + Article 26 deployer obligations + Article 50 transparency obligations chatbot + GDPR Art. 22 prohibition fully automated decision-making + Article 13-14 information + source citations + confidence threshold + escalation rules + audit trail of chatbot interactions
  • Records of Processing Activities GDPR Art. 30 + Cross-System Inventory of personal data + categories + sources + recipients + retention + cross-border transfers + DPIA Article 35 + Standard Contractual Clauses + EU-US Data Privacy Framework + UK IDTA + Schrems II Transfer Impact Assessment + cross-reference to Employee-Data-Management-Agent Cluster #30

What this assessment contains: 9 slides for your leadership team

Personalised with your numbers. Generated in 2 minutes directly in your browser. No upload, no login.

  1. Title slide - Process name, decision points, automation potential
  2. Executive summary - FTE freed, cost per transaction before/after, break-even date, cost of waiting
  3. Current state - Transaction volume, error costs, growth scenario with FTE comparison
  4. Solution architecture - Human, rules engine and AI agent with specific decision points
  5. Governance - EU AI Act, works council, audit trail, with traffic-light status
  6. Risk analysis - 5 risks with likelihood, impact and mitigation
  7. Roadmap - 3-phase plan with concrete calendar dates and Go/No-Go
  8. Business case - 3-scenario comparison (do nothing/hire/automate) plus 3×3 sensitivity matrix
  9. Discussion proposal - Concrete next steps with timeline and responsibilities

Includes: 3-scenario comparison

Do nothing vs. new hire vs. automation - with your salary level, your error rate and your growth plan. The one slide your CFO wants to see first.

Calculation methodology

Hourly rate: Annual salary (your input) × 1.3 employer burden ÷ 1,720 annual work hours

Savings: Transactions × 12 × automation rate × minutes/transaction × hourly rate × economic factor

Quality ROI: Error reduction × transactions × 12 × EUR 260/error (APQC Open Standards Benchmarking)

FTE: Saved hours ÷ 1,720 annual work hours

Break-Even: Benchmark investment ÷ monthly combined savings (efficiency + quality)

New hire: Annual salary × 1.3 + EUR 12,000 recruiting per FTE

All data stays in your browser. Nothing is transmitted to any server.


Related Agents

Employee Data Management Agent

Holds employee master data in one place, governed to EU GDPR, UK GDPR, California's CCPA/CPRA and the growing wave of US state privacy laws at once - with erasure, access requests and breach notification handled the same way across every system.

Readiness: 84-91%
Economic: 72-79%
Governance: 18-25%
Micro-Decisions: 15
Transaction Volume: Daily

HR Document Management Agent

An electronic personnel file where every document carries its own retention clock and access trail - GDPR access and erasure requests answered on time, US tax and discrimination records kept as long as the law demands, across the UK, EU and US.

Readiness: 83-90%
Economic: 61-68%
Governance: 18-25%
Micro-Decisions: 15
Transaction Volume: Daily

Sick Leave Processing Agent

Sick certificates processed in 60 seconds, not three weeks - with the diagnosis kept from the line manager by design, and every FMLA and statutory-pay deadline met across the UK, EU and US.

Readiness: 84-91%
Economic: 68-75%
Governance: 21-28%
Micro-Decisions: 14
Transaction Volume: Daily

Frequently Asked Questions

How does GDPR Art. 15 Subject Access Request differ from UK GDPR + DPA 2018 SAR and US California CCPA/CPRA Right to Know?

Three parallel privacy frameworks govern employee data access requests, and the mechanics differ. Under GDPR Article 15, the employee is entitled to confirmation and a copy of their data, plus the categories, recipients, retention periods and source, within 30 days - extendable to two months for complex requests - with the first copy free. UK GDPR and Section 45 of the DPA 2018 mirror that scope and deadline, and the ICO Employment Practices Code adds specific rules on medical information; third-party data and privileged communications are redacted, and identity proof is proportionate to the data sought. California's CCPA/CPRA Right to Know works differently: it covers the categories, sources and business purposes of personal information, runs on a 45-day clock, requires a verifiable consumer request, and now applies to employees since the carve-out lapsed on 1 January 2023. Virginia, Colorado, Connecticut and the other state laws are broadly similar but not identical. The agent consolidates a request that spans the EU, UK and US, running each on its own clock with the right redaction and disclosure scope.

How does the EU Pay Transparency Directive 2023/970, to be transposed by 7 June 2026, affect pay-transparency information requests in employee self-service?

From 7 June 2026, the EU Pay Transparency Directive 2023/970 gives employees a right to pay information, and the self-service portal is where many will exercise it. An employee can request their own pay level and the average pay levels by sex for the same work or work of equal value, along with the criteria used to set and progress pay. Alongside this, employers with 100 or more staff must report their gender pay gap periodically and explain - and remedy - any gap above 5 percent, and the burden of proof shifts to the employer in a pay-discrimination claim. The UK already runs gender pay gap reporting for employers with 250 or more staff under the Equality Act 2010, and a growing set of US states - California, Colorado, New York, Washington among them - require salary ranges in job postings. The agent serves the pay-information request through the portal, returning the employee's own pay level, the average levels by sex and the pay-determination criteria within the response window.

How do ADA Title III, the 2026 DOJ Final Rule and WCAG 2.1 AA apply to the self-service portal?

ADA Title III bars disability discrimination by places of public accommodation, and US courts and the DOJ now treat that as extending to websites - the DOJ Final Rule (28 CFR Part 36), effective 2026, sets WCAG 2.1 AA as the standard. WCAG 2.1 AA rests on four principles: content must be perceivable, operable, understandable and robust, across roughly 50 success criteria covering text alternatives, captions, keyboard access, navigability and input assistance. The same standard is what the UK Equality Act (through the duty to make reasonable adjustments) and the EU European Accessibility Act 2019/882, effective 28 June 2025, point to, and Section 508 imposes it on US federal contractors. The litigation exposure is real: Title III carries civil penalties of up to USD 75,000 for a first violation and USD 150,000 thereafter, plus a private right of action and class-action risk, as Robles v. Domino's Pizza (2019) and Gil v. Winn-Dixie (2017) showed. The agent holds the portal to WCAG 2.1 AA with automated testing (axe-core, Lighthouse) backed by manual testing on screen readers and keyboard navigation, publishes an accessibility statement, and handles individual reasonable-accommodation requests.

How do the EU AI Act's AI-literacy and transparency duties and GDPR Article 22 apply to the self-service chatbot?

For a self-service chatbot, the EU AI Act's main demand is transparency. Article 50 requires that anyone interacting with the bot be told they are dealing with an AI system, and that AI-generated content be disclosed; Article 4 puts an AI-literacy duty on the provider and deployer. Because the portal only provides information and runs transactions, it is not a high-risk system under Annex III - that classification is reserved for AI that makes employment-affecting decisions. GDPR Article 22 reinforces the boundary by prohibiting decisions based solely on automated processing that have a legal effect on the employee, and where such processing is permitted it requires safeguards, including human intervention and the right to contest. So the agent enforces the line directly: the chatbot identifies itself as AI, grounds its answers in policy documents with source citations, escalates to a human specialist once confidence drops below a set threshold, makes no automated decision, and logs the interaction.
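The response gate the paragraph describes, as an added example rather than the agent's own code: every reply carries the AI disclosure, intents with legal effect are never answered by the bot, unsourced or low-confidence answers are handed to a specialist, and each interaction is logged. The retrieval result shape, the 0.7 threshold, the intent names and the log layout are assumptions.

```python
# Added example (not the page's own code): chatbot response gate for the
# self-service portal. Retrieval shape, threshold, intent names and log
# layout are assumptions.
from dataclasses import dataclass
from typing import List, Optional

AI_DISCLOSURE = "You are talking to an AI assistant, not a person."  # EU AI Act Art. 50

# Intents with legal effect are never decided by the bot (GDPR Art. 22); constructed list
DECISION_INTENTS = {"approve_leave", "disciplinary_outcome", "salary_change"}
CONFIDENCE_THRESHOLD = 0.7  # assumed value; escalate to a specialist below this

@dataclass
class Retrieval:
    intent: str
    answer: str
    sources: List[str]          # policy document references backing the answer
    confidence: float

@dataclass
class Outcome:
    disclosure: str
    reply: Optional[str]        # None when the request is escalated
    escalated_to: Optional[str]
    reason: str

AUDIT_LOG: List[dict] = []      # one record per interaction

def respond(employee_id: str, r: Retrieval) -> Outcome:
    """Apply the transparency, no-decision and grounding rules, then log."""
    if r.intent in DECISION_INTENTS:
        # the bot never makes a decision with legal effect; a human does
        out = Outcome(AI_DISCLOSURE, None, "hr_specialist", "decision_with_legal_effect")
    elif r.confidence < CONFIDENCE_THRESHOLD or not r.sources:
        # no confident, cited answer: hand over rather than guess
        out = Outcome(AI_DISCLOSURE, None, "hr_specialist", "low_confidence_or_unsourced")
    else:
        # grounded answer, always with its source citations attached
        cited = r.answer + " [Sources: " + "; ".join(r.sources) + "]"
        out = Outcome(AI_DISCLOSURE, cited, None, "answered")
    AUDIT_LOG.append({"employee": employee_id, "intent": r.intent,
                      "confidence": r.confidence, "outcome": out.reason})
    return out
```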

How do eIDAS signature levels and the US ESIGN Act and UETA apply to self-service actions such as leave, sickness and address changes?

The right signature level depends on what the transaction does, and eIDAS Regulation 910/2014 defines three. A simple electronic signature is data in electronic form that the signatory uses to sign; an advanced signature (AdES) is uniquely linked to the signatory, under their sole control, with any later change detectable (Article 26); a qualified signature (QSig) adds a qualified certificate and a qualified signature-creation device (Article 28). The agent matches the level to the risk: a simple signature for low-risk changes like an address update, an advanced signature for routine actions such as a leave request or a benefits election, and a qualified signature for legally binding documents like a contract amendment, a severance agreement or an IP assignment. In the US the ESIGN Act and UETA govern instead, turning on the signer's intent to act electronically and on the retention and admissibility of records. Every signature is logged with the signatory's identity, a timestamp, the signed-document hash and the certificate's validity.
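The risk-tiered signature policy above, as an added example that is not the agent's own code: each transaction type carries a minimum eIDAS level, a signature below that level is refused, certificate-backed levels must carry a certificate still valid at signing time, and the accepted signature produces the audit record the text lists. The transaction names, the Signature shape and the record layout are assumptions.

```python
# Added example (not the page's own code): risk-tiered eIDAS signature policy.
# Transaction names, the Signature shape and the audit-record layout are assumptions.
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum
from typing import Optional
import hashlib

class Level(IntEnum):      # ordered: a higher level satisfies a lower requirement
    SIMPLE = 1             # simple electronic signature
    ADVANCED = 2           # AdES, eIDAS Art. 26
    QUALIFIED = 3          # qualified signature, eIDAS Art. 28

# Minimum level per self-service transaction, following the tiers in the text
REQUIRED_LEVEL = {
    "address_change": Level.SIMPLE,
    "leave_request": Level.ADVANCED,
    "benefits_election": Level.ADVANCED,
    "contract_amendment": Level.QUALIFIED,
    "severance_agreement": Level.QUALIFIED,
}

@dataclass(frozen=True)
class Signature:
    signatory_id: str
    level: Level
    cert_valid_until: Optional[datetime]  # None: no certificate (simple signature)

def accept_signature(txn: str, document: bytes, sig: Signature, now: datetime) -> dict:
    """Enforce the policy; return the audit record the text describes, or raise."""
    required = REQUIRED_LEVEL.get(txn)
    if required is None:
        raise ValueError(f"unknown transaction type: {txn}")
    if sig.level < required:
        raise PermissionError(f"{txn} requires {required.name}, got {sig.level.name}")
    cert_valid = None  # not applicable to a simple signature
    if sig.level >= Level.ADVANCED:
        # certificate-backed levels need a certificate still valid at signing time
        cert_valid = sig.cert_valid_until is not None and sig.cert_valid_until > now
        if not cert_valid:
            raise PermissionError("certificate missing or expired at signing time")
    return {
        "transaction": txn,
        "signatory": sig.signatory_id,
        "level": sig.level.name,
        "timestamp": now.isoformat(),
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "certificate_valid": cert_valid,
    }
```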

How does the Employee Self-Service Agent differ from the Employee Relations Case Agent and Employee Data Management Agent?

All three work in HR governance, but each owns a different layer. The Employee Self-Service Agent - this one - is the employee-facing front door: the self-service portal for leave, sickness, payslips and address changes, the data-subject requests under GDPR Articles 12 to 17, qualified electronic signing, the mobile app and the chatbot, all held to WCAG 2.1 AA accessibility and the EU AI Act's transparency rules. The Employee Relations Case Agent (Cluster #31) owns the case lifecycle - grievances, harassment investigations, discipline, whistleblowing and termination preparation, anchored in the Faragher-Ellerth defence, the UK Equality Act and the EU Whistleblower Directive. The Employee Data Management Agent (Cluster #30) owns the data lifecycle behind the scenes - master-data synchronisation, GDPR and the US privacy laws, erasure cascades, DPIAs and 72-hour breach notification. They connect: this portal triggers the Employee Data Management Agent to run a DSAR or erasure across systems, and routes a judgement matter such as a grievance or whistleblower disclosure to the Employee Relations Case Agent. It is the gateway to the rest of the HR self-service ecosystem.

How does the agent handle the self-service whistleblower channel under the EU Whistleblower Directive 2019/1937, UK PIDA and US SOX 806?

The portal includes a dedicated whistleblower channel because the EU Whistleblower Directive 2019/1937 requires one, and three frameworks coexist behind it. The EU Directive, transposed into national law, mandates protected internal, external and public channels for organisations with 100 or more employees, reverses the burden of proof under Article 21, and sets a seven-day acknowledgement, three-month feedback and five-year retention regime. UK PIDA 1998, through Sections 43A to 47B of the ERA 1996, protects qualifying disclosures where the worker has a reasonable belief and meets the public-interest test from Chesterton Global Ltd v Nurmohamed (2017). In the US, SOX Section 806 protects whistleblowers at publicly traded companies and Dodd-Frank Section 922 runs the SEC's bounty programme. The agent's job at the portal is narrow and important: it recognises a whistleblower disclosure, routes it to the right protected channel, preserves confidentiality, and escalates to the compliance function and outside counsel where required - it does not adjudicate the disclosure itself.

What Happens Next?

1. Initial call (30 minutes): We analyse your process and identify the optimal starting point.

2. Discover (1 week): Mapping your decision logic. Rule sets documented, Decision Layer designed.

3. Build (3-4 weeks): Production agent in your infrastructure. Governance, audit trail, cert-ready from day 1.

4. Self-sufficient (12-18 months): Full access to source code, prompts and rule versions. No vendor lock-in.

Implement This Agent?

We assess your process landscape and show how this agent fits into your infrastructure.