The EU has released Guidance on prohibited artificial intelligence (AI). They have listed out more exceptions than I was expecting. If you deploy AI as part of your infrastructure or product, this is well worth reviewing to see where AI may be prohibited.
https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act
For example, when discussing the workplace, it gives the following examples.
“Using webcams and voice recognition systems by a call centre to track their employee’s emotions, such as anger, is prohibited.162 If only deployed for personal training purposes, emotion recognition systems are allowed if the results are not shared with HR responsible persons and cannot impact the assessment, promotion etc. of the person trained, provided that the prohibition is not circumvented and the use of the emotion recognition system does not have any impact on the work relationship.”
“Using voice recognition systems by a call centre to track their customers emotions, such as anger or impatience, is not prohibited by Article 5(1)(f) AI Act (for example to help the employees cope with certain angry customers).”
“AI systems monitoring the emotional tone in hybrid work teams by identifying and inferring emotions from voice and imagery of hybrid video calls, which would typically serve the purpose of fostering social awareness, emotional dynamics management, and conflict prevention, are prohibited.”
“Using emotion recognition AI systems during the recruitment process is prohibited.”
“Using emotion recognition AI systems during the probationary period is prohibited.”
“Using cameras by a supermarket to track its employees’ emotions, such as happiness, is prohibited.”
“Using cameras by a supermarket or a bank to detect suspicious customers, for example to conclude that somebody is about to commit a robbery, is not prohibited under Article 5(1)(f) AI Act, when it is ensured that no employees are being tracked and there are sufficient safeguards.”
You should also consider that you have completed a sufficient risk assessment and data protection impact assessment (DPIA) for GDPR.