✔ Data stored in EU   ✔ GDPR-compliant   ✔ Safe and secure (ISO-certified)

Employment screening and data protection

Data protection is a central component of professional employment screening in Germany. 

At DISA, we understand that the security of personal data builds trust between employers, candidates, and us as a screening provider. Our processes must comply with the strict requirements of the GDPR, allowing you to focus on what matters most: finding the right talent for your organisation.

Effective screening and strong data protection are not mutually exclusive. When implemented correctly, they reinforce each other.


Why data protection is critical in employment screening

Candidates must be able to trust that their personal data is handled with the utmost care. The GDPR and the German Federal Data Protection Act (BDSG) require companies in Germany to ensure transparency, purpose limitation, data security, and the protection of individuals’ rights.

Violations can result in fines of up to €20 million or 4% of annual global turnover, while also putting the organisation's reputation and the safety of the work environment at risk.

How DISA ensures data protection in employment screening

Integrated data protection principles

Data protection is firmly embedded in all processes. We follow the principle of data minimisation in accordance with Article 5 GDPR, meaning that only the information necessary for the screening is collected. The key principles are:

  • Limitation to what is necessary
  • Purpose limitation
  • Proportionality
  • Regular review

Our processes are based on “privacy by design” and “privacy by default.” Candidates and employees are transparently informed about data collection and usage.

Consent and legal basis under GDPR

Written consent from candidates is essential for employment screening. It is typically obtained before the screening begins but can be withdrawn at any time. All data processing is carried out on a lawful basis.
Common legal bases include legitimate interest or explicit consent, depending on the specific screening check. To ensure transparency and security, it is important to carefully assess legitimate interests and document processing activities in a traceable manner.

Our certifications and security standards for secure screening 

ISO 27001 Certification for information security

ISO 27001 is an internationally recognised standard for information security. It demonstrates that our security controls are strictly monitored and that regular audits ensure the highest standards. This includes risk assessments, security policies, access controls, data encryption, and incident response measures.
Clients and candidates can rely on their sensitive data being professionally protected and handled with care.

ISO 9001 certification for quality management

ISO 9001 certifies our quality management systems and ensures that our processes are consistent, reliable, and transparent. Standardised procedures, documented approvals, checklists, regular internal audits, and continuous improvement ensure data accuracy and diligence across all screening processes.
Customers and applicants can rely on processes that are efficient, error-free, and transparent.

ISAE 3000 Type 2 certification for verified compliance processes

ISAE 3000 Type 2 is an international standard for service organisations. It demonstrates that control measures are effective over an extended period of time. Independent auditors assess the design and operational effectiveness of these controls and provide a detailed report.
This provides clients and candidates with a reliable, independent assurance of the quality, security, and compliance of our processes.

EU data hosting and secure IT infrastructure

European data sovereignty and processing within the EU

All data at DISA is processed and stored exclusively within the European Union. Our data centers are in Germany and Ireland, ensuring full GDPR compliance and eliminating cross-border data transfer risks. European data hosting also removes uncertainties related to the US CLOUD Act.
Our systems are continuously monitored and protected by state-of-the-art security measures to ensure data integrity and confidentiality at all times.


Technical and organisational security measures (TOMs)

All data is transmitted in encrypted form and stored on secure servers within the EU. Access is strictly controlled and granted only through secure authentication systems, ensuring that only authorised individuals can access sensitive information. Our IT infrastructure is regularly updated and tested for vulnerabilities to maintain the highest level of security. Redundant backups within the EU always ensure reliable data recovery. Physical security measures also protect data centers from unauthorised access. 

Through this combination of technical and organisational measures, clients and candidates can trust that their data is always protected.

Why choose DISA for GDPR-compliant employment screening

  • GDPR expertise: Over 25 years of experience in compliant background screening across Europe and deep knowledge of German requirements.
  • EU data hosting: All data is processed and stored exclusively in Germany and Ireland – no transfers to the US or other third countries.
  • Certified security: ISO 27001, ISO 9001, and other relevant certifications ensure independently verified security standards.
  • Expert support: Our compliance and data protection specialists are always available to support clients and candidates.
  • Proven track record: Leading German companies in regulated industries trust our expertise.

FAQ: Employment screening and data protection

Yes, pre-employment screening is permitted in Germany as long as the requirements of the GDPR and the German Federal Data Protection Act (BDSG) are met. This means that personal data may only be collected for a clearly defined purpose, processed transparently, and used lawfully. Candidates typically need to provide written consent, and processing must be based on a legal foundation. These measures ensure that screening is fair, compliant, and privacy-friendly.

Data processing in employment screening is based either on the candidate’s explicit consent or on the company’s legitimate interest, for example to verify qualifications and experience. DISA carefully evaluates each screening case, documents all processing activities, and ensures full GDPR compliance.

Screening data is stored only for as long as necessary to fulfill the purpose of the screening. After completion of the checks, or no later than three months after the final report is issued, all personal data is fully deleted unless legal retention obligations apply.

Yes, candidates have the right to access their personal data and screening results at any time. This right is defined under Article 15 GDPR. If necessary, candidates can also request correction or deletion of their data in accordance with Articles 16 and 17 GDPR if the information is inaccurate or no longer required.

If a candidate objects to the screening or withdraws their consent, the screening will not be carried out. In such cases, the employer may decide whether to proceed with the application without screening or to fill the position differently. DISA ensures that all data processed up to the point of withdrawal is handled in compliance with data protection regulations and deleted upon request.

All data is processed and stored exclusively within the EU, particularly in Germany and Ireland. No data is transferred to the United States or other third countries, ensuring full compliance with GDPR requirements.