Background check and GDPR – What applies?

A background check can be intrusive to the person being screened as it involves requesting and verifying the candidate’s personal data. Thus, background checks are only authorised if there is a legal basis, which is the case in recruitment. Here we cover what you need to know about background checks and GDPR.


GDPR guidelines on employment background checks

To protect candidates’ personal data, you may need to review these GDPR guidelines on background checks.

  • Do you have a legal basis to carry out background checks?
    There must be a legal basis to carry out the background check, such as consent or legitimate interest.
  • Has the candidate been informed?
    The candidate must be informed about what data is collected, why, and how it will be used.
  • Is the check proportionate to the candidate’s role?
    Only relevant and necessary data for the specific position may be collected.
  • Do you have privacy and security protocols in place?
    The data collected should be treated confidentially and protected against unauthorised access.
  • Be mindful of retention periods
    Data may only be stored for the time necessary for the purpose.

Employers must always respect the rights of the individual and follow these rules to avoid GDPR violations.

Want to learn more? Download our white paper

Fill out the form to download our white paper Secure Background Checks in Compliance with GDPR. It covers the fundamental rules for handling personal data during recruitment and provides three practical tips on how to carry out background checks in line with GDPR.


Is it okay to do background checks according to the GDPR?


Yes, a background check performed in connection with new employment is permitted under the GDPR. One legal basis for background checks is legitimate interest. Your interest lies in the need to assess the integrity of the future employee and to ensure that the relevant minimum requirements are met.

The minimum requirements differ depending on the sector and role and can include, for example, educational requirements, qualifications from certain programmes, knowledge or work experience.

Download our White Paper on Background Checks and Privacy for more tips on how to carry out background checks and employment screening with regard to GDPR.


What is a background check?

Before we explore how background checks relate to GDPR, it’s important to understand what a background check actually involves – and why it is carried out.

A background check is a structured verification of a candidate’s information as part of the recruitment process. The purpose is to ensure that the information provided is accurate and that the candidate meets the requirements of the role.

A background check can include, for example:

Which checks are relevant depends on the responsibilities of the role, its risk level, and the industry.

 

Background Checks and the Processing of Personal Data

Carrying out a background check involves processing personal data. This can include contact details, education history, employment information, or, in some cases, data from official registers.

Because background checks involve the handling of personal data, it is essential that they:

  • Have a clear purpose
  • Are proportionate to the requirements of the role
  • Are conducted in accordance with applicable legislation
  • Are managed in secure systems that comply with GDPR requirements for data protection and information security

 

How are background checks and privacy correlated?

The General Data Protection Regulation (GDPR) is the EU regulation that came into force on 25 May 2018. The aim of GDPR is to protect individuals’ privacy and data, which is important in the context of a background check. Under GDPR, individuals have the right to know how their personal data is used, and organisations are obliged to be transparent about how they collect, store and use this data.

Since GDPR came into force in 2018, common rules have applied to the processing of personal data across the EU. In Sweden, these rules are complemented by national legislation that governs how personal data may be handled in the workplace.

For organisations, this provides clear guidelines on how personal data should be collected, processed, and stored. This is especially important when conducting background checks to protect individuals’ privacy and ensure legally compliant processes.

 

 

What does the GDPR mention about background checks?

Conducting a background check is in itself an intrusion into someone’s privacy. Depending on the type of check, specific personal data is requested and checked. According to the GDPR, organisations that collect and process personal data must do so in a lawful, fair and transparent manner and have an obligation to protect this data from misuse and leakage. They must also inform individuals about how and why their data is being processed.

 

 

What types of background checks are regulated by the GDPR?


If you verify and collect personal data for employment purposes, you are obliged to comply with the GDPR in order to protect the applicant’s privacy. Here are some common checks that fall under the GDPR:

  1. Verification of identity information
    This includes the applicant’s full name, date of birth, social security number (or equivalent) and any government-issued identification number.
  2. Registration of contact details
    The employer usually collects the applicant’s address, telephone number and email address to facilitate communication.
  3. Verification of work history and reference check
    This involves collecting information about the applicant’s previous employers, job titles and dates of employment from references.
  4. Checking educational background
    The employer can check the applicant’s educational qualifications, such as degrees, diplomas and certificates, by requesting transcripts or contacting educational institutions.
  5. Criminal record check
    Background checks may involve searching for any convictions or pending criminal charges against the applicant via official databases or third-party services.

As a whole, all types of checks that involve the registration, collection and processing of personal data are covered by the GDPR. Therefore, you should collect only the necessary and relevant data for the recruitment process and handle it with confidentiality and transparency.


Privacy-proof background checks according to GDPR with DISA

In addition to the fact that there must be a legitimate interest to conduct a background check, there are some other guidelines that need to be followed. Here are examples of some of the most important ones that you should keep in mind before collecting and processing candidates’ personal data:

DISA's International Platform is secure and we protect personal data both against loss and against unauthorised processing.

We have a data protection officer who is ready to challenge us on how we should process personal data and ensure compliance with all national and international laws and regulations. And all development naturally takes place with the help of built-in integrity.

We have ISO certification (27001 and 9001), which ensures that we always maintain high-quality management and information security.

 


We can help with background checks in compliance with the GDPR

At DISA, we guide you through the whole process. We protect the candidate’s personal data by complying with current legislation and can help your company with everything from setting up a screening policy to notifying the candidate that a background check will be carried out and what this will entail.

Through our many years of experience, we can advise your organisation and together ensure that you have a safe and secure work environment. With a pre-employment background check, you can be sure that the person you are hiring is who they claim to be. We guarantee that all data is verified as efficiently and securely as possible and in compliance with the GDPR.

Would you like to see how our platform works or discuss your needs with one of our specialists?


Questions? Contact us for more information

Do you want to know more about background checks, GDPR and how we at DISA make sure that all personal data is handled according to current laws and regulations? You are more than welcome to contact us. Please enter your question in the form, and we will get back to you as soon as possible.

 

 

FAQ on background checks and GDPR compliance

Employers should only collect data that is necessary and relevant for the specific position. This principle, known as data minimisation, is central to GDPR compliance.

Data should only be stored for as long as it is necessary. Once the recruitment process is completed, personal data should either be deleted or stored securely, depending on the legal requirements.

Employers must have a legal basis, such as legitimate interest or legal obligation, to carry out background checks. In most cases, consent is not a valid legal basis as it may not be given voluntarily during recruitment.