What does the law say about credit information in recruitment?
According to the Credit Information Act (KuL), a legitimate need is required to access someone's credit information. This means that credit information may only be used in connection with an actual recruitment case and that the information must be relevant to the nature of the position. According to the GDPR, financial information is considered personal data, and must therefore be handled with special care.
DISA complies with all Swedish regulations and our background checks - including credit checks - are always carried out with a clear purpose, informed consent and in accordance with the GDPR.
GDPR and consent - what applies
Under the GDPR, personal data can only be processed if there is a legal basis. When an employer wants to run a credit check for a job, it is usually based on the legal ground of legitimate interest - not consent. This is because there can be an imbalance of power between employer and candidate, which means that consent is not always considered voluntary.
For the processing to be authorised, the employer must inform the candidate in advance that a credit check will be carried out, why it is necessary and how the information will be used. It must be clearly stated that the information is relevant to the position in question.
Obtaining a credit report without informing the candidate in advance may constitute a breach of both the GDPR and the Credit Information Act - with the risk of penalties from IMY and damage to confidence in the employer.
When is it relevant to run a credit check?
Credit checks should be reserved for positions where the employee will be managing financial responsibilities, budgets, purchases or assets. This could be, for example, roles such as finance manager, purchaser or supervisor with budgetary responsibilities. It is important that the principle of proportionality is respected: the more privacy-sensitive the information, the greater the requirement that the information is actually needed.
Risks of improper processing
Conducting credit checks without sufficient legal backing can lead to:
- Penalty fees from IMY
- Claims for damages from candidates
- Loss of trust in the company and the brand
To avoid these risks, it is crucial to have clear internal procedures and documentation, and to choose a reliable partner for conducting the screenings.
DISA's secured processes
DISA specialises in background checks for employment in security-critical industries. We work in accordance with ISAE 3000 - an internationally recognised standard for quality and data protection - which means that our processes are audited annually by an independent party.
All our credit checks are carried out in co-operation with Creditsafe and are often integrated into a larger verification package, such as a PID check (Personal Identification check), criminal record check or work experience check. Our reports are easy to read, clear and customised to help you make fast and confident decisions.
Recruiting in line with the GDPR and other applicable laws is both an obligation and a prerequisite for a safe and credible business. With DISA, you get access to expertise, structure and tools that meet industry requirements.
Want to know more about how we can help you with legal and responsible credit reporting?