Credit checks when hiring – what does GDPR say?

Conducting a credit check as part of a recruitment process is not just a matter of corporate risk management - it is also an area where employers need to navigate legal frameworks such as the GDPR and the Credit Information Act carefully. This post gives employers practical guidance on what applies, when it is permitted to obtain a credit report, and how to do so in a lawful and transparent way.

What does the law say about credit information in recruitment?

According to the Credit Information Act (KuL), a legitimate need is required to access someone's credit information. This means that credit information may only be used in connection with an actual recruitment case and that the information must be relevant to the nature of the position. Under the GDPR, financial information is personal data and must therefore be handled with special care.

DISA complies with all Swedish regulations and our background checks - including credit checks - are always carried out with a clear purpose, informed consent and in accordance with the GDPR.

Can you run a credit check without consent under GDPR?

A common question is whether you can run a credit check without consent. Under the GDPR, personal data may only be processed if there is a legal basis. When an employer wants to run a credit check during hiring, it is usually based on legitimate interest – not consent. This is because there can be an imbalance of power between employer and candidate, meaning consent is not always considered freely given.

This means that a credit check can, in some cases, be carried out without explicit consent – but only if certain conditions are met. The employer must inform the candidate in advance that a credit check will be conducted, why it is necessary, and how the information will be used. It must also be clear that the check is relevant to the specific role.

Running a credit check without informing the candidate in advance may constitute a breach of both the GDPR and the Credit Information Act – with a risk of penalties from authorities and damage to the employer’s reputation.

When is it relevant to run a credit check when hiring?

A credit check during hiring should only be carried out when it is relevant to the role. This primarily applies to positions where the employee will be responsible for financial matters such as budgets, purchasing or assets.

Examples include roles such as finance manager, purchaser or team lead with budget responsibility. For other positions, a credit check may be disproportionate and therefore not permitted under the GDPR.

It is important to follow the principle of proportionality: the more sensitive the information being processed, the greater the requirement that the check is genuinely necessary.

How to run credit checks correctly – step by step

To ensure that credit checks during hiring are carried out correctly in line with the GDPR, you should follow a clear process:

  1. Establish a legal basis
    In most cases, this is legitimate interest rather than consent.
  2. Assess whether the check is relevant
    The credit check should be clearly linked to the role and its responsibilities.
  3. Inform the candidate in advance
    The candidate should be informed that a check will be carried out, why it is necessary, and how the information will be used.
  4. Document the purpose and decision
    Keep a record of why the credit check was necessary.
  5. Avoid routine checks
    Credit checks should only be carried out when there is a clear and justified need.

Risks of improper processing

Conducting credit checks without sufficient legal backing can lead to:

  • Administrative fines from IMY (the Swedish Authority for Privacy Protection)
  • Claims for damages from candidates
  • Loss of trust in the company and the brand

To avoid these risks, it is crucial to have clear internal procedures, documentation and to choose a reliable partner for conducting the screenings.

Reduce risk with a clear screening policy

To ensure that background checks are carried out correctly and in line with the GDPR, employers need clear guidelines. A screening policy helps define when checks should be conducted, what information is relevant, and how the process should be documented.

This creates clarity and confidence for both the organisation and the candidates.

How to run credit checks in line with GDPR

Running credit checks in line with the GDPR requires clear routines, sound judgement, and proper documentation. Without a structured process, the risk of incorrect decisions and legal consequences increases.

With the right approach, you can ensure that credit checks are only carried out when they are relevant, proportionate, and handled correctly.

DISA helps organisations carry out credit checks in a secure and quality-assured way, in line with GDPR and industry standards.

Do you need help ensuring the right processes are in place?

Do you want to ensure that your credit checks during hiring comply with GDPR and are carried out correctly? We help you tailor your background checks to your organisation and create clear, structured processes for credit checks in hiring.