What does GDPR mean for background checks?
When you carry out a background check, you process personal data, which means GDPR applies. GDPR (General Data Protection Regulation) is the EU’s legal framework governing how personal data may be processed. For employers in Sweden, this means that all handling of candidate and employee data, including background checks, must be lawful, transparent, and carried out for a clear purpose.
Are background checks allowed under GDPR?
Yes, background checks are allowed under GDPR – but only if there is a legal basis, and if the check is relevant, proportionate and transparent.
This means that employers cannot carry out background checks routinely, but must be able to justify why the check is necessary in each individual case.
Is consent required for background checks?
No, consent is not the only possible legal basis.
In many cases, background checks are instead based on legitimate interest, provided that the employer’s need outweighs the individual’s right to privacy.
This requires that the check:
- has a clear purpose
- is relevant to the role
- is disclosed to the candidate in advance
How extensive can a background check be?
A background check must always be proportionate to the role.
This means that:
- only relevant information should be collected
- the scope of the check should be adapted to the level of risk and responsibility in the role
- more intrusive checks require stronger justification
Example: For a financial role, a credit check may be justified. For other roles, the same check could be disproportionate.
When can employers carry out background checks under GDPR?
During recruitment
Background checks are most commonly carried out during recruitment, where the employer needs to verify information or assess risks related to a role.
This may include:
- verifying identity, education or employment history
- ensuring the candidate meets the requirements of the role
- reducing risks in positions of trust or security-sensitive roles
The check must always be tailored to the role and must not be more extensive than necessary.
During employment
In some cases, background checks may also be carried out during ongoing employment, although the requirements are often stricter.
This may be relevant when:
- job responsibilities change or increase
- an employee is moving into a new role
- specific security requirements apply
The employer must be able to justify the need for the check and ensure that it is proportionate. Clear information must also be provided to the employee.
What information can be checked?
The type of information that can be checked depends on the role’s level of responsibility and risk, but may include:
- Identity information (e.g. name and personal identity number)
- Education verification and diploma check
- Work experience check
- Credit check (for roles involving financial responsibility)
Not sure what applies in practice?
Determining what information can be checked in practice can be complex – especially when different regulations and risk levels need to be balanced.
In our white paper, we explain how to take a structured approach to background checks while ensuring compliance and protecting individual privacy.
How to carry out a GDPR-compliant background check – step by step
1. Inform the candidate in advance
The candidate must always be informed that a background check will be carried out as part of the recruitment process.
The information should be clear and include:
- what information will be checked
- the purpose of the check
- how the information will be used
Transparency is a fundamental requirement under GDPR.
2. Ensure there is a legal basis
Before carrying out a background check, you must determine which legal basis applies.
Common options include:
- Legitimate interest – where the check is necessary for the organisation
- Consent – in some cases, but should be used with caution
It is important to carry out a balancing test and be able to justify why the check is necessary.
3. Limit the check to relevant information
Under GDPR, only data that is relevant and necessary for the specific role may be processed.
This means that:
- checks should be adapted to the role, industry, level of responsibility, access and risk
- unnecessary or excessive data collection should be avoided
The principle of data minimisation is central.
4. Document the purpose and process
To demonstrate compliance with GDPR, you need to document how background checks are carried out.
This should include:
- why the check is carried out
- which legal basis is used
- how proportionality has been assessed
Documentation is important both for internal review and in the event of an audit by the Swedish Authority for Privacy Protection (IMY).
5. Handle and store data correctly
Personal data from background checks must be handled securely and must not be retained longer than necessary.
This means that:
- access to the data should be restricted
- the data must be protected against unauthorised access
- there should be clear data retention and deletion policies
Data retention and security are core principles of GDPR.
Want to know more?
Download our white paper!
What happens if you breach GDPR?
Carrying out a background check without a valid legal basis constitutes a breach of GDPR and may lead to supervision by the Swedish Authority for Privacy Protection (IMY).
Under GDPR, administrative fines can reach up to €20 million or, for companies, up to 4% of global annual turnover – whichever is higher.
In addition to fines, organisations may need to:
- stop or change their processes
- delete collected data
- handle complaints or compensation claims
It may also mean that information from the background check cannot be used in recruitment decisions.
Supervision and enforcement under GDPR
In practice, many questions around background checks arise when individuals turn to their employer or trade union to understand how their personal data has been handled.
This may include situations where:
- a candidate was not informed that a background check had been carried out
- an employer has collected more data than is relevant for the role
- information from a background check is used in a way that is perceived as unfair or disproportionate
If the issue cannot be resolved internally, it may be escalated to the Swedish Authority for Privacy Protection (IMY), which is the supervisory authority in Sweden.
IMY may then initiate an investigation into how personal data has been processed, request documentation, and assess whether the processing complies with GDPR. Where issues are identified, the authority may impose corrective measures or administrative fines.
Decisions by IMY can be appealed to an administrative court, where the matter is reviewed legally. This means that, in some cases, questions related to background checks may ultimately be decided through judicial review.
Examples of case law and regulatory decisions
Alcohol testing in public transport – lack of proportionality (2023)
The Swedish Authority for Privacy Protection (IMY) imposed administrative fines on companies within the SL group after reviewing how alcohol testing of employees had been carried out.
Although the purpose of the checks could be considered justified, IMY found that the processing of personal data was too extensive and not sufficiently proportionate. As a result, the processing was found to be in breach of GDPR.
Key takeaway: Even when there is a legitimate purpose, the scope of a check must be carefully assessed.
In a landmark ruling, the Swedish Supreme Court found that court judgments containing personal data must not be freely shared or made searchable in commercial databases.
The decision means that providers such as Lexbase and Acta Publica can no longer make such information available to paying customers where this would conflict with GDPR.
Key takeaway: Publicly available information does not mean it can be used freely. Personal data must still be processed in accordance with GDPR and be proportionate.
A widely reported GDPR case involving H&M in Germany concerned the collection and storage of detailed information about employees’ private lives, including health data and personal circumstances.
The information was used in a work-related context and was accessible to multiple managers, which was found to breach fundamental data protection principles.
The authority concluded that the processing was disproportionate and lacked a legal basis, resulting in a fine of approximately €35 million.
Key takeaway: There are clear limits to what data can be collected in the workplace. Sensitive personal data requires a strong legal basis and must not be processed routinely.
Avoid common mistakes
Ensuring GDPR compliance in background checks is not just about having the right intention – it’s about making sure the entire process is correctly designed.
Many issues that lead to regulatory scrutiny or fines are not due to background checks being unlawful in themselves, but rather how they are carried out.
To avoid common mistakes, you should:
- Ensure a clear legal basis
Before carrying out a background check, there must be a documented legal basis, such as legitimate interest. This must be justified and balanced against the individual’s right to privacy.
- Limit checks to relevant information
Only collect information that is necessary for the specific role.
Example: A credit check may be relevant for financial roles, but rarely for others.
- Be transparent with the candidate
Clearly inform the candidate that a background check is being carried out, what information is collected, and why.
- Document the process
Ensure you can demonstrate why the check was carried out, which legal basis was used, and how proportionality was assessed.
- Handle and retain data correctly
Personal data must not be retained longer than necessary. Clear policies for storage and deletion are essential.
- Use reliable and lawful sources
All information must be collected lawfully. Using incorrect or unauthorised sources may itself constitute a GDPR breach.
DISA ensures GDPR-compliant and privacy-focused background checks
In addition to having a valid legal basis, such as legitimate interest, background checks must follow a number of important guidelines under GDPR. Below are some of the key principles to consider before collecting and processing candidates’ personal data.
1. Secure technology
DISA’s screening platform is designed to protect personal data against both loss and unauthorised processing.
2. Access to data protection expertise
We have dedicated data protection specialists who continuously ensure compliance with both national and international regulations. Privacy and data protection are always central when developing our platform.
3. ISO certifications and BKF membership
We are certified according to ISO 27001 and ISO 9001, ensuring high standards in information security and quality management. We are also members of the industry association BKF, reinforcing our commitment to best practice and compliance.
Want to ensure GDPR-compliant background checks?
DISA helps organisations carry out background checks in line with applicable legislation.
European data sovereignty and processing within the EU
All data at DISA is processed and stored exclusively within the European Union. Our data centers are in Germany and Ireland, ensuring full GDPR compliance and eliminating cross-border data transfer risks. European data hosting also removes uncertainties related to the US Cloud Act.
Our systems are continuously monitored and protected by state-of-the-art security measures to always ensure data integrity and confidentiality.
Technical and organisational security measures (TOMs)
All data is transmitted in encrypted form and stored on secure servers within the EU. Access is strictly controlled and granted only through secure authentication systems, ensuring that only authorised individuals can access sensitive information. Our IT infrastructure is regularly updated and tested for vulnerabilities to maintain the highest level of security. Redundant backups within the EU always ensure reliable data recovery. Physical security measures also protect data centers from unauthorised access.
Through this combination of technical and organisational measures, clients and candidates can trust that their data is always protected.
Why choose DISA for GDPR-compliant background checks?
- Proven GDPR expertise: With over 25 years of experience in background screening across Europe, we have a deep understanding of both GDPR and national regulations.
- EU-based data hosting: All data is processed and stored exclusively within the EU, with no transfers to the US or other third countries.
- Certified and industry-aligned security: We are certified according to ISO 27001 and ISO 9001 and follow the standards of the industry association BKF, ensuring high levels of quality, security, and compliance.
- Dedicated expert support: Our specialists in data protection and compliance are available to support both clients and candidates throughout the entire process.
- Trusted experience: We are a reliable partner for organisations in regulated industries with high requirements for security and compliance.
Frequently asked questions about background checks and GDPR
For employers
It depends on the role. Typically, identity, education, and employment history are verified. In some cases, credit checks or other screenings may be justified, but only if they are relevant and proportionate.
No. While consent is one possible legal basis, it is generally not recommended in recruitment processes.
Instead, background checks are often based on legitimate interest, as consent can be withdrawn at any time and may not be considered fully voluntary in an employment context.
Provided that the check is relevant, proportionate, and the candidate is informed, legitimate interest is often the more appropriate legal basis.
Legitimate interest means that the employer has a clear and justified need to carry out a background check, for example to ensure safety, reduce risks, or verify information.
This need must always be balanced against the candidate’s right to privacy, meaning the check must be relevant to the role and not more extensive than necessary.
No. Background checks should not be carried out routinely. They must be based on a specific need and tailored to the role.
Yes, you can make a recruitment decision based on a background check, but the information must be relevant to the role.
This means the findings should have a clear connection to the job responsibilities. For example, financial irregularities may be relevant for a role with financial responsibility, but not for other positions.
The decision must not be discriminatory and should be based on accurate and up-to-date information.
There is no specific time limit under GDPR, but the information must be relevant and proportionate. Older information is often less relevant.
Only in limited cases and depending on applicable legislation. Criminal data is considered sensitive personal data and may only be processed if there is a legal basis.
In practice, this often means relying on official extracts or certificates from Swedish authorities, depending on what is permitted in each case.
Yes, but only if it is justified by the role, for example where there is financial responsibility.
Yes. Informing the candidate is a fundamental requirement under GDPR. They must understand what is being done and why.
It should be clear and easy to understand. The candidate should know the purpose of the check, what data is collected, and how it will be used.
Only for as long as necessary. Organisations should have clear data retention and deletion policies in place.
Yes. Documentation is considered best practice and is often necessary to demonstrate GDPR compliance.
Yes, but you remain responsible for ensuring GDPR compliance. You should only work with trusted providers that meet data protection requirements.
For candidates or employees
No. Under GDPR, you have the right to be informed.
Yes, but it may affect your chances of getting the role depending on its requirements.
Yes. You have the right to transparency about what data is being processed.
Yes, you have the right to access your personal data.
It depends. Any checks must be relevant, proportionate, and comply with GDPR.
Older information must be assessed in terms of relevance. GDPR requires that data is proportionate and up to date.
Yes, but the decision must be objective and non-discriminatory.
Yes, in certain cases you have the right to have your personal data erased under GDPR, known as the “right to be forgotten”.
This applies, for example, if:
- the data is no longer necessary for the purpose it was collected
- the processing lacks a legal basis
- you object to the processing and there are no overriding legitimate grounds to continue
However, there are exceptions. An employer may need to retain data, for example to comply with legal obligations or to defend legal claims.
If you suspect a background check has not been carried out in accordance with GDPR, you can:
- contact the employer
- request information about what data has been processed
- contact your trade union for support
- lodge a complaint with the Swedish Authority for Privacy Protection (IMY)