What is the GDPR?
The GDPR (General Data Protection Regulation) is an EU regulation that governs how personal data may be processed throughout the EU. The regulation came into force in 2018 and aims to strengthen individual rights and create a uniform level of protection for personal data within the Union.
The GDPR is based on a number of fundamental principles, including:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- storage limitation
- integrity and confidentiality
For employers, this means that a background check must always have a clear and legitimate purpose. Personal data may only be processed if there is a legal basis, such as a balancing of interests or a legal obligation. The check must also be relevant and proportionate to the responsibilities and risk level of the position.
The GDPR thus sets out the overall framework for how personal data may be processed, whether in recruitment, supplier collaborations or internal processes.
What is the Data Protection Act?
The Data Protection Act is the Swedish law that supplements the GDPR. As the GDPR is an EU regulation, it applies directly in all member states, but it leaves room for national adaptations in certain areas. The Data Protection Act fills in these gaps and specifies how the rules are to be applied in Sweden.
The Act contains provisions on, among other things:
- processing of personal identification numbers
- handling of sensitive personal data
- processing of data on criminal offences
- supervision and administrative fines by the Swedish Authority for Privacy Protection (IMY)
For employers who carry out background checks, these supplementary rules are particularly important, as certain types of data are subject to stricter requirements than others.
The most important difference: EU regulation and national law
The main difference between the GDPR and the Data Protection Act is that the GDPR is a comprehensive EU regulatory framework, while the Data Protection Act is supplementary Swedish legislation.
The GDPR establishes the basic principles and legal framework for the processing of personal data. The Data Protection Act clarifies how this framework should be applied in Sweden, particularly in matters where Member States have the option of deciding on their own rules.
For employers, this means that both sets of regulations must be taken into account in parallel when conducting a background check.
How do the regulations affect background checks?
A background check must always have a legal basis. When recruiting, a balancing of interests is often used, where the employer's legitimate interest in protecting the business is weighed against the candidate's right to privacy. The greater the responsibility and risk involved in the position, the stronger the employer's interest may be.
At the same time, the check must be proportionate. This means that the scope must be adapted to the actual responsibilities of the role. An extensive check without a clear link to the risk level of the position may therefore conflict with both the GDPR and the Data Protection Act.
Certain types of data are subject to particularly strict rules. This applies, for example, to sensitive personal data and information about criminal offences.
The processing of criminal records is subject to special regulations and requires careful legal assessment. A background check covering criminal records must therefore be clearly justified and linked to the role's requirements for integrity, security or special trust. It is not enough to carry out the check as a matter of routine; it must be objectively justified. For example, there are certain roles where you are required by law to request an extract from the Police Criminal Records Register, such as jobs in schools or healthcare.
The GDPR sets high standards for transparency. The candidate must be informed about:
- that a background check is being carried out
- what data is being processed
- the purpose of the processing
- the legal basis
- how long the data will be stored
- what rights the candidate has
Clear and professional communication not only strengthens compliance, but also enhances the candidate experience. Transparency contributes to trust and signals that the organisation works in a structured and responsible manner.
Personal data may not be stored for longer than necessary. Data minimisation is a key principle of the GDPR and applies in full to background checks.
The results should only be available to authorised persons, usually HR and the hiring manager. Access should be restricted and handling documented. A clear deletion policy is an important part of a lawful process.
Common misconceptions about GDPR and background checks
A common misconception is that GDPR prohibits background checks. This is not true. The regulations do not prohibit checks, but regulate how they may be carried out. Another misconception is that consent is always required. In many cases, it is instead a balancing of interests that constitutes the most appropriate legal basis.
It is also important to remember that not all roles require the same level of checking. A background check should always be risk-based and proportionate.
How to ensure compliance in practice
To carry out background checks in accordance with the GDPR and the Data Protection Act, the organisation should:
- have a clear and documented policy
- carry out risk assessments per role
- ensure the correct legal basis
- inform the candidate in a transparent manner
- restrict access and storage
- document processes and decisions
Compliance is not just about the law. It is about structure, clarity and consistent application.
How DISA supports a lawful process
Navigating between the GDPR and the Data Protection Act requires both legal and operational expertise. DISA helps organisations conduct background checks in a legally secure, efficient and professional manner.
Our digital platform provides you with clearly structured processes that ensure that each check is tailored to the risk level of the role and that the processing of personal data is carried out in accordance with applicable regulations.
Frequently asked questions and answers
Yes, it is legal, provided that the check has a clear legal basis and is proportionate to the responsibilities of the position.
Not necessarily. In the workplace, balancing of interests is often used as a legal basis. The assessment must always be made based on the situation.
Only when there is a clear legal basis and a legitimate need linked to the responsibilities of the role. The processing is subject to particularly strict rules.
It is always the employer or client who is the data controller and is therefore responsible for ensuring that background checks are carried out in accordance with the GDPR and the Data Protection Act.