Background Check in Germany: What Employers Need to Know in 2026
A background check in Germany is the systematic verification of applicant information — from identity and qualifications to sanctions lists. The legal basis is Section 26 BDSG (employee data protection) and Article 6 GDPR. This guide shows what is permitted, what is not, and how you can proceed in a legally compliant way.
What is a Background Check?
A background check is a structured pre-employment review of applicant information. The goal is to make sure the details are accurate and the person is suitable for the role — before you sign an employment contract.
Typical areas of review include:
Identity: Authenticity of the ID document, comparison with the applicant's details
Qualifications: Degrees, transcripts, certificates
Professional history: References, previous roles, employment certificates
Compliance: Sanctions lists (EU, UN, OFAC), PEP status, requirements under the Money Laundering Act (GwG)
Reputation: Adverse media (negative media reports), public social media profiles
Legal basis in Germany
Two provisions form the foundation:
Section 26 BDSG — employee data protection
Permits the processing of personal data in connection with establishing an employment relationship, insofar as this is necessary. "Necessary" means: the check must have a concrete connection to the role, and a less intrusive check that serves the same purpose takes precedence. Since the CJEU held in 2023 that the parallel Hessian provision (Section 23 HDSIG) did not meet the requirements of Art. 88 GDPR, Section 26 BDSG is read in the light of the general GDPR bases rather than as a stand-alone authorisation.
Article 6 GDPR — lawfulness of processing
The legal basis is either the candidate's consent (Art. 6(1)(a)) or the employer's legitimate interest (Art. 6(1)(f)). In practice, consent is the easier route to evidence because it is documented, but it only holds if it is genuinely voluntary (Section 26(2) BDSG). A candidate who depends on the hiring decision has little real choice, so record what the candidate could decline, and for checks that are already necessary for the role rely on Section 26(1) BDSG or legitimate interest rather than on consent alone.
What is allowed?
Verification of identity and ID documents
Validation of transcripts and qualifications
Screening against sanctions lists (EU, UN, OFAC)
PEP check under Section 1(12) of the GwG
Adverse media screening (negative media reports with a professional context)
Social media analysis only for publicly accessible, professionally relevant profiles (e.g. LinkedIn, Xing)
Reference checks with named referees (with consent)
What is not allowed?
Unprompted monitoring measures
Scrutinizing private social media profiles without legitimate interest
Requesting health data, religious affiliation or other special categories of data (Art. 9 GDPR, specially protected)
Credit report without a concrete connection to the role (only for roles with financial responsibility)
Criminal record certificate outside legally required roles (Section 30a BZRG)
What applies in Switzerland, Austria and across the EU?
Indicium supports companies across Europe. Here are the equivalents to the German legal framework:
Switzerland — revDSG + FINMA
Since September 2023, the revised Data Protection Act (revDSG) has applied. The key provision for personnel checks is Art. 26 et seq. revDSG. For data processing in employment relationships, Art. 328b OR (data processing by the employer) also applies, as do sector-specific rules: FINMA circulars for banks and insurers, Art. 3 BankG for persons subject to a fit-and-proper assessment, and Art. 14 VAG for insurers. The Federal Data Protection and Information Commissioner (FDPIC) monitors compliance; fines are imposed personally on the responsible natural persons and can amount to up to CHF 250,000.
Austria — GDPR + Section 10 AVRAG
In Austria, the GDPR applies directly, along with the Employment Contract Law Adaptation Act (Section 10 AVRAG) and Section 1151 ABGB as the civil-law framework. In the absence of a specific employee data protection law (like Section 26 BDSG in Germany), the requirements are derived directly from the GDPR — with correspondingly higher documentation obligations. Supervisory authority: the Data Protection Authority (DSB), and the Financial Market Authority (FMA) for regulated sectors.
Across the EU — GDPR + new legal acts
In addition to the GDPR, new legal acts expand the requirements: EBA-ESMA Joint Guidelines on Suitability 2024 (fit and proper across the EU), CRD VI (Capital Requirements Directive, from 2026), AMLR (Anti-Money-Laundering Regulation, from 2027), and the new AMLA (Frankfurt). For companies operating across the EU, this means uniform standards, but higher requirements for monitoring and documentation.
When is a background check mandatory?
In certain industries, the check is legally required:
Financial sector: Managing directors must pass the BaFin fit-and-proper assessment under Section 25c KWG, members of the supervisory or administrative board under Section 25d KWG
Anti-money laundering officers: Reliability check under Section 7 GwG
Insurance: Compliance functions under Section 24 VAG
Child and youth welfare work (including educational roles): Enhanced criminal record certificate under Section 72a SGB VIII
KRITIS operators: Reliability check for security-sensitive positions
In practice: How a GDPR-compliant check works
Obtain consent: The candidate receives a statement explaining which data is checked and for what purpose
Document it: Consent must be voluntary, informed, specific, and verifiable
Check: Only perform the checks required for the specific role
Store: Delete results once the purpose has been fulfilled — usually after 6 months (rejected applicants) or until the end of the employment relationship plus limitation periods (hired candidates)
Audit trail: Every step must be documented in an audit-proof way
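The five steps above describe a process rather than code, but two of them, the audit-proof record and the purpose-bound deletion, have a concrete engineering shape. The following added example (not code from the original article or from Indicium) models a consent record that gates which checks may run, a hash-chained append-only audit trail whose verify() detects any later edit, and a retention check that mirrors the periods named above. All names, the role-to-check table and the three-year limitation period are hypothetical assumptions; the sample candidate data is constructed.

```python
"""Added illustration: consent-gated checks, tamper-evident audit trail, and
purpose-bound retention. Hypothetical code, not the article's or any vendor's."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention defaults mirroring the article: six months after a
# rejection; for hired candidates, a limitation period after employment ends.
REJECTED_RETENTION = timedelta(days=182)
HIRED_LIMITATION = timedelta(days=3 * 365)  # assumption, not legal advice

# Hypothetical "necessity" table: which checks a role actually justifies.
ROLE_CHECKS = {
    "accountant": ("identity", "qualifications", "sanctions", "credit"),
    "developer": ("identity", "qualifications", "sanctions"),
}


@dataclass
class Consent:
    candidate_id: str
    checks: tuple[str, ...]   # checks the candidate was informed about and agreed to
    purpose: str
    given_on: date
    voluntary: bool = True    # Section 26(2) BDSG: consent must be freely given


def consent_covers(consent: Consent, check: str) -> bool:
    """A check may only run if the documented consent names it."""
    return consent.voluntary and check in consent.checks


@dataclass
class AuditTrail:
    """Append-only log; each entry's hash commits to the previous entry's hash,
    so altering or deleting any earlier entry breaks the chain."""
    entries: list[dict] = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, **details: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"event": event, "details": details, "prev": prev}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every hash and check the back-links; False on any tampering."""
        prev = "0" * 64
        for e in self.entries:
            body = {"event": e["event"], "details": e["details"], "prev": e["prev"]}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_checks(role: str, consent: Consent, trail: AuditTrail) -> dict[str, str]:
    """Run only the checks the role justifies AND the consent covers; log each decision."""
    results: dict[str, str] = {}
    for check in ROLE_CHECKS[role]:
        if not consent_covers(consent, check):
            trail.append("skipped", check=check, candidate=consent.candidate_id,
                         reason="not covered by consent")
            results[check] = "skipped"
            continue
        # A real system would call the identity/sanctions/... provider here.
        trail.append("performed", check=check, candidate=consent.candidate_id,
                     purpose=consent.purpose)
        results[check] = "performed"
    return results


def deletion_due(purpose_fulfilled_on: date, hired: bool, today: date) -> bool:
    """Rejected: six months after the rejection date. Hired: pass the employment
    end date; records are due for deletion after the limitation period."""
    retention = HIRED_LIMITATION if hired else REJECTED_RETENTION
    return today >= purpose_fulfilled_on + retention


if __name__ == "__main__":
    trail = AuditTrail()
    consent = Consent("cand-0001", ("identity", "qualifications", "sanctions"),
                      "pre-employment check for accountant role", date(2026, 1, 10))
    print(run_checks("accountant", consent, trail))   # credit is skipped: no consent
    print("trail intact:", trail.verify())
    trail.entries[0]["details"]["check"] = "credit"     # simulate a later edit
    print("trail intact after edit:", trail.verify())
    print("delete rejected candidate's data on 2026-07-21:",
          deletion_due(date(2026, 1, 20), hired=False, today=date(2026, 7, 21)))
```

The point of the chain is that the record of a skipped check is as binding as the record of a performed one: a later attempt to claim the credit check was consented to, or to quietly drop the entry that shows it was not, changes the hash of that entry and every entry after it, which is what "audit-proof" documentation has to deliver.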
What does a background check cost?
Manual checks by private investigators cost €450–1,200 per candidate and take 5–10 business days. Automated platforms deliver comparable results in minutes.
What does a bad hire cost?
According to Kienbaum Management Consultants, the total cost of a bad hire in a leadership role is 1.5 to 3 times the annual salary. At an annual salary of €150,000, that means up to €450,000 in damage.
Conclusion
Background checks are legally possible in Germany — if the legal basis is correct, the consent is documented, and the review is appropriate for the role. The most common mistakes are: no documented consent, checks without role relevance, and retention periods that are too long.
If you want to build a structured, GDPR-compliant process: Indicium automates exactly that — including the consent workflow, audit trail, and audit-proof documentation.
Nabil El Berr