Background Check in Germany: What Employers Need to Know in 2026
A background check in Germany is the systematic review of candidate information — from identity and qualifications to sanctions lists. The legal basis is Section 26 BDSG (employee data protection) and Article 6 GDPR. This guide shows what is allowed, what is not, and how to proceed in a legally compliant way.
What is a background check?
A background check is a structured pre-employment review of candidate information. The goal: make sure the information is accurate and the person is a fit for the role — before you sign an employment contract.
Typical review areas include:
Identity: authenticity of the ID document, comparison with the candidate information
Qualifications: degrees, certificates, credentials
Professional background: references, previous roles, employment references
Compliance: sanctions lists (EU, UN, OFAC), PEP status, AML requirements
Reputation: adverse media (negative media coverage), public social media profiles
Legal basis in Germany
Two rules form the foundation:
Section 26 BDSG — employee data protection
Allows the processing of personal data in connection with establishing an employment relationship, insofar as this is necessary. "Necessary" means: the review must have a concrete connection to the role.
Article 6 GDPR — lawfulness of processing
The legal basis is either the candidate's consent (Art. 6(1)(a)) or the employer's legitimate interest (Art. 6(1)(f)). In practice: consent is the safer route because it is documented.
What is allowed?
Verification of identity and ID documents
Validation of certificates and qualifications
Screening against sanctions lists (EU, UN, OFAC)
PEP screening under Section 1(12) GwG
Adverse media screening (negative media coverage with professional relevance)
Social media analysis only for publicly accessible, professionally relevant profiles (e.g., LinkedIn, Xing)
Reference checks with the listed referees (with consent)
What is not allowed?
Monitoring measures without cause
Reviewing private social media profiles without a legitimate interest
Requesting health data or religious affiliation (Article 9 GDPR, specially protected)
Requesting a credit report without a concrete connection to the role (only for roles with financial responsibility)
Criminal record certificate outside legally required roles (Section 30a BZRG)
What applies in Switzerland, Austria, and across the EU?
Indicium supports companies across Europe. Here are the equivalents to the German legal framework:
Switzerland — revDSG + FINMA
Since September 2023, the revised Data Protection Act (revDSG) has applied. The key provision for personnel checks is Art. 26 ff. revDSG. For data processing in employment relationships, Art. 328b OR (data processing by the employer) also applies, as well as sector-specific rules: FINMA circulars for banks and insurers, Art. 3 BankG for fit-and-proper persons, Art. 14 VAG for insurers. The Federal Data Protection and Information Commissioner (FDPIC) oversees compliance; fines are imposed personally on responsible natural persons and can be up to CHF 250,000.
Austria — GDPR + Section 10 AVRAG
In Austria, the GDPR applies directly, supplemented by the Employment Contract Law Adaptation Act (Section 10 AVRAG) and Section 1151 ABGB as the civil-law framework. In the absence of a specific employee data protection law (like Section 26 BDSG in Germany), the requirements are derived directly from the GDPR — with correspondingly higher documentation obligations. Supervisory authority: the Data Protection Authority (DSB), and the Financial Market Authority (FMA) for regulated sectors.
Across the EU — GDPR + new legal acts
In addition to the GDPR, new legal acts expand the requirements: EBA-ESMA Joint Guidelines on Suitability 2024 (fit-and-proper across the EU), CRD VI (Capital Requirements Directive, effective from 2026), AMLR (Anti-Money-Laundering Regulation, effective from 2027), and the new AMLA (Frankfurt). For companies operating across the EU, this means uniform standards, but higher expectations for monitoring and documentation.
When is a background check mandatory?
In certain industries, the check is legally required:
Financial sector: managing directors and supervisory board members must pass the BaFin fit-and-proper assessment under Section 25c KWG
Anti-money laundering officers: reliability check under Section 7 GwG
Insurance companies: compliance functions under Section 24 VAG
Educational professions: extended criminal record certificate under Section 72a SGB VIII
Critical infrastructure operators: reliability check for security-sensitive positions
In practice: How a GDPR-compliant check works
Obtain consent: The candidate receives a statement explaining which data will be checked and for what purpose
Document: Consent must be voluntary, informed, specific, and verifiable
Review: Carry out only the checks that are required for the specific role
Store: Delete results once the purpose has been fulfilled — usually after 6 months (rejected applicants) or until the end of employment plus limitation periods (hired candidates)
Audit trail: Every step must be documented in an audit-proof way
What does a background check cost?
Manual checks by private investigators cost €450–€1,200 per candidate and take 5–10 working days. Automated platforms deliver comparable results in minutes.
What does a bad hire cost?
According to Kienbaum Management Consultants, the total cost of a bad hire in a management role is 1.5 to 3 times the annual salary. With an annual salary of €150,000, that means damage of up to €450,000.
Conclusion
Background checks are legally possible in Germany — if the legal basis is correct, consent is documented, and the review is appropriate for the role. The most common mistakes: no documented consent, checks without a role connection, and storing data for too long.
If you want to build a structured, GDPR-compliant process: Indicium automates exactly that — including a consent workflow, audit trail, and audit-proof documentation.
Nabil El Berr