GDPR

Consent Statement for Background Check: Template in accordance with GDPR 2026

April 20, 2026

Consent Statement for Background Checks: Template under GDPR 2026

A legally compliant consent statement is the foundation of every GDPR-compliant background check. Without it, the screening is unlawful — with it, you have the most important safeguard against later lawsuits and data protection authority audits. This guide shows the four required elements, provides a sample template, and explains the differences between Germany, Switzerland, and Austria.

What makes a consent statement legally compliant

Under Art. 7 GDPR, consent must meet four criteria:

  1. Voluntary: The candidate must not be put under pressure. A refusal to consent must not lead to rejection (except in legally required checks such as § 25c KWG).

  2. Informed: The candidate must know which data is processed for which purpose, which data sources are used, and how long the data is stored.

  3. Specific: Blanket "we check everything" consents are invalid. Each type of screening (identity, sanctions lists, adverse media) must be disclosed separately.

  4. Documented in a verifiable way: Written form or qualified electronic form. Paper signature or auditable digital signature.

Sample consent statement (DE, § 26 BDSG + Art. 6 GDPR)

You can use this template as a starting point. Review and adaptation by a qualified lawyer is recommended.

Consent to carry out a pre-employment background check

I, [candidate name], born on [date], residing at [address], hereby consent to a background check by [employer] in connection with my application for the position [job title].

I have been informed that the following checks will be carried out:

  • Identity verification based on the submitted identification document

  • Verification of the qualifications and career history stated in the CV

  • Comparison against international sanctions lists (EU, UN, OFAC)

  • Screening for PEP status under § 1 para. 12 GwG

  • Adverse media screening (research into negative media reports with a professional context)

  • If applicable, reference checks with the referees I have provided

Legal basis: Processing is carried out on the basis of § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. b GDPR (pre-contractual measure).

Service provider: The technical processing is carried out by [Indicium Technologies AG, Rothusstraße 21, CH-6331 Hünenberg] on the basis of a data processing agreement under Art. 28 GDPR.

Retention period: If the application is rejected, the results will be deleted no later than 6 months after the decision; if employment is granted, they will be retained until the end of the employment relationship plus the statutory retention periods.

Rights: I have the right to information (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21). I can withdraw this consent at any time with effect for the future — without affecting the lawfulness of processing carried out up to that point.

Right to lodge a complaint: I can lodge a complaint with the competent data protection supervisory authority.

[Place], [Date] — [Signature]

What you must NOT include in the consent statement

  • Unspecified data collection: "All publicly available data" is not a specific consent

  • Making consent a condition ("Consent is mandatory"): Outside legally required checks (§ 25c KWG, § 7 GwG), this makes consent involuntary and therefore invalid

  • Special categories (Art. 9 GDPR): Health, religion, and sexual orientation must not be collected through standard background checks

  • Non-transparent sub-processors: If your background-check platform accesses LexisNexis, Moody's, Refinitiv, these sub-processors must be disclosed to the candidate in a transparent manner

What applies in Switzerland, Austria, and across the EU?

Switzerland — revFADP and Art. 328b CO

Under Art. 6 para. 6 revFADP, the Swiss consent statement must be explicit, specific, and informed. Note that Swiss employers are also subject to Art. 328b CO: data processing is only permissible insofar as it is necessary for the employment relationship. This is stricter than § 26 BDSG: Swiss consents must explicitly justify the relevance of each check to the role. Institutions supervised by FINMA should additionally refer to the suitability review under Art. 3 BankA.

Austria — GDPR + § 10 AVRAG

Austria does not have its own employee data protection law. Consent follows the GDPR directly, supplemented by § 10 AVRAG (documentation obligation in the employment relationship). The Equal Treatment Act (GlBG) sets additional limits: discriminatory checks (gender, age, religion) are excluded, and the consent statement should address this explicitly.

EU-wide — GDPR + new legal acts

In addition to the GDPR, the EU AI Act becomes relevant from August 2026: if AI-based assessment is used, the consent must make the use of AI transparent. CSRD requires governance reporting on background check processes from 2026 onward — the documented consent rate is a reportable metric.

Best practice: Digital consent with audit trail

Paper consents are legally valid, but operationally cumbersome. Modern background-check platforms such as Indicium capture consent digitally with:

  • Granular checkbox per screening module — the candidate can deselect individual checks

  • Timestamp + IP address of the confirmation for later proof

  • Audit trail of all processing steps for BaFin, FMA, or FINMA audits

  • Automatic withdrawal option via self-service portal

Conclusion

A legally compliant consent statement is the most cost-effective protection against GDPR fines and lawsuits. The four required elements (voluntary, informed, specific, documented) are easy to meet — most mistakes happen because of blanket wording or missing disclosure of sub-processors. For cross-border hiring, you need DACH-consistent versions.

Book a demo and take a look at Indicium's digital consent workflow — with automatic multi-jurisdiction adaptation.

Nabil El Berr