GDPR

Consent Statement for Background Check: Template in accordance with GDPR 2026

April 20, 2026

Consent Statement for Background Checks: Template under GDPR 2026

A legally compliant consent statement is the foundation of every GDPR-compliant background check. Without it, the screening is unlawful — with it, you have the most important safeguard against later lawsuits and data protection authority audits. This guide shows the four required elements, provides a sample template, and explains the differences between Germany, Switzerland, and Austria.

What makes a consent statement legally compliant

Under Art. 7 GDPR, consent must meet four criteria:

  1. Voluntary: The candidate must not be put under pressure. A refusal to consent must not lead to rejection (except in legally required checks such as § 25c KWG).

  2. Informed: The candidate must know which data is processed for which purpose, which data sources are used, and how long the data is stored.

  3. Specific: Blanket "we check everything" consents are invalid. Each type of screening (identity, sanctions lists, adverse media) must be disclosed separately.

  4. Documented in a verifiable way: Written form or qualified electronic form. Paper signature or auditable digital signature.

Sample consent statement (DE, § 26 BDSG + Art. 6 GDPR)

You can use this template as a starting point. Review and adaptation by a qualified lawyer is recommended.

Consent to carry out a pre-employment background check

I, [candidate name], born on [date], residing at [address], hereby consent to a background check by [employer] in connection with my application for the position [job title].

I have been informed that the following checks will be carried out:

  • Identity verification based on the submitted identification document

  • Verification of the qualifications and career history stated in the CV

  • Comparison against international sanctions lists (EU, UN, OFAC)

  • Screening for PEP status under § 1 para. 12 GwG

  • Adverse media screening (research into negative media reports with a professional context)

  • If applicable, reference checks with the referees I have provided

Legal basis: Processing is carried out on the basis of § 26 para. 1 BDSG in conjunction with Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. b GDPR (pre-contractual measure).

Service provider: The technical processing is carried out by [Indicium Technologies AG, Rothusstraße 21, CH-6331 Hünenberg] on the basis of a data processing agreement under Art. 28 GDPR.

Retention period: If the application is rejected, the results will be deleted no later than 6 months after the decision; if employment is granted, they will be retained until the end of the employment relationship plus the statutory retention periods.

Rights: I have the right to information (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21). I can withdraw this consent at any time with effect for the future — without affecting the lawfulness of processing carried out up to that point.

Right to lodge a complaint: I can lodge a complaint with the competent data protection supervisory authority.

[Place], [Date] — [Signature]

What you must NOT include in the consent statement

  • Unspecified data collection: "All publicly available data" is not a specific consent

  • Making consent a condition ("Consent is mandatory"): Outside legally required checks (§ 25c KWG, § 7 GwG), this makes consent involuntary and therefore invalid

  • Special categories (Art. 9 GDPR): Health, religion, and sexual orientation must not be collected through standard background checks

  • Non-transparent sub-processors: If your background-check platform accesses LexisNexis, Moody's, Refinitiv, these sub-processors must be disclosed to the candidate in a transparent manner

What applies in Switzerland, Austria, and across the EU?

Switzerland — revFADP and Art. 328b CO

Under Art. 6 para. 6 revFADP, the Swiss consent statement must be explicit, specific, and informed. Special note: Swiss employers are also subject to Art. 328b CO, under which data processing is only permissible insofar as it is necessary for the employment relationship. This is stricter than § 26 BDSG: Swiss consents must explicitly justify the relevance of each check to the role. Institutions supervised by FINMA should additionally refer to the suitability review under Art. 3 BankA.

Austria — GDPR + § 10 AVRAG

Austria does not have its own employee data protection law. Consent follows the GDPR directly, supplemented by § 10 AVRAG (documentation obligation in the employment relationship). The Equal Treatment Act (GlBG) sets additional limits: discriminatory checks (gender, age, religion) are excluded, and the consent statement should address this explicitly.

EU-wide — GDPR + new legal acts

In addition to the GDPR, the EU AI Act becomes relevant from August 2026: if AI-based assessment is used, the consent must make the use of AI transparent. CSRD requires governance reporting on background check processes from 2026 onward — the documented consent rate is a reportable metric.

Best practice: Digital consent with audit trail

Paper consents are legally valid, but operationally cumbersome. Modern background-check platforms such as Indicium capture consent digitally with:

  • Granular checkbox per screening module — the candidate can deselect individual checks

  • Timestamp + IP address of the confirmation for later proof

  • Audit trail of all processing steps for BaFin, FMA, or FINMA audits

  • Automatic withdrawal option via self-service portal

Conclusion

A legally compliant consent statement is the most cost-effective protection against GDPR fines and lawsuits. The four required elements (voluntary, informed, specific, documented) are easy to meet — most mistakes happen because of blanket wording or missing disclosure of sub-processors. For cross-border hiring, you need DACH-consistent versions.

Book a demo and take a look at Indicium's digital consent workflow — with automatic multi-jurisdiction adaptation.

Nabil El Berr




Save 70% of your screening time

Every unchecked hire is a risk. Start now with automated background checks.

GDPR-compliant · Made in Europe · Results in minutes

Sign up for the newsletter

Legal Information

Made in Europe

Compliant with Data Protection

Ready to use immediately

Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.
