GDPR, Compliance, Background Check

GDPR and Background Checks: What Employers in Germany and Switzerland Need to Know

March 10, 2026

Background checks are becoming increasingly important in Europe. At the same time, uncertainty is high: What can I check? What can’t I? And how do I make sure the process is GDPR-compliant?

Many companies face a dilemma. They want to screen new employees carefully — but fear violating data protection laws. The result: they do not screen at all. Or they screen without knowing whether their approach will hold up legally.

Both are risky. This guide gives you, as an HR manager or compliance officer, a clear overview of the legal foundations — without legalese. You will learn which checks are allowed, how to obtain consent correctly, which retention periods apply, and where Germany and Switzerland differ.

Why the GDPR and background checks need to work together

A background check processes personal data. Names, dates of birth, qualifications, employment histories, and sometimes financial information or entries on sanctions lists. That means the GDPR applies — without exception.

Still, many companies in the DACH region avoid systematic checks. The reason: uncertainty. Am I even allowed to do this? What happens if I make a mistake? Will there be fines?

That fear is understandable, but it leads to the wrong result. A company that forgoes background checks accepts risks that can be far more expensive than a data protection violation: falsified résumés, compliance breaches, reputational damage.

A GDPR-compliant background check is not only possible — it is the only background check that truly protects your company.

The GDPR does not prohibit personnel screening. It gives you a framework. Anyone who understands and follows that framework can screen applicants in a legally secure way — and build trust with candidates at the same time.

The legal bases at a glance

Every processing of personal data needs a legal basis. For background checks in Germany, four bases are relevant; Switzerland has its own framework, described below. Which one you use depends on the type of check and the context, and you should record that choice before the check starts.

Art. 6(1)(b) GDPR: Contract initiation

This is the most common legal basis for pre-employment checks. Art. 6(1)(b) covers steps taken at the request of the data subject prior to entering into a contract: when an applicant applies for a position, they are initiating a contractual relationship, and the employer may verify the information relevant to the role. An identity check, verification of qualifications, or confirmation of previous employment all fall under contract initiation. What it does not cover is anything the role does not actually require; that is where the next basis comes in.

Art. 6(1)(f) GDPR: Legitimate interest

For certain risk-based checks, legitimate interest can serve as the legal basis. This applies especially to positions with an elevated risk profile: executives, employees with access to sensitive data or financial resources. In these cases, a balancing test must be carried out and documented before the check (your interest in the check against the applicant’s right to privacy); a supervisory authority will ask for that written assessment, not for your conclusion.

Art. 6(1)(a) GDPR: Consent

Consent is not required if another legal basis already applies, but it offers additional protection. Especially for checks that go beyond the minimum (for example, an extended sanctions-list screening or PEP screening), documented consent creates clarity for both sides. One caveat: in the application context there is an imbalance of power, and Recital 43 GDPR notes that consent is unlikely to be freely given in such a situation; Section 26(2) BDSG likewise ties the voluntariness of employee consent to the circumstances. Treat consent as a supplement to contract initiation or legitimate interest, not as the sole basis for a check the applicant cannot realistically refuse.

Section 26 of the BDSG: The German special rule

In Germany, the Federal Data Protection Act (BDSG) applies alongside the GDPR. Section 26 BDSG governs the processing of employee data, including applicant data, and allows processing that is necessary for the decision on whether to establish an employment relationship. This is the key provision for pre-employment checks in Germany. One caveat: in case C-34/21 (30 March 2023) the CJEU held that national employment-data rules under Art. 88 GDPR must add specific safeguards beyond what the GDPR already requires, and German supervisory authorities have since read Section 26(1) BDSG in combination with Art. 6(1)(b) and (f). Document that Art. 6 basis alongside Section 26 rather than relying on Section 26 alone.

nDSG: The new Swiss Data Protection Act

Since 1 September 2023, the revised Federal Act on Data Protection (nDSG, also called the revised FADP) has applied in Switzerland. It was aligned with the GDPR but has its own specifics. Unlike the GDPR, the nDSG does not follow the model of a general prohibition with a reservation of permission, under which every processing needs a legal basis. Instead, processing by private parties is generally permitted as long as the data protection principles (Art. 6 nDSG) are observed and the processing does not unlawfully violate personality rights; a justification such as consent, an overriding interest or a legal provision is needed only where it does (Art. 30 and 31 nDSG).

In practice, we recommend combining contract initiation with voluntary consent. That gives you the strongest legal basis.

What can you check — and what can’t you?

Not every check is appropriate for every role. The GDPR requires data minimization: only check what is necessary for the specific position. Here is an overview.

Allowed (with the appropriate legal basis)

  • Identity verification — Do the name, date of birth and address match? That is the foundation of every check.

  • Qualification and degree verification — Does the applicant have the degree they claim? Studies show that up to 30% of all résumés contain exaggerations or false information.

  • Employment history — Were the listed employers and time periods correct?

  • Sanctions list screening — In regulated industries, this is not optional; it is mandatory. EU, UN and OFAC lists must be checked. Read more in our article on sanctions list screening.

  • PEP screening — Is the person a politically exposed person? A must for financial service providers and other regulated industries.

  • Publicly available professional profiles — LinkedIn and similar platforms may be viewed as long as the information is professional.

Conditionally allowed (only for the appropriate role)

  • Credit check — Only for positions with financial responsibility. A credit report for a marketing role would be disproportionate.

  • Criminal record certificate — Only for certain professions, such as in education, healthcare, or security-related roles. There must be a factual connection to the job. In Germany this is the certificate of conduct (Führungszeugnis); for roles involving contact with minors, the extended certificate of conduct (erweitertes Führungszeugnis) under Section 30a of the Federal Central Criminal Register Act (BZRG) is the one to request, and the applicant obtains it themselves.

Not allowed

  • Searching private social media profiles — Facebook, Instagram and private accounts are off-limits. They are protected by privacy rights.

  • Collecting health data — Except in clearly defined exceptional cases (e.g., fitness examinations for physically demanding jobs), health data is especially protected under Art. 9 GDPR.

  • Marital status, pregnancy, religion — These data have no relevance to professional suitability and may not be collected.

  • Scoring or profiling without transparency — Decisions based solely on automated processing that have legal or similarly significant effects (for example, an automatic rejection driven by a risk score) are permitted under Art. 22 GDPR only in narrow cases. The applicant must be informed, and must be able to obtain human intervention and contest the decision. A score that a human reviews before deciding is not caught by Art. 22, but it is still profiling that you must disclose.

Rule of thumb: Only check what you would also be allowed to ask in the interview. If a question would be impermissible there, it is also impermissible in the background check.

How to design consent correctly

Even if another legal basis applies, we recommend an additional consent. It documents that the applicant was informed and agreed. But: consent is only valid if it meets certain requirements.

Requirements for valid consent

  1. Voluntariness — There must be no pressure. Phrases like ‘Without your consent, we cannot consider your application’ make the consent invalid. The applicant must have a real choice.

  2. Informed nature — The applicant must know: What exactly is being checked? Who carries out the check? Which data are collected? How long are they stored?

  3. Revocability — Consent must be revocable at any time. Withdrawing it must be just as easy as giving it.

  4. Documentation — The GDPR does not prescribe written form, but Art. 7(1) requires you to be able to demonstrate that consent was given. For evidence purposes, documented consent, whether digital or on paper, is essential: record what the applicant was shown, which checks they agreed to, and when.

Indicium offers integrated consent management. The candidate receives a transparent link, sees exactly which checks are being carried out, and gives digital consent. Everything is logged and can be traced at any time. More on our product page.

Data storage and retention periods

The GDPR has a clear principle: store data only as long as necessary. For background checks, that means the following in practice:

Recommended retention periods

  • Applicant not hired: delete the data after the rejection. Experience shows that a six-month retention period is defensible to protect against potential claims under the General Equal Treatment Act (AGG): a claim must be asserted within two months (§ 15(4) AGG) and then filed in court within a further three months (§ 61b ArbGG), so six months covers that window. After that: delete.

  • Applicant hired: check results may be stored for the duration of the employment relationship, plus the statutory retention periods after the end of the contract.

  • Regulated industries: different retention periods apply here. The BaFin, for example, requires retention of up to ten years for certain suitability checks. This stems from MaRisk requirements and sector-specific regulations.

Automatic deletion as best practice

Manual deletion processes are prone to errors. Files get forgotten, deadlines are missed, responsibilities are unclear. The best solution: automatic deletion rules that you configure once.

With Indicium, you can configure automatic retention periods. No manual tracking, no forgotten files. When the retention period expires, the data is deleted — automatically and in a documented way.
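What a retention rule engine of this kind has to get right is the edge cases: calendar-month arithmetic (a rejection on 31 January is not due on 31 July plus one day's drift), records that have no deletion date yet because the person is still employed, and an audit trail that proves the deletion happened without re-creating the personal data it documents. The following is an added example, not Indicium's code; the periods are taken from the recommendations above (six months after rejection, ten years for regulated roles), the non-regulated post-employment period is a placeholder you must set from your own statutory periods, and the sample records are constructed:

```python
"""Retention rules for background-check results, with documented deletion.

Added example, not Indicium code. Periods follow the article's
recommendations; `post_employment_years` is an ASSUMED placeholder.
"""
import calendar
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class RetentionPolicy:
    rejected_months: int = 6                    # article: six months is defensible (AGG claims)
    post_employment_years: int = 3              # ASSUMPTION: placeholder, set from your statutory periods
    regulated_post_employment_years: int = 10   # article: BaFin/MaRisk, up to ten years


@dataclass
class CheckRecord:
    record_id: str
    outcome: str          # "rejected", "hired" or "employment_ended"
    event_date: date      # rejection date, hire date, or last day of employment
    regulated: bool = False
    result: dict = field(default_factory=dict)   # the personal data that gets purged


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def purge_date(rec: CheckRecord, policy: RetentionPolicy) -> Optional[date]:
    """Date on which the record must be deleted, or None while it must be kept."""
    if rec.outcome == "rejected":
        return add_months(rec.event_date, policy.rejected_months)
    if rec.outcome == "hired":
        return None   # retained for the duration of the employment relationship
    if rec.outcome == "employment_ended":
        years = (policy.regulated_post_employment_years if rec.regulated
                 else policy.post_employment_years)
        return add_months(rec.event_date, 12 * years)
    raise ValueError(f"unknown outcome {rec.outcome!r}")


def _entry_hash(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def run_purge(store: dict, policy: RetentionPolicy, today: date,
              log: list, now: Optional[datetime] = None) -> list:
    """Delete every overdue record and append one hash-chained audit entry per deletion.

    The log records that and why a record was deleted (id, rule, due date),
    never the personal data itself, so the audit trail does not re-create
    the data it documents.
    """
    now = now or datetime.now(timezone.utc)
    deleted = []
    for rid in sorted(store):            # sorted() copies the keys, so deleting is safe
        rec = store[rid]
        due = purge_date(rec, policy)
        if due is None or due > today:
            continue
        prev = log[-1]["hash"] if log else "0" * 64
        entry = {"seq": len(log), "ts": now.isoformat(), "record_id": rid,
                 "rule": rec.outcome + ("/regulated" if rec.regulated else ""),
                 "due": due.isoformat(), "prev_hash": prev}
        entry["hash"] = _entry_hash(entry)
        log.append(entry)
        del store[rid]
        deleted.append(rid)
    return deleted


def verify_log(log: list) -> bool:
    """Recompute the hash chain; any edited, reordered or removed entry breaks it."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or body["prev_hash"] != prev or _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def sample_store() -> dict:
    """Constructed sample records, not real candidates."""
    recs = [
        CheckRecord("c-001", "rejected", date(2025, 1, 31), result={"name": "A"}),
        CheckRecord("c-002", "rejected", date(2025, 6, 15), result={"name": "B"}),
        CheckRecord("c-003", "hired", date(2024, 9, 1), result={"name": "C"}),
        CheckRecord("c-004", "employment_ended", date(2020, 3, 31), regulated=True, result={"name": "D"}),
        CheckRecord("c-005", "employment_ended", date(2021, 12, 31), result={"name": "E"}),
    ]
    return {r.record_id: r for r in recs}


if __name__ == "__main__":
    store, log = sample_store(), []
    print("deleted:", run_purge(store, RetentionPolicy(), date(2025, 8, 1), log))
    print("remaining:", sorted(store), "log intact:", verify_log(log))
```

Run on 1 August 2025, the purge deletes c-001 (rejected 31 January, due 31 July) and c-005 (non-regulated, three years after the end of employment) and leaves the June rejection, the current employee and the regulated record (due 2030) in place. The log stores only identifiers and the rule applied, which is what an auditor needs; the personal data is gone, and the chained hashes mean a later edit to the log is detectable.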

Germany vs. Switzerland: The key differences

For companies active in both countries, the comparison between German and Swiss data protection law is especially relevant. Here are the key differences:

Aspect | Germany (GDPR + BDSG) | Switzerland (nDSG)
Legal basis | Art. 6 GDPR, Section 26 BDSG | Art. 6 nDSG, principles-based; no catalogue of legal bases
Consent | Voluntary, informed, revocable | Generally similar, less formalistic
Works council | Co-determination on monitoring measures (Section 87 of the Works Constitution Act) | No comparable works council system
Supervisory authority | State data protection authorities (one per federal state, Bavaria has two) plus the federal BfDI | FDPIC (one central authority)
Fines | Up to EUR 20 million or 4% of global annual turnover, whichever is higher (Art. 83(5) GDPR), against the company | Up to CHF 250,000, against the responsible individual
Data transfer | Strict rules for transfers to third countries (Chapter V GDPR) | Federal Council’s own list of countries with adequate protection

The most notable difference in Switzerland: nDSG fines are directed at the responsible natural person rather than the company (the company itself is fined only subsidiarily, up to CHF 50,000, where identifying the individual would take disproportionate effort), they presuppose an intentional violation, and they can reach CHF 250,000. A data protection violation can therefore personally affect the compliance officer or a member of management. That fundamentally changes the risk assessment.

In Germany, the works council comes into play. If you introduce background checks, you have to involve the works council: a screening platform that logs and evaluates applicant data is a technical facility under Section 87(1) no. 6 of the Works Constitution Act, and applicant questionnaires and consent forms fall under Section 94. This applies especially to the design of the process, the selection of screening criteria and the technical implementation. Plan for this early; involving the works council later leads to delays.

The 5 most common GDPR mistakes in background checks

In our work with companies in the DACH region, we keep seeing the same mistakes. Five of them come up particularly often.

  1. Conducting checks without a legal basis. Some companies screen applicants “on the side” — a Google search here, a social media check there. Without a documented legal basis, that is a data protection violation.

  2. Checking more than is necessary for the role. A credit report for an assistant position, a criminal record certificate for a marketing manager — if you go beyond what is required, you violate the principle of data minimization.

  3. Failing to document consent. Even if the applicant agreed verbally: without documentation, you cannot prove it in a dispute. And the burden of proof is on you.

  4. Not deleting data after a rejection. Applicant data that remains stored for months or even years after a rejection is a common finding in data protection audits. After six months, you should delete it.

  5. Using US providers without checking the basis for data transfers. This is the mistake we see most often. Many companies use US-based screening tools without checking whether the transatlantic data transfer is secured in compliance with the GDPR. The Schrems II ruling (2020) invalidated the Privacy Shield; its successor, the EU-U.S. Data Privacy Framework (2023), only covers US recipients that are actually certified under it, and its durability remains contested. Verify the provider’s certification, or fall back on standard contractual clauses with a transfer impact assessment, and document why the transfer is lawful.

Mistake No. 5 is particularly tricky. US providers often have years of experience in screening — but their infrastructure and data processing were not built for the European legal framework.

How Indicium ensures GDPR compliance

At Indicium, data protection is not an afterthought. It is built into the platform from the start. We are talking about GDPR by design under Art. 25 GDPR. Concretely, that means:

  • Data in EU data centers. All data is processed and stored in the European Union. No US cloud provider, no transfer to a third country.

  • Integrated consent management. Candidates receive a transparent link. They see what is being checked and give digital consent. Everything is logged.

  • Automatic retention periods. You configure once how long data is stored. After that, automatic deletion takes effect — fully and documented.

  • Complete audit trail. Who initiated which check, and when? Who viewed the results? Every action is logged. That is crucial for your documentation obligations.

  • DPA as standard. Every Indicium customer receives a data processing agreement. No extra request, no waiting for legal.

  • SOC 2 Type II attested. Our security controls are examined by independent auditors over a multi-month observation period, and the resulting report is available to customers.

Why is this important? Because as the controller, you remain responsible for the processors you engage. Art. 28 GDPR requires you to use only processors that provide sufficient guarantees and to bind them by a data processing agreement; if the processor gets it wrong, the supervisory authority still comes to you. With Indicium, you have that guarantee.

Checklist: GDPR-compliant background check in 7 steps

To wrap up, here is a checklist you can use right away. Print it out, save it, share it with your team.

  1. Set the legal basis. Before each check, determine which legal basis applies: contract initiation, legitimate interest or consent?

  2. Adjust the scope of the check to the role. Only check what is relevant for the specific position. No blanket screening.

  3. Obtain and document consent. Inform the applicant fully. Document the consent. Make sure it is voluntary and revocable.

  4. Choose a GDPR-compliant provider. EU data processing, DPA, audit trail — these are the minimum requirements for your screening partner.

  5. Define retention periods. Set how long results will be stored. Configure automatic deletion rules.

  6. Involve the works council (Germany). Inform the works council about the process at an early stage and, where co-determination applies, conclude a works agreement before the first check.

  7. Maintain documentation. Record everything: legal basis, consent, scope of screening, results, deletion. If in doubt, you must be able to prove that you acted correctly.

Conclusion: Data protection and due diligence are not mutually exclusive

The GDPR is not an obstacle to background checks. It is a quality standard. A company that designs its screening processes in a GDPR-compliant way shows applicants and regulators alike: we take data protection seriously. And we take our duty of care seriously.

The key lies in preparation. If you know the legal bases, adapt the scope of the checks, obtain consent properly and use a European provider, you are on safe ground.

Want to see what a GDPR-compliant background check looks like in practice? Book a demo and we’ll show you how Indicium brings data protection and personnel screening together — with consent management, automatic retention periods and a complete audit trail.

Further reading:

  • What is a background check? The complete guide

  • Sanctions list screening for companies

  • PEP screening: politically exposed persons

  • LkSG and background checks

This article is for general information only and does not replace individual legal advice. For a legal assessment of your specific use case, we recommend consulting a specialized lawyer for data protection law.

Nabil el Berr, CEO

Frequently Asked Questions

Are employers in Germany allowed to conduct background checks?

Yes, employers are allowed to conduct background checks, but only in compliance with the GDPR and the Federal Data Protection Act (Section 26 BDSG). The legal basis is usually the initiation of a contract (Art. 6(1)(b) GDPR) or legitimate interest (Art. 6(1)(f) GDPR). The key principle is data minimization: only checks relevant to the specific position are permissible. An identity verification and qualification check is reasonable for any position, while a credit check is only justified for positions with financial responsibility.

Do I need the applicant's consent for a background check?

Consent is not always mandatory — if another legal basis already applies (e.g., contract initiation), the check can be conducted without explicit consent. However, in practice, a documented consent is always advisable as it ensures transparency and serves as proof in case of a dispute. Consent must be voluntary, informed, and revocable. Phrases that exert pressure (“Without consent, we cannot consider your application”) render it invalid.

How long can background check results be stored?

The GDPR requires storage minimization: Data can only be kept as long as there is a legitimate purpose. For rejected applicants, a deletion period of a maximum of six months is recommended (protection against AGG claims). For hired employees, the results can be stored for the duration of the employment relationship. In regulated industries, longer retention periods apply — BaFin requires up to ten years for certain suitability assessments according to MaRisk.

What is the difference between GDPR and the Swiss Data Protection Act (nDSG)?

The biggest difference: the nDSG does not follow the GDPR’s model of a general processing prohibition with a reservation of permission. In Switzerland, data processing is generally permitted as long as the data protection principles are observed and personality rights are not unlawfully violated. Regarding fines, the nDSG targets the responsible individual (up to CHF 250,000, for intentional violations), whereas the GDPR imposes fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher, on companies. In Germany, co-determination by the works council (Section 87 BetrVG) is an additional factor, which does not exist in Switzerland. Indicium is designed for both legal systems and meets both GDPR and nDSG requirements.

Why shouldn’t I use a US provider for background checks?

US-based screening providers often process personal data on servers in the USA. Since the Schrems II ruling by the CJEU, transatlantic data transfers require a documented transfer mechanism. The EU-US Data Privacy Framework (2023) provides a basis for transfers to certified US recipients, but data protection experts doubt its long-term stability, and it does not cover providers that are not certified. European providers like Indicium process all data in EU data centers, offer a standard data processing agreement (DPA), and are designed from the ground up for the European legal framework, without detouring through US cloud infrastructure.

Save 70% of your screening time

Every unchecked hire is a risk. Start now with automated background checks.

GDPR-compliant · Made in Europe · Results in minutes

Dashboard of the Indicium platform with its different analysis areas.
Display of an applicant’s risk level in the Indicium report.

Sign up for the newsletter

Legal Information

Made in Europe

Compliant with Data Protection

Ready to use immediately

Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.
