Background checks are becoming increasingly important in Europe. At the same time, there's a lot of uncertainty: What am I allowed to check? What not? And how do I ensure the process complies with GDPR?
Many companies face a dilemma. They want to carefully vet new employees — but fear violating data protection regulations. The result: They do no checks at all. Or they conduct checks without knowing if their approach is legally sound.
Both options are risky. This guide gives you, as an HR manager or compliance officer, a clear overview of the legal foundations — without legal jargon. You'll learn which checks are allowed, how to properly obtain consent, what deletion deadlines apply, and where Germany and Switzerland differ.
Why GDPR and background checks need to align
A background check processes personal data, such as names, birth dates, qualifications, employment histories, and sometimes financial statements or entries in sanctions lists. This means GDPR applies — without exception.
Despite this, many companies in the DACH region avoid systematic checks. The reason: Uncertainty. Am I allowed to do this at all? What happens if I make a mistake? Are fines looming?
This fear is understandable. But it leads to the wrong outcome. A company that skips background checks takes on risks that can be far more costly than a data protection violation: falsified resumes, compliance breaches, reputational damage.
A GDPR-compliant background check is not only possible — it's the only check that truly protects your company.
The GDPR does not prohibit employee checks. It provides a framework. Anyone who knows and adheres to this framework can legally vet applicants — and simultaneously build trust with candidates.
Overview of the legal foundations
Every processing of personal data requires a legal basis. For background checks, four bases come into consideration. Which one you use depends on the nature of the check and its context.
Art. 6 para. 1b GDPR: Contract initiation
This is the most common legal basis for pre-employment checks. When an applicant applies for a position, they initiate a contractual relationship. The employer may verify the details relevant to the position. Identity verification, degrees, or confirmation of previous employment — all fall under contract initiation.
Art. 6 para. 1f GDPR: Legitimate interest
For certain risk checks, legitimate interest can serve as the legal basis. This is particularly true for positions with a higher risk profile: executives, employees with access to sensitive data or financial resources. Here, a balance of interests must occur — your interest in the check against the applicant's personal rights.
Art. 6 para. 1a GDPR: Consent
Consent is not a mandatory requirement if another legal basis already applies. However, it provides additional security. Especially for checks that go beyond the minimum — like an extended sanctions list match or a PEP screening — documented consent provides clarity for both parties.
§ 26 BDSG: The German special regulation
In Germany, in addition to the GDPR, the Federal Data Protection Act applies. § 26 BDSG governs the processing of employee data. It permits data processing necessary for deciding on the establishment of an employment relationship. This is the key norm for pre-employment checks in Germany.
nDSG: The new Swiss Data Protection Act
Since September 2023, the revised Data Protection Act (nDSG) has been in effect in Switzerland. It is modeled on the GDPR but has its own peculiarities. Unlike the GDPR, the nDSG does not have a general processing prohibition with a reservation of permission. Instead, data processing is generally allowed as long as data protection principles are observed and personal rights are not violated.
In practice, we recommend combining contract initiation with voluntary consent. This gives you the strongest legal basis.
What can you check — and what not?
Not every check is appropriate for every position. The GDPR requires data minimization: Only check what's necessary for the specific position. Here's an overview.
Allowed (with appropriate legal basis)
Identity verification — Are name, birth date, and address correct? This is the foundation of every check.
Qualification and degree verification — Does the applicant have the degree they claim? Studies show that up to 30% of resumes contain exaggerations or false information.
Employment history — Are the stated employers and employment periods correct?
Sanctions list check — In regulated industries, this is not an option but a requirement. EU, UN, and OFAC lists must be checked. Learn more in our article on sanctions list checks.
PEP screening — Is the person politically exposed? A must for financial service providers and other regulated industries.
Publicly accessible professional profiles — LinkedIn and similar platforms can be viewed as long as they pertain to professional information.
Conditionally allowed (only for specific positions)
Credit check — Only for positions with financial responsibility. A credit report for a marketing role would be disproportionate.
Criminal record check — Only for certain professions, such as in education, caregiving, or security-related roles. It must have a factual link to the activity.
Not allowed
Searching private social media profiles — Facebook, Instagram, and private accounts are off-limits. They belong to personal rights.
Collecting health data — Except in clearly defined exceptional cases (e.g., fitness testing for physically demanding jobs), health data is particularly protected under Art. 9 GDPR.
Family status, pregnancy, religion — These data have no connection to professional suitability and may not be collected.
Scoring or profiling without transparency — Automated decision-making is only permitted under Art. 22 GDPR under strict conditions. The applicant must be informed.
The rule of thumb: Only check what you would be allowed to ask in an interview. If the question is impermissible there, it is also impermissible in the background check.
Structuring consent correctly
Even if another legal basis applies, we recommend obtaining additional consent. It documents that the applicant was informed and agreed. However, consent is only valid if it meets specific requirements.
Requirements for effective consent
Voluntariness — No pressure should be applied. Phrases like "Without consent, we cannot consider your application" invalidate consent. The applicant must have a real choice.
Informedness — The applicant must know: What exactly will be checked? Who is conducting the check? What data will be collected? How long will it be stored?
Revocability — Consent must be revocable at any time. Revoking should be as easy as granting it.
Written form — The GDPR does not require written form, but recommends it. For proof, documented consent — whether digital or on paper — is indispensable.
Indicium offers an integrated consent management system. The candidate receives a transparent link, sees exactly which checks are being conducted, and agrees digitally. Everything is logged and can be traced at any time. More on our product page.
Data storage and deletion deadlines
The GDPR has a clear principle: Store data only as long as necessary. For background checks, this means specifically:
Recommended deletion deadlines
Applicant not hired: Delete data after rejection. Practice shows: A six-month retention period is reasonable to protect against potential AGG (General Equal Treatment Act) claims. Afterwards: delete.
Applicant hired: Check results may be stored for the duration of the employment relationship, plus the statutory retention periods after contract termination.
Regulated sectors: Here, different deadlines apply. BaFin requires, for example, retention of up to ten years for certain qualification checks. This results from MaRisk requirements and sector-specific regulations.
Automatic deletion as best practice
Manual deletion processes are error-prone. Files are forgotten, deadlines missed, responsibilities unclear. The best solution: automatic deletion rules that you configure once.
At Indicium, you can configure automatic deletion deadlines. No manual tracking, no forgotten files. When the deadline expires, the data is deleted — automatically and documented.
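As an added illustration of such a rule (example code, not Indicium's implementation), the following Python sketch encodes the deadlines this section describes and writes each deletion to an audit log; the record layout, the outcome labels and the retention years in the sample data are assumptions.

```python
"""Retention rules for background-check results (added example, not Indicium code).
Deadlines follow the article: six months after rejection; for hires, end of employment
plus the statutory retention period; ten years for regulated roles (BaFin/MaRisk bound)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
SIX_MONTHS = timedelta(days=183)  # six-month period after a rejection
REGULATED_YEARS = 10              # article's upper bound for BaFin/MaRisk checks

@dataclass(frozen=True)
class CheckRecord:
    candidate_id: str
    outcome: str                  # "rejected" | "hired" | "hired_regulated"
    decided_on: date              # date of the rejection or hiring decision
    employment_ended: Optional[date] = None
    statutory_retention_years: int = 0  # set by legal for ordinary hires (assumption)

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:            # 29 Feb with a non-leap target year
        return d.replace(year=d.year + years, day=28)

def deletion_due(rec: CheckRecord) -> Optional[date]:
    """First day the record must be gone; None while the person is still employed."""
    if rec.outcome == "rejected":
        return rec.decided_on + SIX_MONTHS
    if rec.employment_ended is None:
        return None
    years = REGULATED_YEARS if rec.outcome == "hired_regulated" else rec.statutory_retention_years
    return _add_years(rec.employment_ended, years)

def run_deletion(records: List[CheckRecord], today: date, audit_log: list) -> List[CheckRecord]:
    """Drop records past their deadline, logging each deletion for the audit trail."""
    kept = []
    for rec in records:
        due = deletion_due(rec)
        if due is not None and today >= due:
            audit_log.append({"candidate_id": rec.candidate_id, "rule": rec.outcome,
                              "deadline": due.isoformat(), "deleted_on": today.isoformat()})
        else:
            kept.append(rec)
    return kept

SAMPLE_RECORDS = [  # constructed sample data
    CheckRecord("c-001", "rejected", date(2024, 1, 15)),
    CheckRecord("c-002", "hired", date(2022, 3, 1), date(2023, 12, 31), 3),
    CheckRecord("c-003", "hired", date(2023, 5, 2)),  # still employed, no deadline yet
    CheckRecord("c-004", "hired_regulated", date(2003, 6, 1), date(2014, 1, 31)),
]

def sample_run(today_iso: str = "2025-06-01"):
    """Apply the rules to the sample data; returns (surviving ids, audit log)."""
    log: list = []
    return [r.candidate_id for r in run_deletion(SAMPLE_RECORDS, date.fromisoformat(today_iso), log)], log
```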
Germany vs. Switzerland: Key differences
For companies operating in both countries, comparing German and Swiss data protection laws is particularly relevant. Here are the main differences:
| Aspect | Germany (GDPR + BDSG) | Switzerland (nDSG) |
|---|---|---|
| Legal basis | Art. 6 GDPR, § 26 BDSG | Art. 6 nDSG, principle-based |
| Consent | Voluntary, informed, revocable | Similar in principle, less formalistic |
| Works council | Co-determination on monitoring measures (§ 87 BetrVG) | No comparable works council system |
| Supervisory authority | State data protection authorities (16 in total) | EDÖB (a central authority) |
| Fines | Up to 4% of worldwide annual revenue | Up to CHF 250,000 (against individuals!) |
| Data transfer | Strict rules for third-country transfers | Federal Council's own country list |
The most striking feature in Switzerland: Fines are not only directed at the company but at the responsible individual. A data protection violation can personally impact the compliance officer or management — with up to CHF 250,000 fine. This fundamentally changes the risk assessment.
In Germany, however, the works council comes into play. If you introduce background checks, you must involve the works council. This particularly concerns the design of the procedure, the choice of checking criteria, and the technical implementation. Plan this early — involving the works council late leads to delays.
The 5 most common GDPR mistakes in background checks
From our work with companies in the DACH region, we repeatedly see the same mistakes. Five of them are particularly common.
1. Conducting checks without a legal basis. Some companies check applicants "on the side" — a Google search here, a social media check there. Without a documented legal basis, that's a data protection violation.
2. Checking more than necessary for the position. A credit report for an assistant position, a criminal record for a marketing manager — anyone who overshoots the mark violates the principle of data minimization.
3. Not documenting consent. Even if the applicant has given verbal agreement: Without documentation, you can't prove anything in the event of a dispute. The burden of proof lies with you.
4. Not deleting data after rejection. Applicant data that remains stored for months or even years after a rejection is a common finding in data protection audits. After six months, you should delete.
5. Using US providers without checking the data transfer basis. This is the mistake we see most often. Many companies use US-based screening tools without checking whether the transatlantic data transfer is GDPR-compliant. Since the Schrems II ruling, a simple reference to the EU-US Data Privacy Framework is not always sufficient. You must be able to document why the data transfer is lawful.
Mistake No. 5 is particularly tricky. US providers often have years of experience in screening — but their infrastructure and data processing are not built for the European legal framework.
How Indicium ensures GDPR compliance
At Indicium, data protection isn't an afterthought. It's built into the platform — from the start. We call this GDPR-by-design according to Art. 25 GDPR. Specifically, this means:
Data in EU data centers. All data is processed and stored within the European Union. No US cloud provider, no third country transfer.
Integrated consent management. Candidates receive a transparent link. They see what's being checked and agree digitally. Everything is logged.
Automatic deletion deadlines. You configure once how long data is stored. The automatic deletion then applies — fully and documented.
Complete audit trail. Who initiated which check when? Who viewed the results? Every action is logged. This is crucial for your documentation obligations.
Data processing agreement (DPA) as standard. Every Indicium customer receives a data processing agreement. No extra request, no waiting for the legal department.
SOC 2 Type II certified. Our security measures are regularly verified by independent auditors.
Why is this important? Because as an employer, you're jointly liable for the GDPR compliance of your service providers. Art. 28 GDPR requires that you only use processors that offer sufficient guarantees. With Indicium, you have this guarantee.
Checklist: GDPR-compliant background check in 7 steps
In conclusion, a checklist you can use directly. Print it out, save it, share it with your team.
1. Establish the legal basis. Check before each background check: Which legal basis applies? Contract initiation, legitimate interest, or consent?
2. Adjust the check scope to the position. Only check what's relevant for the specific role. No blanket checks.
3. Obtain and document consent. Fully inform the applicant. Document the consent. Ensure it is voluntary and revocable.
4. Choose a GDPR-compliant provider. EU data processing, a data processing agreement (DPA), an audit trail — these are the minimum requirements for your screening partner.
5. Define deletion deadlines. Determine how long results will be stored. Set up automatic deletion rules.
6. Involve the works council (Germany). Inform the works council early about the process. Obtain approval.
7. Keep documentation. Record everything: legal basis, consent, check scope, results, deletion. In case of doubt, you must be able to prove you acted correctly.
Conclusion: Data protection and duty of care are not mutually exclusive
The GDPR is not an obstacle to background checks. It's a quality feature. A company that designs its screening processes GDPR-compliant shows applicants and supervisory authorities alike: We take data protection seriously. And we take our duty of care seriously.
The key lies in preparation. Those who know the legal bases, adjust the check scope, properly obtain consent, and use a European provider are on the safe side.
Want to see what a GDPR-compliant background check looks like in practice? Book a demo and we'll show you how Indicium combines data protection and employee screening — with consent management, automatic deletion deadlines, and a complete audit trail.
Further reading:
What is a background check? The complete guide
Sanctions list screening for companies
PEP Screening: Politically exposed persons
LkSG and background checks
This article is for general informational purposes and does not replace individual legal advice. For the legal assessment of your specific application, we recommend consulting a specialized attorney in data protection law.
Nabil el Berr, CEO
Frequently Asked Questions
Are employers in Germany allowed to conduct background checks?
Yes, employers are allowed to conduct background checks — but only in compliance with the GDPR and the Federal Data Protection Act (§ 26 BDSG). The legal basis is usually the initiation of a contract (Art. 6 Para. 1b GDPR) or legitimate interest (Art. 6 Para. 1f GDPR). The key principle is data minimization: Only checks relevant to the specific position are permissible. An identity verification and qualification check is reasonable for any position, while a credit check is only justified for positions with financial responsibility.
Do I need the applicant's consent for a background check?
Consent is not always mandatory — if another legal basis already applies (e.g., contract initiation), the check can be conducted without explicit consent. However, in practice, a documented consent is always advisable as it ensures transparency and serves as proof in case of a dispute. Consent must be voluntary, informed, and revocable. Phrases that exert pressure (“Without consent, we cannot consider your application”) render it invalid.
How long can background check results be stored?
The GDPR requires storage minimization: Data can only be kept as long as there is a legitimate purpose. For rejected applicants, a deletion period of a maximum of six months is recommended (protection against AGG claims). For hired employees, the results can be stored for the duration of the employment relationship. In regulated industries, longer retention periods apply — BaFin requires up to ten years for certain suitability assessments according to MaRisk.
What is the difference between GDPR and the Swiss Data Protection Act (nDSG)?
The biggest difference: the nDSG does not have a general processing prohibition with permission as the GDPR does. In Switzerland, data processing is generally permitted as long as data protection principles are observed. Regarding fines, the nDSG impacts the responsible individual (up to CHF 250,000), whereas the GDPR imposes fines of up to 4% of the global annual turnover on companies. In Germany, co-determination by the works council (§ 87 BetrVG) is an additional factor, which doesn't exist in Switzerland. Indicium is designed for both legal systems and meets both GDPR and nDSG requirements.
Why shouldn’t I use a US provider for background checks?
US-based screening providers often process personal data on servers in the USA. Since the Schrems II ruling by the CJEU, transatlantic data transfer is legally problematic. The EU-US Data Privacy Framework provides a new basis, but data protection experts doubt its long-term stability. European providers like Indicium process all data in EU data centers, offer a standard data processing agreement (DPA), and are designed from the ground up for the European legal framework — without detouring through US cloud infrastructure.