GDPR, Compliance, Background Check

GDPR and Background Checks: What Employers in Germany and Switzerland Need to Know

March 10, 2026

Background checks are becoming increasingly important in Europe. At the same time, there is a lot of uncertainty: What am I allowed to check? What not? And how do I ensure the process complies with GDPR?

Many companies face a dilemma. They want to thoroughly vet new employees — but fear violating data protection laws. The result: they don't check at all. Or they conduct checks without knowing if their approach is legally sound.

Both are risky. This guide gives you, as an HR manager or compliance officer, a clear overview of the legal essentials — without legal jargon. You'll learn which checks are allowed, how to correctly obtain consent, what the deletion deadlines are, and where Germany and Switzerland differ.

Why GDPR and background checks must be compatible

A background check processes personal data: names, dates of birth, qualifications, employment histories, and sometimes even financial information or entries on sanctions lists. This is where the GDPR applies — with no exceptions.

Yet, many companies in the DACH region forgo systematic checks. The reason: uncertainty. Am I even allowed to do this? What happens if I make a mistake? Are fines looming?

This fear is understandable. But it leads to the wrong outcome. A company that forgoes background checks accepts risks that can be far more costly than a data protection violation: fake résumés, compliance violations, reputational damage.

A GDPR-compliant background check is not just possible — it is the only background check that truly protects your company.

The GDPR does not prohibit personnel checks. It provides a framework. Those who know and adhere to this framework can review applicants legally — and at the same time build trust with candidates.

Overview of legal foundations

Every processing of personal data needs a legal basis. Four foundations are relevant for background checks. Which one you rely on depends on the type of review and the context.

Art. 6 para. 1b GDPR: Pre-contractual measures

This is the most common legal basis for pre-employment checks. When an applicant applies for a job, they initiate a contractual relationship. The employer may verify the information relevant to the job. An identity check, verification of degrees, or confirmation of previous employment — all of these fall under pre-contractual measures.

Art. 6 para. 1f GDPR: Legitimate interest

For certain risk checks, legitimate interest can serve as a legal basis. This applies especially to positions with a high risk profile: executives, employees with access to sensitive data or financial resources. Here, a balancing of interests is required — your interest in the check against the applicant's personal rights.

Art. 6 para. 1a GDPR: Consent

Consent is not a mandatory requirement when another legal basis applies. However, it provides additional security. Especially for checks that go beyond the minimum — such as an extended sanctions list screening or a PEP screening — documented consent provides clarity for both parties.

§ 26 BDSG: The German special regulation

In Germany, the Federal Data Protection Act applies alongside the GDPR. § 26 BDSG regulates the processing of employee data. It allows data processing necessary for the decision to establish an employment relationship. This is the central norm for pre-employment checks in Germany.

nDSG: The new Swiss Data Protection Act

Since September 2023, the revised Data Protection Act (nDSG) has been in force in Switzerland. It is modelled on the GDPR but has its own peculiarities. Unlike the GDPR, the nDSG does not have a general prohibition with a reservation of permission (Verbot mit Erlaubnisvorbehalt). Instead, data processing is generally allowed as long as the data protection principles are adhered to and no personal rights are violated.

In practice, we recommend a combination of pre-contractual measures and voluntary consent. This gives you the strongest legal basis.

What are you allowed to check — and what not?

Not every check is appropriate for every position. The GDPR demands data minimization: Only check what is necessary for the specific position. Here is an overview.

Allowed (with appropriate legal basis)

  • Identity verification — Do name, birth date, and address match? This is the basis of every check.

  • Qualification and degree verification — Does the applicant have the degree they claim? Studies show that up to 30% of all résumés contain exaggerations or false information.

  • Employment history — Are the listed employers and periods of employment accurate?

  • Sanctions list check — In regulated industries, this is not optional but mandatory. EU, UN, and OFAC lists must be checked. More on this in our article on sanctions list checks.

  • PEP screening — Is the person politically exposed? For financial service providers and other regulated industries, a must.

  • Publicly accessible professional profiles — LinkedIn and similar platforms may be accessed as long as it pertains to professional information.

Conditionally allowed (only for specific positions)

  • Credit check — Only for positions with financial responsibility. A credit report for a marketing position would be disproportionate.

  • Criminal record certificate — Only for certain professions, such as in education, care, or security-relevant positions. There must be a factual relation to the job.

Not allowed

  • Searching private social media profiles — Facebook, Instagram, and private accounts are off-limits. They fall under personal rights.

  • Collecting health data — Except in clearly defined exceptional cases (e.g., a suitability test for physically demanding jobs), health data is specially protected under Art. 9 GDPR.

  • Marital status, pregnancy, religion — These data are unrelated to professional suitability and may not be collected.

  • Scoring or profiling without transparency — Automated decision-making is only allowed under strict conditions according to Art. 22 GDPR. The applicant must be informed.

The rule of thumb: Only check what you would be allowed to ask in an interview. If the question would be inadmissible there, it is also inadmissible in a background check.

Designing consent correctly

Even if another legal basis applies, we recommend obtaining additional consent. It documents that the candidate was informed and has agreed. But: Consent is only valid if it meets certain requirements.

Requirements for effective consent

  1. Voluntariness — There must be no pressure. Phrases like "Without consent, we cannot consider your application" render the consent invalid. The applicant must have a genuine choice.

  2. Informedness — The applicant must know: What exactly is being checked? Who is conducting the check? What data is being collected? How long will it be stored?

  3. Revocability — The consent must be revocable at any time. Revocation must be as easy as giving consent.

  4. Written form — The GDPR does not require written form but recommends it. A documented consent — whether digital or on paper — is indispensable for proof.

Indicium offers integrated consent management. The candidate receives a transparent link, sees exactly which checks are being conducted, and agrees digitally. Everything is logged and can be tracked at any time. More on our product page.

Data storage and deletion deadlines

The GDPR follows a clear principle: Only store data as long as necessary. For background checks, this specifically means:

Recommended deletion deadlines

  • Applicant not hired: Delete data after rejection. Practice shows: A six-month retention period is reasonable to protect against potential AGG (General Equal Treatment Act) claims. After that: delete.

  • Applicant hired: Check results may be stored for the duration of the employment relationship, plus the statutory retention periods after the end of the contract.

  • Regulated industries: Different deadlines apply here. BaFin requires retention for up to ten years for certain suitability tests. This results from MaRisk requirements and sector-specific regulations.

Automatic deletion as best practice

Manual deletion processes are prone to errors. Files are forgotten, deadlines are exceeded, responsibilities are unclear. The best solution: automatic deletion rules, which you configure once.

With Indicium, you can configure automatic deletion deadlines. No manual tracking, no forgotten files. When the deadline expires, the data is deleted — automatically and documented.

Germany vs. Switzerland: Key differences

For companies operating in both countries, the comparison between German and Swiss data protection laws is particularly relevant. Here are the key differences:

| Aspect | Germany (GDPR + BDSG) | Switzerland (nDSG) |
|---|---|---|
| Legal basis | Art. 6 GDPR, § 26 BDSG | Art. 6 nDSG, principle-based |
| Consent | Voluntary, informed, revocable | Generally similar, less formalistic |
| Works council | Co-determination in monitoring measures (§ 87 BetrVG) | No comparable works council system |
| Supervisory authority | State data protection authorities (16) | FDPIC (one central authority) |
| Fines | Up to 4% of worldwide annual turnover | Up to CHF 250,000 (against individuals!) |
| Data transfer | Strict rules for third-country transfers | Own country list of the Federal Council |

The most noticeable peculiarity in Switzerland: fines are directed not only against the company but against the responsible individual. A data protection violation can therefore affect the compliance officer or management personally — with a fine of up to CHF 250,000. This fundamentally changes risk assessment.

In Germany, the works council comes into play. If you introduce background checks, you must involve the works council. This particularly affects the design of the process, the selection of test criteria, and the technical implementation. Plan this early — involving the works council afterwards leads to delays.

The 5 most common GDPR mistakes in background checks

From our work with companies in the DACH region, we repeatedly see the same mistakes. Five of them particularly stand out.

  1. Conducting checks without a legal basis. Some companies check applicants "on the side" — a Google search here, a social media check there. Without documented legal basis, this is a data protection violation.

  2. Checking more than necessary for the position. A credit report for an assistant position, a criminal record certificate for a marketing manager — overshooting violates the principle of data minimization.

  3. Not documenting consent. Even if the applicant has verbally agreed: Without documentation, you cannot prove anything in a dispute. And the burden of proof is on you.

  4. Not deleting data after rejection. Candidate data that is stored months or even years after a rejection is a common finding in data protection audits. After six months, you should delete.

  5. Using US providers without examining the basis for data transfer. This is the most common error we see. Many companies use US-based screening tools without checking whether the transatlantic data transfer is GDPR compliant. Since the Schrems II ruling, a simple reference to the EU-US Data Privacy Framework is not always sufficient. You must be able to document why the data transfer is lawful.

Mistake No. 5 is particularly tricky. US providers often have years of experience in screening — but their infrastructure and data processing are not built for the European legal framework.

How Indicium ensures GDPR compliance

At Indicium, data protection is not an afterthought. It is built into the platform — from the start. We are talking about GDPR-by-Design according to Art. 25 GDPR. Specifically, this means:

  • Data in EU data centers. All data is processed and stored in the European Union. No US cloud provider, no third-country transfer.

  • Integrated consent management. Candidates receive a transparent link. They see what is being checked and agree digitally. Everything is logged.

  • Automatic deletion deadlines. You configure once how long data is stored. Then the automatic deletion takes place — fully and documented.

  • Complete audit trail. Who initiated which check when? Who viewed the results? Every action is logged. This is crucial for your documentation obligations.

  • DPA as standard. Every Indicium customer receives a data processing agreement. No extra request, no waiting for the legal department.

  • SOC 2 Type II certified. Our security measures are regularly verified by independent auditors.

Why is this important? Because as an employer, you are jointly liable for the GDPR compliance of your service providers. Art. 28 GDPR requires you to only use processors that provide sufficient guarantees. With Indicium, you have that guarantee.

Checklist: GDPR-compliant background check in 7 steps

In conclusion, a checklist you can use directly. Print it out, save it, share it with your team.

  1. Determine the legal basis. Before each check, consider: What legal basis applies? Pre-contractual measures, legitimate interest, or consent?

  2. Adapt the scope of the check to the position. Only check what is relevant for the specific position. No blanket checks.

  3. Obtain and document consent. Inform the applicant fully. Document the consent. Ensure it is voluntary and revocable.

  4. Choose a GDPR-compliant provider. EU data processing, DPA, audit trail — these are the minimum requirements for your screening partner.

  5. Define deletion deadlines. Set how long results are stored. Set up automatic deletion rules.

  6. Involve the works council (Germany). Inform the works council early about the process. Obtain approval.

  7. Maintain documentation. Record everything: legal basis, consent, scope of check, results, deletion. In case of doubt, you must be able to prove that you acted correctly.

Conclusion: Data protection and duty of care are not mutually exclusive

The GDPR is not an obstacle to background checks. It is a quality feature. A company that designs its screening processes to be GDPR-compliant shows applicants and supervisory authorities alike: We take data protection seriously. And we take our duty of care seriously.

The key lies in preparation. Those who know the legal foundations, adjust the scope of checks, obtain consent properly, and use a European provider are on the safe side.

Want to see what a GDPR-compliant background check looks like in practice? Book a demo and we'll show you how Indicium combines data protection and personnel review — with consent management, automatic deletion deadlines, and a complete audit trail.

Further reading:

  • What is a Background Check? The Complete Guide

  • Sanctions List Check for Companies

  • PEP Screening: Politically Exposed Persons

  • LkSG and Background Checks

This article serves general information and does not replace individual legal advice. For the legal assessment of your specific application, we recommend consulting a specialized data protection lawyer.

Frequently asked questions

Are employers in Germany allowed to conduct background checks?

Yes, employers may conduct background checks, but only in compliance with the GDPR and the Federal Data Protection Act (§ 26 BDSG). The legal basis is usually the initiation of a contract (Art. 6 para. 1b GDPR) or legitimate interest (Art. 6 para. 1f GDPR). The decisive principle is data minimization: only checks that are relevant to the specific position are permissible. Identity verification and qualification checks are justifiable for every position, whereas a credit check is only justifiable for positions with financial responsibility.

Do I need the applicant's consent for a background check?

Consent is not mandatory in every case: if another legal basis already applies (e.g. pre-contractual measures), the check can be carried out without explicit consent. In practice, however, additional documented consent is always recommended, as it creates transparency and serves as evidence in a dispute. Consent must be voluntary, informed and revocable. Wording that exerts pressure ("Without consent, we cannot consider your application") renders it invalid.

How long may background check results be stored?

The GDPR requires storage limitation: data may only be retained as long as there is a legitimate purpose. For rejected applicants, a deletion deadline of at most six months is recommended (protection against AGG claims). For hired employees, the results may be stored for the duration of the employment relationship. Longer retention periods apply in regulated industries: BaFin requires up to ten years for certain suitability tests under MaRisk.

What is the difference between the GDPR and the Swiss Data Protection Act (nDSG)?

The biggest difference: the nDSG has no general processing prohibition with a reservation of permission as the GDPR does. In Switzerland, data processing is generally permitted as long as the data protection principles are observed. With regard to fines, the nDSG targets the responsible individual (up to CHF 250,000), while the GDPR imposes fines on companies of up to 4% of worldwide annual turnover. In Germany, works council co-determination (§ 87 BetrVG) also applies, which does not exist in Switzerland. Indicium is designed for both legal systems and meets both GDPR and nDSG requirements.

Why shouldn't I use a US provider for background checks?

US-based screening providers often process personal data on servers in the USA. Since the Schrems II ruling of the CJEU, transatlantic data transfer has been legally problematic. The EU-US Data Privacy Framework does provide a new basis, but data protection experts doubt its long-term stability. European providers such as Indicium process all data in EU data centers, offer a data processing agreement (DPA) as standard, and are designed from the ground up for the European legal framework, without detours via US cloud infrastructure.

Next steps

GDPR-compliant background checks are not a contradiction: with the right platform, they are standard. Indicium offers integrated consent management, automatic deletion deadlines and a complete audit trail.

Hünenberg (Switzerland) · Hamburg (Germany) © 2026 Indicium Technologies AG. All rights reserved.