Remote Hiring International: Background Checks for Cross-Border EU Hiring
Freedom of movement for workers under Art. 45 TFEU is one of the four fundamental freedoms of the European single market. Combined with the ongoing normalization of hybrid and fully distributed working models, it means that HR departments in companies in the DACH region now routinely hire candidates from Portugal, Poland, Romania, or Spain without the future workplace ever being located in Germany, Austria, or Switzerland. What is strategically an opportunity — access to a talent pool of around 240 million workers — becomes, operationally, a compliance challenge. The question of which law applies to the employment relationship, which background checks are permissible, and how data may be processed across borders in compliance with the law cannot be answered by simply looking at national employment law.
This article brings together the legal coordinates for cross-border hiring, identifies the jurisdiction-specific documents that are actually required in practice, and shows how HR teams can set up a robust multi-jurisdiction screening process without falling into GDPR traps.
Which law applies to remote hiring? The conflict-of-laws starting point
Before you can decide at all on background checks, you first need to clarify which law applies. Two EU regulations provide the answer: the Rome I Regulation (EC) No. 593/2008 governs the law applicable to individual employment contracts, while the Rome II Regulation (EC) No. 864/2007 governs the law applicable to non-contractual obligations. Under Art. 8 Rome I Regulation, the law of the country in which the employee habitually carries out their work generally applies to an employment contract. For a fully remote developer based in Lisbon who works for a Zurich-based SaaS provider, Portuguese employment law applies — even if the employer is based in Switzerland.
Under Art. 8(1) Rome I Regulation, the parties can choose the applicable law, but mandatory protective provisions of the objectively applicable law cannot be waived. Concretely, that means a German employer can agree on German law with a Portuguese remote employee, but must still respect Portuguese dismissal protection rules, minimum wage requirements, vacation entitlements, and — relevant for background checks — Portuguese limits on information gathering in the recruitment process.
Posted Workers Directive: When secondment comes into play
Not every cross-border hire is a remote hire. As soon as an employee is temporarily seconded to another Member State to perform work there, the Posted Workers Directive 96/71/EC, as revised by Directive 2018/957, applies. The revision has embedded the principle of “same pay for same work at the same place” and has been binding since July 2020. In practical terms: if the Portuguese developer is seconded to Munich for three months to work on a client project, German working conditions — including pay, not just the minimum wage — apply under Art. 3(1) of Directive 2018/957.
For background screening, this has a subtle but important consequence: the assessment of reliability must be aligned not only with the employee’s home law, but also with the law of the country of assignment, especially where sensitive areas such as financial services, healthcare, or childcare centers are involved, and national sector-specific laws require special reliability certificates.
GDPR for cross-border data processing
Background checks mean data processing, and in the recruitment context almost always the processing of special categories of personal data within the meaning of Art. 9 GDPR — for example, criminal record checks, which enjoy additional protection under Art. 10 GDPR. The legal basis is usually Art. 6(1)(b) GDPR (pre-contractual steps) in conjunction with Art. 88 GDPR and the national employee-data-protection rules, in Germany in particular § 26 BDSG.
When data is collected from another EU Member State, the GDPR remains the shared framework, but the opening clauses lead to significant national diversity. France, for example, sets narrow limits on information gathering in Art. L1221-8 of the Labour Code: only data that is directly and necessary for assessing professional suitability may be collected. Italy generally prohibits inquiries into political, religious, or trade union beliefs under Art. 8 of the Workers’ Statute.
Transfers to third countries — for example to a U.S.-based screening provider — additionally require the conditions of Arts. 44 et seq. GDPR, and after the Schrems II judgment (CJEU, C-311/18), this includes a transfer impact assessment and, where applicable, Standard Contractual Clauses (SCCs) in the version of Implementing Decision (EU) 2021/914.
Country-specific documents: What really matters in the DACH and EU area
The terminology and legal content of criminal-record certificates vary considerably between Member States. Anyone hiring across Europe needs to know which document provides which level of detail and in what form an employer may request it.
Country | Document | Legal basis |
|---|---|---|
Germany | Criminal record certificate (basic / extended) | §§ 30, 30a BZRG |
Switzerland | Criminal record extract (private extract / special private extract) | Art. 46 et seq. StReG |
Austria | Criminal record extract (certificate of good conduct) | § 10 StRegG |
France | Criminal record (Bulletin no. 3) | Art. 777 Code of Criminal Procedure |
Italy | Certificato del Casellario Giudiziale; Certificato dei Carichi Pendenti | D.P.R. 313/2002 |
One key difference: the Italian Certificato dei Carichi Pendenti shows pending criminal proceedings that have not yet been finally decided — information that is not included in the German criminal record certificate. In France, Bulletin no. 3 is the version the applicant can request themselves and present to the employer; Bulletin no. 2 is reserved for certain authorities. The Swiss equivalent has, since 2015, included the special private extract under Art. 371a of the Criminal Code, a specific document for roles involving contact with minors and especially vulnerable persons.
What applies in Switzerland, Austria, and across the EU?
Switzerland: Free movement without EU membership
Switzerland is not an EU Member State, but through the Agreement on the Free Movement of Persons (AFMP, SR 0.142.112.681) of 1999 it has largely aligned itself with EU free movement of persons. For cross-border hiring, this means that EU citizens can work in Switzerland largely without discrimination, and the reverse also applies. The applicable data protection law has, since 1 September 2023, been the revised Data Protection Act (DPA); particularly relevant are Arts. 5 et seq. DPA on processing principles and Arts. 16 et seq. DPA on cross-border data transfers. On 15 January 2024, the European Commission again recognized Switzerland as a safe third country through an adequacy decision, which allows data transfers from the EU to Switzerland without additional safeguards.
For background checks by Swiss employers, Art. 328b of the Swiss Code of Obligations applies: the employer may process data only to the extent that it concerns the employee’s suitability for the employment relationship or is necessary for performing the employment contract. The Swiss special private extract under Art. 371a of the Criminal Code applies to activities involving regular contact with minors or especially vulnerable persons.
Austria: the EU single market directly
Austria is a full EU Member State; the GDPR applies directly, supplemented by the Data Protection Act (DSG) Federal Law Gazette I No. 165/1999 in its current version. In the employment context, § 26 DSG on scientific research is well known in the media, but for hiring processes the general principles are more relevant. The obtaining of a criminal record extract is governed by § 10 StRegG: the extract is issued only to the person concerned or to authorities, not directly to the employer. The employer may inspect the extract only after the applicant presents it. Sectors with heightened integrity requirements — the financial sector under § 5(1)(6) BWG, legal professions, childcare — are subject to special statutory review obligations.
EU-wide: framework decision and cross-border requests
For requesting criminal record information from other Member States, there is the European Criminal Records Information System (ECRIS), governed by Framework Decision 2009/315/JHA and supplemented by Regulation (EU) 2019/816 (ECRIS-TCN for third-country nationals). However, ECRIS is not a tool for employers; it is exclusively for judicial authorities. For applicants, the practical route is to request the extract in their home country and present it to the employer in the target country. Under the Hague Apostille Convention of 1961, the apostille has become unnecessary for many public documents within the EU since Regulation (EU) 2016/1191; certified translations may still be required.
Multi-jurisdiction screening in practice
The operational challenge is to build a screening process that is consistent across countries without demanding the maximum in every jurisdiction and thereby becoming disproportionate. A three-step model has proven effective:
Baseline screening: identity verification, verification of the highest professional qualification, reference letter review, sanctions-list screening. This block can be implemented in a GDPR-compliant way in all EU and EFTA countries and provides the substantive basis for every hiring decision.
Enhanced screening: criminal record extract from the applicant’s home country, credit checks for positions with financial responsibility, expanded reference calls. This is where country-specific documents and procedures come into play.
Special checks: sector-specific reliability certificates (banking supervision, healthcare, critical infrastructure), sanctions and PEP screening for international business relationships, and, where relevant, expanded register extracts for roles involving contact with minors.
What a background-check platform must be able to do
Choosing the right tool determines both compliance risk and operational efficiency. A robust platform for EU mobility hires must meet the following requirements:
Multi-jurisdiction coverage: direct or mediated access to the national register authorities in at least all 27 EU Member States plus the EFTA countries (Switzerland, Norway, Iceland, Liechtenstein).
GDPR-compliant architecture: hosting in the EU/EFTA area, processor arrangement under Art. 28 GDPR, documented technical and organizational measures.
Localization: applicant interfaces in the relevant local language, localized consent statements, and legal wording aligned with the national legal framework.
Auditability: complete logging of all data-processing steps, proof of the legal basis for each processing activity, and a deletion concept aligned with national retention periods.
Role and access control: granular access management that ensures only decision-makers can view sensitive results.
Concrete workflow for HR teams
A legally sound process ideally follows this sequence: first, the recruiting interview clarifies which legal system will apply to the future employment relationship — that is the switch that determines everything that follows. Then the applicant provides granular, informed consent under Art. 7 GDPR, specifying the categories of data to be processed, the recipient group, and the retention period. Criminal record extracts are requested exclusively by the applicant themselves; the employer defines which document in the respective home country is functionally equivalent to the German criminal record certificate.
The assessment takes place in a structured, documented decision-making process that explains individually why certain information is necessary for evaluating suitability. If adverse decisions are made, the limits of § 26 BDSG and the non-discrimination ban under the AGG must be observed. After the process is completed, the deletion and archiving concept applies in line with the national retention periods, typically six months after rejection or for the duration of the employment relationship plus the statutory limitation periods.
Conclusion: integration as a competitive advantage
Cross-border hiring is becoming the rule, not the exception. Companies that still run their background-check processes as a patchwork of country agreements, local service providers, and manual workarounds lose time, money, and legal certainty. The solution is a consolidated, GDPR-compliant platform that does not hide jurisdictional diversity, but maps it cleanly and lawfully. Indicium Technologies supports companies operating across the DACH region and the EU with exactly this consolidation — from process architecture to operational execution.
Book a demo and learn what a consolidated EU mobility screening process could look like in your HR workflow.
Read more — related articles
Nabil El Berr
