The Compliance Compass: Your Guide to Legally Sound Pre-Employment Checks
In a globalized economy, trust is good, validation is better. But you know the dilemma facing German employers: on the one hand, you want to ensure the integrity of new employees (Duty of Care) to protect your company from fraud and reputational damage. On the other hand, the GDPR and German employment law set one of the strictest frameworks in the world.
Do you sometimes feel paralyzed in this tension? The fear of fines or bad press often leads to necessary checks not being carried out at all—or, even riskier, to “secret” Googling. Neither is a strategy for professional risk management.
This guide is your navigation tool. We translate the complex legal landscape into clear, practical guidance. Because data protection is not a stop sign, but a quality framework. Once you know the rules, compliance goes from a brake pedal to a competitive advantage.

The foundation: necessity instead of consent
To understand what is allowed, you need to let go of one idea: that a candidate’s signature on a “Consent Form” opens every door. In employment law, these consents are often worthless. Why? Because courts assume the candidate wants the job and is therefore in a position of pressure—the legally required “freedom of choice” is often missing.
The real enabler for your checks is Section 26(1) of the BDSG.
This provision allows you to process data when it is necessary for the decision on the employment relationship.
The magic word is relevance.
Is a theft conviction relevant for a cashier? Yes, because it concerns the protection of assets.
Is a credit check relevant for a warehouse worker? No, because there is no connection to the job.
A modern background check is not a “dragnet,” but a precision tool that checks only job-relevant risks.
The modules in the practical check: What are you allowed to do?
Based on current supervisory authority practice, you can clearly categorize the areas of review:
A. Education & Employment (The “Resume Fraud”)
Resumes are increasingly being “optimized.” Since professional suitability is the key criterion, Section 26 BDSG fully covers validation.
Your approach: You may request and review original documents.
Pro tip: For foreign qualifications, use the “anabin” database. Because this only checks the status of the institution, it is harmless from a data protection perspective.
Important: Don’t call the university without the candidate’s knowledge. Get explicit authorization for this.
B. Certificates of good conduct (Criminal Record)
What is standard in the U.S. is the exception here. You do not have direct access to the Federal Central Criminal Register.
When is it permitted? Only when there is a direct relevance (e.g., work with minors, cash transport, security, sensitive infrastructure).
Important: Never store a copy permanently in the personnel file (violation of Art. 10 GDPR).
Best practice: Make a note: “Certificate of good conduct dated [date] was provided. No relevant entries.” That is sufficient to meet the evidence requirement.
C. Financial Integrity (Creditworthiness & Insolvency)
Finances are private. Debts say nothing about work ethic.
The exception: Positions with significant financial responsibility (CFO, authorized signatory). Here, your legitimate interest in preventing damage outweighs privacy concerns.
The process: Request a self-disclosure and allow the candidate to redact irrelevant data (e.g., mobile phone contracts).
D. Social Media & Internet (Separating the spheres)
Are you allowed to “Google” candidates? The answer is a clear “yes and no.” Make a strict distinction:
Career-oriented networks (LinkedIn, Xing): You may research here (Section 26 BDSG), as the data is used for professional presentation.
Leisure-oriented networks (Facebook, Instagram, TikTok): Here there is an expectation of privacy. Screening is not permitted. Friend requests from HR are off-limits.
The compliance trap (Art. 14 GDPR):
If you use data from the internet, you must inform the candidate about it. Anyone who secretly Googles and uses the information commits an infringement.
Solution: Add a clause to your privacy notice stating that “public sources related to professional activities” will be reviewed.
E. Sanctions lists
You may not make any payments to persons on EU terrorism lists. Screening against EU sanctions lists is now recognized as a legitimate interest.
Process hygiene: retention periods & documentation
Legal certainty comes not only from the “what,” but above all from the “how.”
Documentation without discrimination: If a rejected candidate sues (AGG) or requests information, your files must be clean. Avoid subjective notes (“looks old,” “probably planning a family”). Document only facts (“qualification not verified”).
Retention periods: You may not store data from rejected candidates forever. Standard retention period: 3 to 6 months after rejection.
Talent pool: If you want to store candidates for longer (e.g., 12–24 months), you absolutely need separate, voluntary consent.
How Indicium gives you confidence (The “Clean Room”)
Many people shy away from checks because they fear making mistakes. Manual research carries the risk that you accidentally see protected data (e.g., a photo suggesting pregnancy or religion). Once seen, you can’t “unsee” that knowledge—you become vulnerable.
Here, Indicium acts as your strategic “clean room”:
Filtering function: The software checks sources but filters out legally sensitive information. You only see the cleaned result (e.g., “degree verified”).
Automated necessity: The system only allows checks that have been preconfigured for the respective job category.
Transparency guarantee: The information obligations toward the candidate are handled automatically.
Checklist for practice (Permissibility matrix)
Print this overview to navigate safely in everyday work:
| Type of check | Legal basis | Permissibility & condition | Your practical recommendation |
|---|---|---|---|
| Resume | Section 26 BDSG | ✅ High. Basis of every hire. | Introduce a standard process. |
| Original certificates | Section 26 BDSG | ✅ High. Submitted by the candidate. | Check (or have checked) for authenticity. |
| References (former employer) | Consent | ⚠️ Medium. Only with explicit consent. | Ask: “Whom may we contact?” |
| LinkedIn / Xing | Section 26 BDSG | ✅ High. Professional context. | Permitted, but observe the information duty. |
| Instagram / FB | None | ⛔ Not permitted. Privacy. | Keep your hands off. No friend requests. |
| Certificate of good conduct | Section 26 BDSG | 🟡 Conditional. Only when relevant. | View only; do not store a copy. |
| Creditworthiness | Section 26 BDSG | 🟡 Conditional. Only where there is a financial risk. | Request self-disclosure from the candidate. |
| Sanctions lists (EU) | Art. 6(1)(f) GDPR | ✅ High. Compliance interest. | Include in the privacy notice. |
Conclusion: Be bold about professionalism
A clean pre-employment check is not a bureaucratic monster. It reflects your professional management. By standardizing validation processes, you protect your company from harm and your HR team from legal missteps. At the same time, you signal to candidates: “We work fairly, transparently, and securely.”
Use the possibilities of the GDPR instead of fearing them.
Would you like to audit your processes?
Disclaimer: This guide is intended for general information and orientation based on the current legal situation. It does not replace individual legal advice from a lawyer or data protection officer.
"The legal requirements for employers in Europe are high, which is precisely why software that addresses these challenges is necessary."
Nabil el Berr, CEO