The Compliance Compass: Your Guide to Legally Secure Pre-Employment Checks
In a globalized economy, trust is good, validation is better. But you know the dilemma of German employers: on one hand, you want to ensure the integrity of new employees (duty of care) to protect your company from fraud and reputational damage. On the other hand, the GDPR and German labor law give you one of the strictest frameworks in the world.
Do you sometimes feel paralyzed by this tension? The fear of fines or bad press often leads to necessary checks not taking place at all, or, even riskier, to their being conducted through covert Googling. Neither is a strategy for professional risk management.
This guide is your navigational tool. We translate the complex legal situation into a clear action plan. Data protection is not a prohibition sign but a quality framework: if you know the rules, compliance shifts from being a brake to being a competitive advantage.

The Foundation: Necessity Instead of Consent
To understand what is permissible, you must discard one idea: that a candidate's signature on a "consent form" opens all doors. In employment law, such consent is often of little value as a legal basis. Why? Because § 26 Abs. 2 BDSG requires consent to be voluntary, and courts and supervisory authorities assume that an applicant who wants the job is in a position of dependency, so the required voluntariness is frequently missing.
The true enabler for your checks is § 26 Abs. 1 BDSG.
This provision allows you to process data if it is necessary for deciding whether to establish an employment relationship.
The key word is relevance (necessity).
Is it relevant for a cashier to have a history of theft convictions? Yes. (Protection of assets).
Is it relevant for a warehouse worker to have their creditworthiness scrutinized? No. (No relation to the job).
A modern background check is not a dragnet but a precision instrument that examines only job-relevant risks.
The Modules in a Practical Check: What Can You Do?
Based on the current practices of the supervisory authorities, you can clearly categorize the areas of examination:
A. Education & Employment (The "Resume Fraud")
Resumes are increasingly being "optimized." Since professional qualification is the core criterion, § 26 BDSG fully covers validation.
Your Approach: You are allowed to request and inspect original documents.
Pro Tip: Use the "anabin" database for foreign qualifications. Since it only records the status of the institution and the degree, and holds no personal data about the applicant, consulting it is unobjectionable in terms of data protection.
Warning: Do not call the university or a former employer without the applicant's knowledge. Obtain explicit approval for this, and document whom you were permitted to contact.
B. Criminal Records
What is standard in the USA is the exception here. You do not have direct access to the central federal register (Bundeszentralregister); the applicant must apply for the certificate of conduct (Führungszeugnis) themselves and present it to you.
When is it permissible? Only in cases of direct relevance (e.g., work with minors, cash transport, security services, sensitive infrastructure).
Important: Never permanently store a copy in the personnel file. Data on criminal convictions is specially protected under Art. 10 GDPR, and retaining the certificate goes beyond what is necessary for the hiring decision (data minimization, Art. 5(1)(c) GDPR).
Best Practice: Make a note: "Criminal record certificate dated [date] presented. No relevant entries." This suffices for documentation purposes.
C. Financial Integrity (Creditworthiness & Insolvency)
Finances are a private matter. Debts say nothing about work ethic.
The Exception: Positions with significant financial responsibility (CFO, signatory authority, cash handling). Here, your interest in preventing damage prevails.
The Process: Request a self-disclosure and allow the candidate to redact irrelevant data (e.g., mobile phone contracts). Do not pull a credit-agency report behind the applicant's back.
D. Social Media & Internet (Separation of Spheres)
Are you allowed to "Google" candidates? The answer is a clear "Yes and No." Make a strict distinction:
Professionally-Oriented Networks (LinkedIn, Xing): You can research here (§ 26 BDSG), as the data is published for professional self-presentation.
Leisure-Oriented Networks (Facebook, Instagram, TikTok): There is an expectation of privacy here. Screening is prohibited. Friend requests from HR are taboo.
The Compliance Trap (Art. 14 GDPR):
If you collect data about an applicant from sources other than the applicant, you must inform them of this. Secretly Googling and using the information constitutes a violation of the information obligation.
Solution: Include a clause in your applicant privacy notice stating that "professionally relevant public sources" are checked, and name the kinds of sources.
E. Sanctions Lists
You may not transfer funds, including salary, to individuals on EU terrorist lists. Screening applicants against the EU sanctions lists is therefore recognized as a legitimate interest (Art. 6(1)(f) GDPR), backed by the directly applicable EU anti-terrorism regulations.
Process Hygiene: Deletion Periods & Documentation
Legal certainty arises not only from the "what" but especially from the "how."
Documentation Without Discrimination: If a rejected applicant sues under the General Equal Treatment Act (AGG) or requests access to their data (Art. 15 GDPR), your files must be clean. Avoid subjective notes ("looks old," "probably planning a family"). Document only facts ("Qualification not verified").
Deletion Periods: You may not store data from rejected applicants indefinitely. Usual period: 3 to 6 months after rejection, which covers the two-month period for asserting AGG claims plus the time in which a claim can still be filed in court.
Talent Pool: If you wish to retain candidates longer (e.g., 12 to 24 months), you need separate, voluntary consent that the candidate can revoke at any time.
How Indicium Provides You Security (The "Clean Room")
Many shy away from checks because they fear mistakes. Manual research carries the risk of accidentally seeing protected data (e.g., a photo suggesting pregnancy or religion). Once seen, you can't "unsee" this knowledge, and you can no longer prove that it did not influence your decision.
This is where Indicium acts as your strategic "Clean Room":
Filtering Function: The software examines sources but filters out legally critical information. You see only the filtered results (e.g., "Degree verified").
Automated Necessity: The system permits only those checks configured in advance for the specific job category.
Transparency Guarantee: The information obligations towards the candidate are handled automatically.
Checklist for Practice (Permissibility Matrix)
Print out this overview to navigate safely in daily practice:
Type of Check | Legal Basis | Permissibility & Condition | Your Practice Recommendation |
Resume | § 26 BDSG | ✅ High. Basis of every hire. | Implement standard process. |
Original Certificates | § 26 BDSG | ✅ High. Submission by applicant. | Check authenticity (or have it checked). |
References (Ex-Employer) | Consent | ⚠️ Medium. Only with explicit consent. | Ask: "Whom may we contact?" |
LinkedIn / Xing | § 26 BDSG | ✅ High. Professional context. | Permissible, but observe information obligations. |
Instagram / FB | - | ⛔ Not permissible. Privacy. | Hands off. No friend requests. |
Criminal Record | § 26 BDSG | 🟡 Conditional. Only relevant. | Viewing only, do not store a copy. |
Creditworthiness | § 26 BDSG | 🟡 Conditional. Only in financial risk. | Request self-disclosure from the applicant. |
Sanctions Lists (EU) | Art. 6(1)(f) GDPR | ✅ High. Compliance interest. | Include in privacy notice. |
Conclusion: Courage for Professionalism
A clean pre-employment check is not a bureaucratic monster. It is an expression of professional management. By standardizing your validation processes, you protect your company from damage and your HR team from legal missteps. At the same time, you signal to applicants: "We work fairly, transparently, and securely."
Use the opportunities the GDPR offers instead of fearing it.
Would you like to audit your processes?
Let's take a look together to determine what level of scrutiny is necessary and permissible for your open positions.
Disclaimer: This guide is for general information and orientation based on current legal status. It does not replace individual legal advice from a lawyer or data protection officer.
"The legal requirements for employers in Europe are high, which is precisely why software that addresses these challenges is necessary."
Nabil el Berr, CEO