Legal, HR Best Practices, White Paper

The Compliance Compass: A Practical Guide to Legally Compliant Pre-Employment Checks


The Compliance Compass: Your Guide to Legally Sound Pre-Employment Checks

In a globalized economy, trust is good, verification is better. But you know the dilemma of German employers: On one hand, you want to ensure the integrity of new employees (Duty of Care) to protect your company from fraud and reputational damage. On the other hand, the GDPR and German labor law impose some of the strictest frameworks in the world on you.

Do you sometimes feel paralyzed in this field of tension? Fear of fines or bad press often leads to necessary checks not taking place at all—or, even riskier, to „secret“ googling. Neither is a strategy for professional risk management.

This guide is your navigational tool. We translate the complex legal situation into a clear action plan for you. After all, data protection is not a prohibition sign; it's a quality framework. Once you know the rules, compliance turns from a brake block into a competitive advantage.



The Foundation: Necessity Instead of Consent

To understand what is allowed, you must say goodbye to one thought: that a candidate’s signature („Consent Form“) opens all doors. In labor law, these consents are often worthless. Why? Because courts assume the applicant wants the job and is therefore acting under duress, so the legally necessary „voluntariness“ is often missing.

The true enabler for your checks is § 26 para. 1 BDSG.

This provision allows you to process data when it is required for the decision regarding the employment relationship.

The magic word is relevance.

  • Is it relevant for a cashier to know if they have a criminal record for theft? Yes. (Protection of assets).

  • Is it relevant for a warehouse worker to know their credit score? No. (No relation to the job).

A modern background check is not a „dragnet“, but a precision instrument that only examines job-relevant risks.


The Modules in Practice Check: What Are You Allowed to Do?

Based on the current practice of supervisory authorities, you can clearly categorize the examination areas:

A. Education & Employment (The „Resume Fraud“)

Resumes are increasingly being „optimized“. Since professional qualification is the core criterion, § 26 BDSG fully covers validation.

  • Your Approach: You may request and examine original documents.

  • Pro Tip: Use the „anabin“ database for foreign degrees. Since only the status of the institution is checked here, this is unobjectionable under data protection law.

  • Caution: Do not call the university without the applicant’s knowledge. Get explicit permission for this.

B. Criminal Records

What is standard in the USA is the exception here. You have no direct access to the Federal Central Register.

  • When permissible? Only with direct relevance (e.g., working with minors, money transport, security, sensitive infrastructure).

  • Important: Never store a copy permanently in the personnel file (violation of Art. 10 GDPR).

  • Best Practice: Make a note: „Criminal record dated [date] was presented. No relevant entries.“ This suffices for the proof obligation.

C. Financial Integrity (Creditworthiness & Insolvency)

Finances are a private matter. Debts say nothing about work ethic.

  • The Exception: Positions with significant financial responsibility (CFO, authorized signatory). Here, your legitimate interest in preventing damage prevails.

  • The Process: Request a self-disclosure and allow the candidate to redact irrelevant data (e.g., mobile phone contracts).

D. Social Media & Internet (Separating the Spheres)

Are you allowed to „google“ applicants? The answer is a clear „Yes and No“. Distinguish strictly:

  1. Professionally oriented networks (LinkedIn, Xing): Here you may research (§ 26 BDSG), as the data serves professional representation.

  2. Leisure-oriented networks (Facebook, Insta, TikTok): There is an expectation of privacy here. Screening is inadmissible. Friend requests by HR are taboo.

The Compliance Trap (Art. 14 GDPR):

If you use data from the internet, you must inform the applicant. Anyone who secretly googles and uses the information is committing a violation.

Solution: Include a clause in your privacy notices stating that „professionally related public sources“ are reviewed.

E. Sanctions Lists

You are not allowed to pay money to persons on EU terror lists. A match against EU sanctions lists is now recognized as a legitimate interest.


Process Hygiene: Deletion Periods & Documentation

Legal certainty is not only created by the „What“ but above all by the „How“.

  • Non-Discriminatory Documentation: If a rejected applicant sues (AGG) or requests information, your files need to be clean. Avoid subjective notes („seems old“, „probably planning a family“). Only document facts („qualification not verified“).

  • Deletion periods: You may not store data of rejected applicants indefinitely. Regular period: 3 to 6 months after rejection.

  • Talent Pool: If you want to store candidates longer (e.g., 12-24 months), you need a separate, voluntary consent.


How Indicium Gives You Security (The „Clean Room“)

Many shy away from checks because they fear mistakes. Manual research carries the risk that you might inadvertently see protected data (e.g., a photo suggesting pregnancy or religion). Once seen, you cannot „unsee“ this knowledge—you are vulnerable.

This is where Indicium acts as your strategic „Clean Room“:

  1. Filter Function: The software checks sources, but filters out legally critical information. You only see the sanitized result (e.g., „degree verified“).

  2. Automated Necessity: The system only allows checks that have been configured in advance for the respective job category.

  3. Transparency Guarantee: The obligations to inform the candidate are automatically assumed.


Checklist for Practice (Admissibility Matrix)

Print out this overview to navigate safely in everyday life:

| Type of Check | Legal Basis | Admissibility & Condition | Your Practice Recommendation |
|---|---|---|---|
| Resume | § 26 BDSG | High. Basis of every hiring. | Introduce standard process. |
| Original Certificates | § 26 BDSG | High. Provided by applicant. | Verify authenticity (or have it verified). |
| References (Ex-Employer) | Consent | ⚠️ Medium. Only with explicit consent. | Ask: „Who may we contact?“ |
| LinkedIn / Xing | § 26 BDSG | High. Professional context. | Admissible, but remember information obligation. |
| Instagram / FB | - | Not allowed. Privacy. | Stay away. No friend requests. |
| Criminal Record | § 26 BDSG | 🟡 Conditional. Only when relevant. | Viewing only, no copy storage. |
| Credit Check | § 26 BDSG | 🟡 Conditional. Only with financial risk. | Request self-disclosure from applicant. |
| Sanctions Lists (EU) | Art. 6f GDPR | High. Compliance interest. | Include in privacy notices. |


Conclusion: Courage for Professionalism

A clean pre-employment check is not a bureaucratic monster. It is an expression of your professional management. By standardizing validation processes, you protect your company from damage and your HR team from legal missteps. At the same time, you signal to applicants: „We operate fairly, transparently, and safely.“

Use the opportunities of the GDPR rather than fearing them.

Do you want to audit your processes?

Let’s look together at what level of checking is necessary and permissible for your open positions.

Disclaimer: This guide serves as general information and orientation based on the current legal situation. It does not replace individual legal advice from a lawyer or data protection officer.

"The legal requirements for employers in Europe are high, which is precisely why software that addresses these challenges is necessary."

Nabil el Berr, CEO


Experience the demo

Save time and costs – start your free demo now

With just a few clicks, achieve legally compliant background checks – fast, digital, and GDPR-compliant.


Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG. All rights reserved.

Made in Europe

Compliant with Data Protection

Ready to use immediately
