Social Media Screening of Applicants: What Is Legally Permitted?
Social media profiles often reveal more about candidates than a résumé does. But employers are not allowed to simply scrutinize them. This guide shows what is legally permitted in Germany — and what can lead to fines.
The legal basis
Relevant provisions:
§ 26 BDSG (employment data protection)
Art. 6 GDPR (lawfulness of processing)
Art. 9 GDPR (special categories of personal data)
Case law of the Federal Labour Court (especially BAG 8 AZR 1007/08)
What is permitted?
1. Professional networks (LinkedIn, Xing)
Generally permitted, because these profiles are intentionally created for professional exchange and are publicly accessible. The applicant puts them online precisely so that potential employers can see them.
What employers may review:
Professional career path (plausibility against the résumé)
Qualifications and degrees
Publications, articles, contributions
Professional network
Restriction: Do not use information that falls under the AGG (age, religion, sexual orientation, disability, etc.).
2. Public profiles on social networks (Facebook, Instagram, X)
Only with a legitimate interest and if the content is clearly relevant to the job.
Examples where it may be allowed:
Candidate is applying for a Social Media Manager role → public social media presence is relevant to the job
Candidate publicly posts discriminatory content → may jeopardize the employment relationship
Public presence as a journalist, politician, or public figure
Not permitted:
“Scrutinizing” applicants for lifestyle, religion, or relationships
Evaluating photos that are not relevant to the job
Bypassing private content visible only to friends
What is not permitted?
1. Bypassing privacy settings
Anyone who uses fake accounts to access closed profiles violates Section 202a German Criminal Code (data espionage). This is a criminal offense.
2. Processing sensitive data
Art. 9 GDPR prohibits the processing of special categories of personal data without consent:
Religion
Political opinion
Sexual orientation
Trade union membership
Health data
Ethnic origin
Anyone who extracts such data from public profiles and uses it in the application process violates the GDPR.
3. AGG characteristics
The AGG prohibits discrimination based on:
Age
Gender
Disability
Religion / belief
Sexual identity
Race / ethnic origin
Anyone who rejects applicants because of such characteristics learned from social media risks AGG claims.
4. Ongoing monitoring after hiring
§ 26 BDSG allows only checks that are necessary for establishing and carrying out the employment relationship. Ongoing monitoring of employees’ social media activity is not permitted.
What does case law say?
BAG 8 AZR 1007/08 (questioning rights ruling)
The Federal Labour Court has made it clear: employers may only ask questions (and process the answers) where they have a legitimate, reasonable interest worthy of protection. The same applies by analogy to information obtained from social media.
CJEU Schrems II (C-311/18)
Indirectly relevant: social media screening often involves data processed via US platforms (Facebook, Instagram). Data transfers to the US are significantly restricted under Schrems II.
Social media screening in Switzerland, Austria, and across the EU
Switzerland — revDSG and Art. 328b CO
The revised Data Protection Act (revDSG) and Art. 328b CO (processing of personal data by the employer) form the framework. Principle: the employer may only process personal data that is necessary for the employment relationship. Social media screening must therefore have a direct connection to the specific role. Switzerland does not have a direct AGG equivalent, but the Gender Equality Act (GlG) and the discrimination ban in the Federal Constitution (Art. 8 FC) apply in a similar way.
Austria — GDPR + § 10 AVRAG + GlBG
Legal framework: GDPR, § 10 AVRAG (Employment Contract Law Adaptation Act) and the Equal Treatment Act (GlBG). Special feature: the GlBG contains comparable provisions to the German AGG. Discriminatory rejection based on social media information is sanctioned under § 26 GlBG (damages of up to several monthly salaries).
Across the EU — GDPR + Schrems II
A Europe-wide issue: social media platforms (Facebook, Instagram, X) process data on US servers. Under the CJEU judgment Schrems II (C-311/18), such transfers are only permitted under strict conditions. Screenings on US platforms must therefore be properly safeguarded (standard contractual clauses, transfer impact assessment). Automated tools with an EU server architecture have a structural advantage here.
Best practice: how to conduct legally compliant social media screening
1. Obtain consent
Even if the profiles are public — the candidate’s consent makes the process legally secure and documentable.
2. Transparency
Tell the candidate: Which platforms will be reviewed? Which information will be used?
3. Role relevance
Use only information that is relevant to the specific role. For an accountant, questions about social media presence are usually not necessary — for a content creator, they are.
4. AGG screening
Hide or anonymize sensitive data (religion, political opinion, etc.) in the screening before it reaches the decision-maker.
5. Documentation
Document each review: Who checked which sources, and when? Which information was extracted? What role did it play in the decision?
6. Automated tool instead of manual research
Manual research by HR staff is not scalable and is prone to errors. Specialized tools like Indicium carry out GDPR-compliant social media screening: only publicly accessible, job-relevant information, without scrutinizing private profiles.
Consequences of violations
AGG claim
If an applicant is rejected in a discriminatory way, they may claim damages of up to 3 monthly salaries.
GDPR fine
For a GDPR violation: up to €20 million or 4% of global annual revenue.
Reputational damage
If applicants report online how they were illegally scrutinized, employer branding suffers.
What Indicium does differently in social media screening
Only publicly accessible, job-relevant content
Documented consent from the candidate
Anonymization of AGG-relevant characteristics
Focus on professional platforms (LinkedIn, Xing) + optional public profiles when the use case is job-relevant
Audit-proof documentation
Conclusion
Social media screening is permitted in Germany — but only with clear guardrails. Role relevance, consent, AGG compliance, and documentation are the four pillars. Anyone who checks manually often moves right up to the legal limit. Automated tools with a GDPR-ready architecture are the safe path.
Book a demo and integrate social media screening into the hiring process in a legally compliant way.
Nabil El Berr