GDPR

Social media screening of job applicants: What is legally permitted?


Applicant Social Media Screening: What is legally permitted?

Social media profiles often reveal more about candidates than a résumé does. But employers cannot simply dig through them. This guide shows what is legally permitted in Germany — and what can lead to fines.

The legal basis

Relevant provisions:

  • Section 26 BDSG (employee data protection)

  • Art. 6 GDPR (lawfulness of processing)

  • Art. 9 GDPR (special categories of personal data)

  • AGG (General Equal Treatment Act)

  • Case law of the Federal Labour Court (especially BAG 8 AZR 1007/08)

What is allowed?

1. Professional networks (LinkedIn, Xing)

Generally permitted, because these profiles are created specifically for professional exchange and are publicly accessible. The candidate puts them online for the exact purpose of being seen by potential employers.

What employers may review:

  • Professional background (consistency with the résumé)

  • Qualifications and degrees

  • Publications, articles, posts

  • Professional network

Restriction: Do not use any information that falls under the AGG (age, religion, sexual orientation, disability, etc.).

2. Public profiles on social networks (Facebook, Instagram, X)

Only with a legitimate interest and only if the content is clearly relevant to the job.

Examples where it may be permitted:

  • Candidate applies for a social media manager role → public social media presence is relevant to the job

  • Candidate publicly posts discriminatory content → can jeopardize the employment relationship

  • Public presence as a journalist, politician, or public figure

Not permitted:

  • “Digging into” applicants’ lifestyles, religion, or relationships

  • Judging photos that are not relevant to the job

  • Bypassing private content visible only to friends

What is not allowed?

1. Bypassing privacy settings

Anyone who uses fake accounts to access private profiles violates Section 202a of the German Criminal Code (data espionage). This is a criminal offense.

2. Processing sensitive data

Article 9 GDPR prohibits processing special categories of personal data without consent:

  • Religion

  • Political opinion

  • Sexual orientation

  • Trade union membership

  • Health data

  • Ethnic origin

Anyone who extracts such data from public profiles and uses it in the application process violates the GDPR.

3. AGG characteristics

The AGG prohibits discrimination based on:

  • Age

  • Gender

  • Disability

  • Religion / worldview

  • Sexual identity

  • Race / ethnic origin

Anyone who rejects applicants because of such characteristics learned from social media risks AGG claims.

4. Ongoing monitoring after hiring

Section 26 BDSG permits only checks that are necessary for establishing and carrying out the employment relationship. Continuous monitoring of employees’ social media activity is not permitted.

What does the case law say?

BAG 8 AZR 1007/08 (right-to-ask ruling)

The Federal Labour Court made it clear: employers may only ask questions (and process information) in which they have a legitimate, reasonable, and protectable interest. The same applies by analogy to information from social media.

CJEU Schrems II (C-311/18)

Indirectly relevant: social media screening often processes data via US platforms (Facebook, Instagram). Data transfers to the US are heavily restricted under Schrems II.

Social media screening in Switzerland, Austria, and across the EU

Switzerland — revDSG and Art. 328b CO

The revised Data Protection Act (revDSG) and Art. 328b CO (processing of personal data by the employer) set the framework. The basic rule: the employer may only process personal data that is necessary for the employment relationship. Social media screening must therefore have a direct connection to the specific role. Switzerland does not have a direct AGG equivalent, but the Gender Equality Act (GlG) and the constitutional prohibition of discrimination (Art. 8 of the Federal Constitution) apply in a similar way.

Austria — GDPR + Section 10 AVRAG + GlBG

Legal framework: GDPR, Section 10 AVRAG (Employment Contract Law Adjustment Act), and the Equal Treatment Act (GlBG). Special feature: the GlBG contains comparable grounds to the German AGG. Discriminatory rejection based on social media information is sanctioned under Section 26 GlBG (damages of up to several months' salary).

Across the EU — GDPR + Schrems II

An EU-wide issue: social media platforms (Facebook, Instagram, X) process data on US servers. Under the CJEU ruling Schrems II (C-311/18), such transfers are permitted only under strict conditions. Screenings on US-based platforms must therefore be safeguarded accordingly (standard contractual clauses, transfer impact assessment). Automated tools with an EU-server architecture have a structural advantage here.

Best practice: how to run legally compliant social media screening

1. Obtain consent

Even if the profiles are public, the candidate’s consent makes the process legally compliant and documentable.

2. Transparency

Tell the candidate: which platforms are being checked? Which information is being used?

3. Role relevance

Only use information that is relevant to the specific role. For an accountant, social media presence is generally not required — for a content creator, it is.

4. AGG screening

Filter out or anonymize sensitive data (religion, political opinion, etc.) in the screening before it reaches the decision-maker.

5. Documentation

Document every review: who checked which sources, and when? Which information was extracted? What role did it play in the decision?

6. Automated tool instead of manual research

Manual research by HR staff is not scalable and is prone to errors. Specialized tools like Indicium conduct GDPR-compliant social media screening: only publicly available, job-relevant information, without digging into private profiles.

Consequences of a violation

AGG claim

If a candidate is rejected in a discriminatory manner, they can claim compensation of up to 3 months’ salary.

GDPR fine

For a GDPR violation: up to €20 million or 4% of global annual turnover.

Reputational damage

If candidates share online that they were illegally screened, employer branding suffers.

What Indicium does differently in social media screening

  • Only publicly accessible, job-relevant content

  • Documented consent from the candidate

  • Anonymization of AGG-relevant characteristics

  • Focus on professional platforms (LinkedIn, Xing) + optional public profiles where the use case is job-relevant

  • Audit-proof documentation

Conclusion

Social media screening is permitted in Germany — but only with clear guardrails. Role relevance, consent, AGG compliance, and documentation are the four pillars. Anyone who checks manually often operates close to the legal limit. Automated tools with a GDPR-ready architecture are the safe route.

Book a demo and integrate social media screening into the hiring process in a legally compliant way.

Nabil El Berr


Save 70% of your screening time

Every unchecked hire is a risk. Start now with automated background checks.

GDPR-compliant · Made in Europe · Results in minutes

Sign up for the newsletter

Legal Information

Made in Europe

Compliant with Data Protection

Ready to use immediately

Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.