The Compliance Compass: Your Guide to Legally Secure Pre-Employment Checks
In a global economy, trust is good, but verification is better. You know the dilemma faced by German employers: on one hand, you want to confirm the integrity of new hires (duty of care) to protect your company from fraud and reputational damage; on the other, the GDPR and German labor law give you one of the strictest legal frameworks in the world.
Do you sometimes feel paralyzed by this tension? Fear of fines or bad press often leads to necessary checks not being carried out at all, or, even riskier, to candidates being "secretly" googled. Neither is a strategy for professional risk management.
This guide is your navigation tool. It translates the complex legal situation into a clear action plan. Data protection is not a prohibition sign but a quality framework: once you know the rules, compliance becomes a competitive advantage instead of a drag.

The Foundation: Necessity instead of Consent
To understand what is permitted, you need to let go of one idea: that a candidate's signature on a "consent form" opens every door. In the employment context, such consent is frequently worthless. Why? Because the applicant wants the job and is in a position of dependency, so courts and supervisory authorities regularly find that the "voluntariness" consent requires (Art. 7(4) GDPR, § 26(2) BDSG) is missing. § 26(8) BDSG expressly extends this to applicants.
The true enabler for your checks is § 26(1) sentence 1 BDSG.
This provision allows you to process an applicant's data if doing so is necessary to decide whether to establish the employment relationship.
The key word is relevance.
Is it relevant for a cashier to know whether they have a theft conviction? Yes (protection of company assets).
Is it relevant for a warehouse worker to know their creditworthiness? No (no connection to their duties).
A modern background check is therefore not a "dragnet" but a precision tool that examines only job-related risks.
The Modules in Practice: What Are You Allowed to Check?
Based on current supervisory-authority practice, the areas of verification can be clearly categorized:
A. Education & Employment ("Resume Fraud")
CVs are increasingly "optimized." Since professional competence is the core hiring criterion, validating it is fully covered by § 26 BDSG.
Your Procedure: You may request original documents and verify them.
Pro Tip: Use the "anabin" database for foreign degrees. It only rates the status of institutions and degree types, not individuals, so no applicant data is processed and it is legally unobjectionable.
Warning: Do not contact universities without the applicant's knowledge. Obtain explicit permission first.
B. Certificate of Conduct (Criminal Record)
What is standard in the USA is the exception here. You have no direct access to the Federal Central Register (Bundeszentralregister); only the applicant can obtain a certificate of conduct and present it to you.
When Permissible? Only where there is a direct connection to the role (e.g. working with minors, cash transport, security, critical infrastructure).
Important: Never store a copy permanently in the personnel file. A permanent copy exceeds what is necessary and violates the storage-limitation principle (Art. 5(1)(e) GDPR) and the restrictions on processing conviction data (Art. 10 GDPR).
Best Practice: Record a note such as "Certificate of conduct dated [Date] was presented. No relevant entries." This satisfies the documentation requirement.
C. Financial Integrity (Creditworthiness & Insolvency)
Finances are private. Debt says nothing about work ethic.
The Exception: Positions with significant financial responsibility (CFO, signatory authority, cash handling at scale). Here your legitimate interest in preventing financial damage prevails.
The Process: Request a self-disclosure (e.g. a credit-agency report obtained by the applicant) and allow the candidate to redact irrelevant entries (e.g. mobile-phone contracts) before handing it over.
D. Social Media & Internet (Separation of Spheres)
Are you allowed to "google" candidates? The answer is a clear "yes and no." Distinguish carefully:
Professional Networks (LinkedIn, Xing): You may research here (§ 26 BDSG), because the data was published for professional self-presentation.
Leisure Networks (Facebook, Instagram, TikTok): The expectation of privacy prevails. Screening is impermissible, and HR must not send friend or follow requests to gain access to private profiles.
The Compliance Trap (Art. 14 GDPR):
Whenever you collect data about the applicant from a source other than the applicant, you must inform them of it. Secretly googling a candidate and using what you find is a violation.
Solution: Include a clause in your applicant privacy notice stating that "job-related public sources" will be checked, and name the source categories.
E. Sanction Lists
EU sanctions regulations prohibit making funds available to persons on the EU terror and sanction lists, and a salary counts as funds. Screening applicants against the EU consolidated sanction list is therefore recognized as a legitimate interest.
Process Hygiene: Deletion Deadlines & Documentation
Legal certainty comes not only from the "what" but above all from the "how."
Documentation without Discrimination: If a rejected applicant sues under the General Equal Treatment Act (AGG) or files an access request (Art. 15 GDPR), your records must be clean. Avoid subjective notes ("looks old," "probably planning a family"). Document only facts ("qualification could not be verified").
Deletion Deadlines: Data of rejected candidates must not be kept indefinitely. The standard retention period is 3 to 6 months after rejection; this covers the two-month period in which AGG claims must be asserted plus time for any resulting litigation.
Talent Pool: If you wish to retain candidates longer (e.g. 12 to 24 months), you need separate, genuinely voluntary consent that the candidate can withdraw at any time.
How Indicium Provides Security (The "Clean Room")
Many employers shy away from checks because they fear mistakes. Manual research carries the risk of inadvertently seeing protected data (e.g. a photo suggesting pregnancy or religious affiliation). Once seen, it cannot be "unseen," and you are exposed to a discrimination claim.
Here, Indicium acts as your strategic "clean room":
Filter Function: The software checks the sources but filters out legally critical information. You only see the sanitized result (e.g. "degree verified").
Automated Necessity: The system permits only the checks that have been pre-configured for the specific job category, enforcing the relevance test of § 26 BDSG.
Transparency Guarantee: The information obligations toward the candidate (Art. 13 and 14 GDPR) are fulfilled automatically.
Checklist for Practice (Legality Matrix)
Print out this overview to navigate safely in your daily routine:

| Type of Check | Legal Basis | Permissibility & Condition | Your Practice Recommendation |
|---|---|---|---|
| Resume | § 26 BDSG | ✅ High. Basis for every hire. | Implement a standard process. |
| Original Certificates | § 26 BDSG | ✅ High. Presented by the applicant. | Verify authenticity, or have it verified. |
| References (former employer) | Consent | ⚠️ Moderate. Only with explicit consent. | Ask: "Whom may we contact?" |
| LinkedIn / Xing | § 26 BDSG | ✅ High. Professional context. | Permissible, but observe the information duty (Art. 14 GDPR). |
| Instagram / Facebook | None | ⛔ Impermissible. Private sphere. | Hands off. No friend requests. |
| Certificate of Conduct | § 26 BDSG | 🟡 Conditional. Only with job relevance. | Review only; do not store a copy. |
| Creditworthiness | § 26 BDSG | 🟡 Conditional. Only with financial risk. | Request a self-disclosure from the applicant. |
| Sanction Lists (EU) | Art. 6(1)(f) GDPR | ✅ High. Compliance interest. | Include in the privacy notice. |
Conclusion: The Courage to Be Professional
A well-run pre-employment check is not a bureaucratic monster. It is an expression of professional management. By standardizing your validation processes, you protect your company from damage and your HR team from legal pitfalls. At the same time, you signal to applicants: "We operate fairly, transparently, and securely."
Use the opportunities the GDPR offers instead of fearing them.
Would you like to audit your processes?
Let us look together at which check levels are necessary and permissible for your open positions.
Disclaimer: This guide serves as general information and orientation based on the current legal situation. It does not replace individual legal advice from a lawyer or data protection officer.
"The legal requirements for employers in Europe are high, which is precisely why software that addresses these challenges is necessary."
Nabil el Berr, CEO