The Compliance Compass: Your Guide to Legally Secure Pre-Employment Checks
In a globalized economy, trust is good, validation is better. But you're aware of the dilemma facing German employers: On one hand, you want to ensure the integrity of new employees (Duty of Care) to protect your company from fraud and reputational damage. On the other hand, the GDPR and German labor law provide one of the strictest frameworks in the world.
Do you sometimes feel paralyzed in this area of tension? The fear of fines or bad press often leads to necessary checks not being carried out – or, even riskier, "secret" Googling takes place. Neither is a strategy for professional risk management.
This guide is your navigation tool. We translate the complex legal situation into a clear action guide for you. Because data protection isn't a prohibition sign, it's a quality framework. Once you know the rules, compliance becomes a competitive advantage rather than an obstacle.

The Foundation: Necessity Over Consent
To understand what is permissible, you need to let go of one idea: that a candidate's signature (“Consent Form”) opens all doors. In labor law, these consents are often worthless. Why? Because courts assume the applicant wants the job and thus acts under duress – the legal requirement of "voluntariness" is often missing.
The real enabler for your checks is § 26 para. 1 BDSG.
This provision allows you to process data when it's necessary for making decisions regarding the employment relationship.
The magic word is Relevance.
Is it relevant for a cashier to know if they have a theft conviction? Yes. (Asset protection).
Is it relevant for a warehouse worker to know their credit rating? No. (No relation to the job).
A modern background check isn't a "dragnet", but a precision tool that examines only job-relevant risks.
The Modules in Practice Check: What Are You Allowed to Do?
Based on current practice by supervisory authorities, you can clearly categorize the areas of examination:
A. Education & Employment (The “Resume Fraud”)
Resumes are increasingly being "optimized". Since professional suitability is the core criterion, § 26 BDSG fully covers validation.
Your Approach: You may request and verify original documents.
Pro Tip: Use the "anabin" database for foreign degrees. Since only the status of the institution is checked here, it is unproblematic from a data protection perspective.
Warning: Don't call the university without the applicant's knowledge. Obtain explicit approval for this.
B. Criminal Records
What is standard in the USA is the exception here. You have no direct access to the Federal Central Register.
When Permissible? Only with direct relevance (e.g., work with minors, money transport, security, sensitive infrastructure).
Important: Never permanently store a copy in the personnel file (violation of Article 10 GDPR).
Best Practice: Make a note: “Criminal record dated [date] was presented. No relevant entries.” This suffices for documentation purposes.
C. Financial Integrity (Creditworthiness & Insolvency)
Finances are a private matter. Debts say nothing about work ethic.
The Exception: Positions with significant financial responsibility (CFO, authorized signatory). Here your legitimate interest in preventing damage takes precedence.
The Process: Request a self-disclosure and allow the candidate to redact irrelevant data (e.g., mobile contracts).
D. Social Media & Internet (Separation of Spheres)
Are you allowed to "Google" candidates? The answer is a clear “yes and no”. Strictly distinguish:
Career-focused Networks (LinkedIn, Xing): You can research here (§ 26 BDSG) as the data serve professional representation.
Leisure-oriented Networks (Facebook, Insta, TikTok): There's an expectation of privacy here. Screening is inadmissible. HR friend requests are taboo.
The Compliance Trap (Article 14 GDPR):
If you use data from the Internet, you must inform the applicant. Secretly Googling and using the info constitutes a violation.
Solution: Include a clause in your privacy policy stating that “professionally relevant public sources” are checked.
E. Sanctions Lists
You must not make payments to individuals on EU terror lists. A check against EU sanctions lists is now recognized as a legitimate interest.
Process Hygiene: Deletion Deadlines & Documentation
Legal certainty arises not just from the "what", but above all from the "how".
Documentation Without Discrimination: If a rejected applicant sues (AGG) or requests information, your records must be clean. Avoid subjective notes (“looks old”, “probably planning a family”). Document only facts (“qualification not verified”).
Deletion Deadlines: You must not store data from rejected applicants indefinitely. Standard period: 3 to 6 months after rejection.
Talent Pool: If you wish to retain candidates in a pool for longer (e.g., 12-24 months), you must obtain a separate, voluntary consent.
How Indicium Provides Security (The “Clean Room”)
Many shy away from checks because they fear making mistakes. Manual research carries the risk of accidentally seeing protected data (e.g., a photo indicating pregnancy or religion). Once seen, you cannot "unsee" this knowledge – making you vulnerable.
Here, Indicium acts as your strategic “Clean Room”:
Filter Function: The software checks sources but filters out legally critical information. You only see the sanitized result (e.g., “degree verified”).
Automated Necessity: The system only allows checks that have been pre-configured for the respective job category.
Transparency Guarantee: The information obligations towards the candidate are automatically fulfilled.
Checklist for Practice (Admissibility Matrix)
Print out this overview to navigate safely in everyday life:
| Type of Check | Legal Basis | Permissibility & Condition | Your Practice Recommendation |
|---|---|---|---|
| Resume | § 26 BDSG | ✅ High. Basis of every hiring. | Establish a standard process. |
| Original Certificates | § 26 BDSG | ✅ High. Submission by the applicant. | Check or have checked for authenticity. |
| References (Ex-Employer) | Consent | ⚠️ Medium. Only with explicit consent. | Ask: “Whom may we contact?” |
| LinkedIn / Xing | § 26 BDSG | ✅ High. Business context. | Permissible, but observe information duty. |
| Instagram / FB | - | ⛔ Not permissible. Privacy. | Stay away. No friend requests. |
| Criminal Record | § 26 BDSG | 🟡 Conditional. Only if relevant. | View only, do not store a copy. |
| Creditworthiness | § 26 BDSG | 🟡 Conditional. Only when financial risk involved. | Request self-disclosure from applicant. |
| Sanctions Lists (EU) | Art. 6 para. 1 lit. f GDPR | ✅ High. Compliance interest. | Include in privacy notices. |
Conclusion: Embrace Professionalism
A thorough pre-employment check is not a bureaucratic monster. It is an expression of your professional management. By standardizing validation processes, you protect your company from harm and your HR team from legal missteps. At the same time, you signal to applicants: "We operate fairly, transparently, and securely."
Use the opportunities of the GDPR, rather than fearing them.
Would you like to audit your processes?
Let's review together what level of inspection is necessary and permissible for your open positions.
Disclaimer: This guide serves as general information and orientation based on the current legal situation. It doesn’t replace individual legal advice from a lawyer or data protection officer.
"The legal requirements for employers in Europe are high, which is precisely why software that addresses these challenges is necessary."
Nabil el Berr, CEO
Frequently Asked Questions
What can employers in Germany check during pre-employment screenings?
Employers in Germany are permitted to verify job-relevant information necessary for establishing the employment relationship (§ 26 BDSG). These include identity verification, validation of educational qualifications and certificates, employment history verification, sanctions list screening, and, for justified reasons, credit checks or a criminal record check. Not allowed are: searches on private social media profiles, inquiries about health, religion, pregnancy, or family planning, and monitoring measures without a specific cause.
Which legal bases apply to pre-employment checks in the DACH region?
The key legal bases are: in Germany § 26 BDSG (data protection for employees) in conjunction with Art. 6 para. 1 lit. b and lit. f GDPR. In Austria § 11 DSG in conjunction with the GDPR. In Switzerland, the revised Data Protection Act (revDSG) since September 2023. Additionally, sector-specific regulations apply, such as the GwG (Money Laundering Act), KWG (Banking Act), and MaRisk for the financial sector.
Is consent required for background checks?
While consent from the candidate is not always the mandatory legal basis (in cases of job-related necessity, § 26 BDSG applies), it is highly recommended as a best practice. It provides transparency, documents the candidate's awareness, and reduces legal vulnerability. Consent must be voluntary, informed, and specific — and candidates must know which screenings will be conducted. Indicium integrates a digital consent management directly into the screening process.
How long can results from pre-employment checks be retained?
The GDPR mandates data minimization and storage limitation. Upon hiring, relevant results may be stored in the personnel file — the retention period depends on the purpose and generally lasts for the duration of the employment plus statutory retention periods. If an application is rejected, the data must be deleted promptly — at the latest after 6 months (period for AGG claims in Germany). Professional screening platforms automate these deletion deadlines.