Pre-Employment Screening & Data Privacy: What is permitted?

Last updated:
08.02.2022
Pre-employment screening is an attractive method for companies to make the applicant vetting process more effective. As an HR professional, you should be aware of the data protection regulations in place to ensure you remain on the safe side legally. Our tips are here to help you navigate this.
Pre-Employment Screening & Data Privacy: What is permitted?
Key Takeaways
  • Pre-employment screening involves verifying applicant data during the selection process.
  • Permitted sources: professional networks such as Xing and LinkedIn; not permitted: private networks such as Facebook.
  • Data processing is only permitted with a legal basis or the applicant's consent in accordance with GDPR/BDSG.
  • Individual assessment required: data protection regulations vary depending on the position and the principle of proportionality.
  • Transparent processes and proactive communication can reduce the need for extensive background checks.

In human resources, data protection begins the moment you start searching for suitable candidates for an open position. To find the perfect fit, employers collect a wide range of information about applicants. This helps minimize the risk of a bad hire while saving time and money. While submitted application documents and personal interviews are the traditional methods of gathering information, searching for candidates online, on social media, or checking with previous employers are also common sources. But what is actually permitted under data protection laws? How far can you go without violating your applicants' personal rights? We have prepared the answers to these questions for you.

What is pre-employment screening?

Pre-employment screening is a term from the modern workplace that refers to the process of vetting candidates during the recruitment phase. This is also known as a background check. During this process, submitted application documents are scrutinized and verified for accuracy. In addition to public sources like the internet, databases containing information on criminal records may also be used for identity verification.

HR professionals use a wealth of information when researching online: on one hand, there is data that applicants have posted themselves, such as their own websites or profiles on social networks. On the other hand, there is a vast amount of information generated by third parties, such as journalists. Strictly speaking, comments and reviews on any rating portal also provide information about the respective applicant. 

When is pre-employment screening permitted under the GDPR?

According to Art. 4 (1) of the GDPR, any researched and processed information that allows for the identification of an individual is considered personal data. Consequently, many of the types of information collected during pre-employment screening are subject to GDPR regulations.

Furthermore, data from your applicants may only be collected if there is a legal basis for doing so. The collection and processing of personal data is lawful, for example, if the data subject has given their consent. Under Section 26 (2) of the German Federal Data Protection Act (BDSG), the principle of voluntariness applies. From a legal perspective, however, such voluntariness is generally not assumed in pre-employment screening. This is due to the power imbalance between the applicant and the employer. Applicants may fear that refusing consent could disadvantage them in the recruitment process, which contradicts the requirement of voluntariness.

One way to achieve legitimate data collection and processing is if it is necessary for the establishment of an employment relationship. The arguments and legal foundations for this must always be developed and weighed individually for different positions within the company. Therefore, rules for background checks cannot be applied uniformly to all applicants but require a nuanced approach.

4 tips for companies conducting applicant checks

We understand that you want to fill open positions in your company with the best possible candidate. To ensure your pre-employment screening complies with data protection regulations, please consider the following 4 tips: 

Tip 1: Define the data to be collected during the applicant check

To clarify which data may be researched during applicant screening, there is a simple piece of advice: you are already familiar with the scope and limitations of questioning from job interviews, as governed by the General Act on Equal Treatment (AGG). In short, questions that are not permitted in a job interview may not be answered through independent research either.

Tip 2: Distinguish between information sources

When checking applicants, separate the private from the professional. Be aware that career-oriented portals like Xing or LinkedIn are generally accessible for research purposes. Researching private networks like Facebook or Instagram, however, is not permitted.

Tip 3: Establish transparent processes

If you plan to use applicant screening in addition to your selection process, review and update all your procedures to ensure GDPR compliance. Provide information on your data processing obligations, just as you do for other processes within your company.

Tip 4: Actively ask for additional information

If the documents submitted by your applicants do not provide a complete and reliable picture, actively ask for additional proof. This also helps build a respectful and open relationship with your potential new employees. Job interviews and assessment centers are also designed to provide a clear picture of the applicant. Consider how you can use these tools more effectively. This will limit the perceived need to conduct extensive background checks.


Pre-employment screening during the recruitment process is restricted by the GDPR and the BDSG. Compliance with data protection regulations requires an assessment of proportionality to protect the privacy of applicants. At the same time, we recommend evaluating and assessing the applicant check as individually as possible for each specific position.

Do you have further questions on this topic? Our experts will be happy to advise you free of charge.

If you're looking for a partner to support you on your journey to data protection and information security, feel free to contact our team of experienced experts.
60+ Expertinnen und Experten
Book a consultation
Topics
Editorial
Alexander Ingelheim
Co-Founder & CEO
Alexander Ingelheim is Co-founder and CEO of Proliance. His driving force from day one has been to support companies with the hurdles and challenges of data protection and GDPR. He brings extensive experience from his work in international consulting, including positions at Bregal Unternehmerkapital GmbH and McKinsey & Company. He is also a certified Data Protection Officer (TÜV & DEKRA).
Zum Autorenprofil
Zum Expertenprofil
About Proliance
Proliance stands for Professional Compliance for businesses. We are a digitally driven Legal Tech company based in Munich, established in 2017 and now with over 90 privacy enthusiasts. Our more than 2,500 clients include start-ups, medium-sized businesses, and corporate groups from almost all industries.
About us
Latest Articles

Topics you might be interested in