Pre-Employment Screening & Data Privacy: What is permitted?

- Pre-employment screening involves verifying applicant data during the selection process.
- Permitted sources: professional networks such as Xing and LinkedIn; not permitted: private networks such as Facebook.
- Data processing is only permitted with a legal basis or the applicant's consent in accordance with GDPR/BDSG.
- Individual assessment required: data protection regulations vary depending on the position and the principle of proportionality.
- Transparent processes and proactive communication can reduce the need for extensive background checks.
In human resources, data protection begins the moment you start searching for suitable candidates for an open position. To find the perfect fit, employers collect a wide range of information about applicants. This helps minimize the risk of a bad hire while saving time and money. While submitted application documents and personal interviews are the traditional methods of gathering information, searching for candidates online, on social media, or checking with previous employers are also common sources. But what is actually permitted under data protection laws? How far can you go without violating your applicants' personal rights? We have prepared the answers to these questions for you.
What is pre-employment screening?
Pre-employment screening is a term from the modern workplace that refers to the process of vetting candidates during the recruitment phase. This is also known as a background check. During this process, submitted application documents are scrutinized and verified for accuracy. In addition to public sources like the internet, databases containing information on criminal records may also be used for identity verification.
HR professionals use a wealth of information when researching online: on one hand, there is data that applicants have posted themselves, such as their own websites or profiles on social networks. On the other hand, there is a vast amount of information generated by third parties, such as journalists. Strictly speaking, comments and reviews on any rating portal also provide information about the respective applicant.
When is pre-employment screening permitted under the GDPR?
According to Art. 4 (1) of the GDPR, any researched and processed information that allows for the identification of an individual is considered personal data. Consequently, many of the types of information collected during pre-employment screening are subject to GDPR regulations.
Furthermore, data from your applicants may only be collected if there is a legal basis for doing so. The collection and processing of personal data is lawful, for example, if the data subject has given their consent. Under Section 26 (2) of the German Federal Data Protection Act (BDSG), the principle of voluntariness applies. From a legal perspective, however, such voluntariness is generally not assumed in pre-employment screening. This is due to the power imbalance between the applicant and the employer. Applicants may fear that refusing consent could disadvantage them in the recruitment process, which contradicts the requirement of voluntariness.
One way to achieve legitimate data collection and processing is if it is necessary for the establishment of an employment relationship. The arguments and legal foundations for this must always be developed and weighed individually for different positions within the company. Therefore, rules for background checks cannot be applied uniformly to all applicants but require a nuanced approach.
4 tips for companies conducting applicant checks
We understand that you want to fill open positions in your company with the best possible candidate. To ensure your pre-employment screening complies with data protection regulations, please consider the following 4 tips:
Tip 1: Define the data to be collected during the applicant check
To clarify which data may be researched during applicant screening, there is a simple piece of advice: you are already familiar with the scope and limitations of questioning from job interviews, as governed by the General Act on Equal Treatment (AGG). In short, questions that are not permitted in a job interview may not be answered through independent research either.
Tip 2: Distinguish between information sources
When checking applicants, separate the private from the professional. Be aware that career-oriented portals like Xing or LinkedIn are generally accessible for research purposes. Researching private networks like Facebook or Instagram, however, is not permitted.
Tip 3: Establish transparent processes
If you plan to use applicant screening in addition to your selection process, review and update all your procedures to ensure GDPR compliance. Provide information on your data processing obligations, just as you do for other processes within your company.
Tip 4: Actively ask for additional information
If the documents submitted by your applicants do not provide a complete and reliable picture, actively ask for additional proof. This also helps build a respectful and open relationship with your potential new employees. Job interviews and assessment centers are also designed to provide a clear picture of the applicant. Consider how you can use these tools more effectively. This will limit the perceived need to conduct extensive background checks.
Pre-employment screening during the recruitment process is restricted by the GDPR and the BDSG. Compliance with data protection regulations requires an assessment of proportionality to protect the privacy of applicants. At the same time, we recommend evaluating and assessing the applicant check as individually as possible for each specific position.
Do you have further questions on this topic? Our experts will be happy to advise you free of charge.




.avif)








