Welcome to the Workplace Blog!

In this blog we write about topics from the workplace law and HR world: we discuss important court decisions and planned legislation, give practical tips and share experiences from our daily working life with you…

The team appreciates your comments and feedback. We are looking forward to a lively exchange!

Your PWWL editorial team


Lawfulness of Pre-Employment Screenings under Data Protection Law


Introduction

It is becoming increasingly common for employers to carry out their own pre-employment screenings or background checks before selecting applicants. This involves checking the background of one or more candidates. As part of this background check, the applicant’s identity, involvement in competing companies, presence on social media and financial circumstances are regularly examined. In most cases, pre-employment screening serves to protect the company (know-how, property, etc.) and fulfills compliance requirements. 

Independent investigations are the order of the day in other countries. In Germany, it is not questioned that employers pursue interests worthy of protection in protecting the company, but the issue is regularly raised as to what extent the processing of applicant data is permissible in the context of these investigations. Data protection compliance must be kept in mind here.

General Principle

It must be ensured that any processing of personal data is based on a legal permission. For the processing of applicant data, both effective consent by the applicant and legal permissions can be considered.

Consent to the Processing of Applicant Data?

Consent under data protection law is regulated in Art. 4 No. 11 GDPR and Art. 7 GDPR. To be effective, consent must be given voluntarily, in an informed manner, unambiguously and for a specific case (Art. 4 No. 11 GDPR). Pursuant to Art. 7 (1) GDPR, any doubts as to whether the requirements are met shall be the responsibility of the data processor. In the context of the processing of applicant data, the voluntary nature of consent can hardly be assumed. Although there are no clear legal requirements as to the conditions under which consent is deemed to have been given voluntarily, the GDPR provides indications of this in its recitals (EC) 42 and 43 and in Art. 7 para. 4 GDPR.

According to EC 42 GDPR, consent to data processing is only to be regarded as voluntary if the data subject has a genuine or free choice and is therefore able to refuse or withdraw consent without suffering any disadvantages. EC 43 GDPR stipulates that consent is invalid in the event of a clear imbalance if, in view of all the circumstances in the individual case, it is unlikely that consent was given voluntarily.

Applicants regularly are in a vulnerable situation. Unlike in an ongoing employment relationship, there are hardly any protective regulations in their favor. They are heavily dependent on the goodwill of the potential employer. Voluntariness in the legal sense can therefore as a rule not be assumed. Furthermore, Art. 7 para. 4 GDPR prohibits so-called coupled transactions: consent cannot serve as a justification for data processing if it is made a condition for the conclusion of the employment contract. 

It is therefore advisable to base data processing in the context of a background check not on consent, but on a legal permission.

Legal Basis for the Processing of Applicant Data

Art. 6 para. 1 subpara. 1 lit. f GDPR forms a legal permission for data processing. Based on the judgment of the ECJ of March 30, 2023 in case C-34/21, it can be assumed that Section 26 (1) sentence 1 BDSG, the corresponding basis under German law, does not comply with European law. However, due to the similarity of both permission standards, it is irrelevant on which of the two permission standards the processing is based. In both cases, the controller must pursue a legitimate objective regarding the processing and the processing must be suitable, necessary and appropriate to achieve this objective.

The employer must be able to formulate and substantiate the legitimate objective pursued by carrying out pre-employment screening. A legitimate interest exists, for example, in verifying the professional suitability, professional experience and reliability of applicants applying for positions whose holders have access to particularly sensitive information, have an influence on strategic decisions or are important for maintaining information security.

Any processing of data that allows conclusions to be drawn about the applicant’s professional suitability, experience and reliability is suitable for achieving this legitimate objective. Processing is necessary if there are no equally effective but less intrusive means of interfering with the personal rights of applicants. In this context, the direct collection of data from applicants should be considered, although this is not always equally effective. For example, applicants can conceal information or make incorrect statements. Even the submission of forged certificates or other proof of qualifications occurs in practice. The employer therefore also has an interest in verifying the accuracy of the information provided in the case of a direct survey. The appropriateness of this depends on the degree of interest in processing the respective data and the weight of the applicant’s personal rights. In general, however, it can be stated that the employer may learn everything that it legitimately wishes to learn in the course of filling the position.

Information of the Applicants in Accordance with Art. 13, 14 GDPR

Data processing must not only be justified, but also transparent. The principle of transparency permeates the GDPR. Applicants must be informed prior to data processing in accordance with Art. 13, 14 GDPR. Para. 1 of the provisions contains mandatory information, while para. 2 contains information that only needs to be provided if it is necessary. However, this is usually the case. If a service provider carries out pre-employment screening, the information must be supplemented accordingly. If the service provider is located in a non-EU country, the level of data protection under EU law must be ensured. This requires either an adequacy decision by the EU Commission in accordance with Art. 45 GDPR, as is the case for the United Kingdom and to a limited extent for Canada, among others, or suitable guarantees by the processor in accordance with Art. 46 GDPR.

The following information must be provided:

  • the name and contact details of the controller and, if applicable, his representative,
  • additionally the contact details of the data protection officer,
  • the purposes for which the personal data are to be processed and the legal basis for the processing,
  • the recipients or categories of recipients of the personal data,
  • the duration for which the personal data will be stored,
  • the existence of a right of access to the personal data concerned and a right to rectification or erasure or restriction of processing or a right to object to processing and the right to data portability,
  • if the processing is based on consent, the right to withdraw consent at any time with effect from the time of withdrawal,
  • whether the provision of personal data is required by law or contract or is necessary for the conclusion of a contract, whether the applicant is obliged to provide the data and the possible consequences of failure to provide the data,
  • the existence of automated decision-making, including profiling.

Only with regard to personal data collected from third parties must information be provided about

  • the categories of personal data that are processed,
  • if the processing is based on Art. 6 para. 1 subpara. 1 lit. f GDPR, the legitimate interests pursued by the controller or by a third party and
  • the sources from which the personal data originate and, if applicable, whether they originate from publicly accessible sources.

In addition, reference must be made to the right to object under Art. 21 GDPR.

Examples of data processing in the context of pre-employment screening

Every request for information by the employer must be based on a legally protected interest, which must outweigh the personal rights of the applicant in each individual case. Particularly in the case of extensive interference, no general statements can be made in this regard. The justification of the interference depends largely on the requirements of the position to be filled.

Subject to an assessment in the individual case, it can be said in principle that the following information may be collected in the course of filling a sensitive position:

The applicant’s master data, in particular contact details, may be processed. It is also permissible to process data on education, career, further training and job-related knowledge. It is also permitted to check the accuracy and authenticity of the content of relevant certificates.

In addition, it is permissible to check for conflicts of interest if the employer has a legitimate interest in filling the position with a person who is free from conflicts of interest. This may include the question of secondary employment with a competitor as well as the question of a significant shareholding in a competitor.

It is more difficult to justify, for instance, questions about financial circumstances or previous violations of criminal laws in the area of property offenses and white-collar crime. Here, the employer must be able to justify thoroughly why it wishes to obtain this sensitive information.

The same applies to research in social networks. A distinction is predominantly made here between professionally oriented networks and entertainment-oriented networks. This is justified by the fact that the applicant prepares and provides data in professionally-oriented networks in order to attract the attention of potential employers. However, the employer will generally have no legitimate interest in collecting data in entertainment-oriented social networks.

Risk of Claims for Damages and Administrative Fines

If the employer collects data without being able to justify this with an outweighing protected interest, the processing would be unlawful. There is a risk of claims for damages by the applicant under Art. 82 GDPR and measures by the supervisory authorities, including fines under Art. 83 GDPR.

Conclusion

From a legal perspective, the employer may process all data required to fill the position with the most suitable candidate. However, a sense of proportion must be exercised when determining what is necessary. Minor interference with the applicant’s personal rights is generally possible if it serves to obtain information that is relevant to the decision. In the case of more serious interference with personal rights, it must be possible to justify why the employer’s interest in information outweighs the applicant’s personal rights with regard to the data in question. The employer’s argumentation must relate to the specific job profile.

Dr. Michael Witteler

Dr. Michael Witteler specializes in data protection law matters at the interface of employment law and data protection. He is Head of PWWL’s Data & Privacy Practice Group.
