Considering the increased EU regulatory focus on conducting background checks, organizations might need to (re)consider whether they lawfully screen job candidates. Leaving this part of your regulatory compliance program on the back burner creates risks of enforcement, individual claims, and negative PR.
As an example, in 2022, Spain’s data protection authority (DPA) imposed a EUR 2 million fine for the collection of criminal conviction certificates without a legal basis under Spanish law. The DPA found that such certificates of good conduct (i.e., documents showing the absence of a criminal record) contained personal data related to criminal convictions and offenses within the meaning of Article 10 of the EU General Data Protection Regulation (GDPR). Accordingly, the information should not have been processed unless authorized by law, and Spanish law did not contain such an authorization. Similarly, just this past September, the French DPA sanctioned a company for, among other things, excessive data collection in the context of an internal recruitment process and consulting employees’ criminal records without a legal basis under Article 10 GDPR. A few months earlier, the Italian DPA also imposed a fine for the processing of criminal record checks without a lawful legal basis.
Background checks are a common practice and form a critical part of almost every recruitment process. Organizations tend to conduct various background checks, the most standard being verification of past employment, education, professional licenses, permits and certifications, and references, and even reviews of publicly available sanctions and watchlists. Criminal history checks are also often relied on, although they are mostly limited to a certificate or letter confirming a lack of criminal record or behavior, issued by the relevant EU Member State authorities. Sometimes the checks go further than that and can become quite intrusive, such as reviewing someone’s online activities and social media posts, or even asking questions about their gender, age, family, health, or religious and political affiliations.
What many organizations do not realize is that a myriad of legal restrictions are imposed on such processing activities. What is allowed or required varies by country. Europe, especially, is a part of the world where different laws (not only privacy, but also offender rehabilitation, labor, regulatory and other industry-specific rules) impose significant limitations on the types of background checks that are allowed, depending on each specific situation. Below we provide an overview of the key issues, risks, and takeaways.
What background checks should your organization be wary of?
Before conducting any background checks, an organization should determine, on a case-by-case basis, which checks are legally required, and which are permitted in each specific jurisdiction. The specific job role, any sector-related considerations, and the intended purpose of carrying out such checks should be carefully considered in each specific context. Organizations should be particularly mindful if they intend to conduct the following types of background checks:
- Employment gap checks: An organization needs to be able to justify why employment gap checks (including requests for supporting documents) are necessary to assess a candidate’s suitability for the intended position. There is an inherent danger that such checks could be regarded as excessive and intrusive. It may be possible to consider (i) limiting such requests to substantial gaps and (ii) only requiring documentation (rather than accepting candidates’ answers at face value) where there is an indication that the answers may not be accurate. This always needs to be assessed on a case-by-case basis.
- Credit checks: The type of financial/credit checks will vary according to the country and industry of the potential or current employer. In most instances, financial background checks should be limited to job candidates or employees whose position will require a high level of integrity, or where such checks are required by law. This might include, for example, regulated professionals and senior management personnel, or positions of trust that involve, for example, management of money and other financial assets.
- Adverse social media checks: In most cases, it will be difficult to justify the need to conduct social media checks for all job candidates. When conducting searches for public information contained on social media channels (possibly including candidates’ websites, blogs, vlogs, etc.), organizations should limit themselves to screening information contained on public professional websites (such as LinkedIn) and not personal social media accounts (such as Instagram, X, or Facebook). Even if candidates’ accounts or specific posts are publicly available, it will likely not be justifiable for organizations to screen personal online life. Moreover, organizations should only collect and process personal information to the extent that the collection is necessary and relevant to the performance of each specific job role. Organizations conducting such checks should also be careful not to breach social media providers’ terms of service, which often prohibit unauthorized collection of social media information by automated means (such as via harvesting bots and scrapers).
- Sanctions / watchlists checks: The lawfulness of consulting sanctions / watchlists needs to be assessed for each applicable list. In certain countries, such checks will qualify as processing of criminal offense information. The result of this assessment will vary by country and depends on the type of information included on each list, which will differ according to sanctions, financial compliance and enforcement, terrorism, and corruption checks. For example, checks of certain sanctions lists should arguably not constitute processing of criminal offense information because individuals could be placed on those lists for violating a civil norm, not because they are accused or convicted of a crime.
What are key legal issues when conducting background checks?
The rules regarding the legality and scope of background checks vary by jurisdiction. In some countries (such as the United States) organizations can conduct more extensive checks than in others (such as most EU Member States).
- National laws and sector-specific requirements: From a privacy perspective, the EU and UK GDPR provide a degree of harmonization in respect of how organizations should conduct background checks (as discussed below). However, differences in other related areas of national law, such as employment and financial industry regulations, either limit or extend the scope of checks that an organization may perform across jurisdictions to a varying degree. In other words, it is important to find out what is allowed in each jurisdiction.
An organization may be legally required to scrutinize prospective employees more closely in regulated sectors. For example, in the UK, certain financial institutions may be required to perform additional checks on candidates who will be carrying out controlled functions relating to a regulated activity, such as those who advise on or arrange mortgages or other investments, deal with insurance contracts, or provide financial advice. Similarly, in Germany, credit institutions and insurance organizations are required to satisfy the federal financial regulator’s requirement that their management board executives must be “fit and proper” persons.
Furthermore, national laws may permit employers, in limited circumstances, to request more intrusive checks, such as pre-employment drug and alcohol screenings. For example, where the job role entails potential safety risks to others, such as operating heavy machinery, driving vehicles, or handling hazardous products, candidates may be required to undergo drug testing to verify that they are medically capable of performing the work safely. However, such checks are unlikely to be justifiable for most job roles. For example, it would not likely be appropriate to conduct that type of testing for customer service and basic administrative roles.
- Privacy and data protection considerations: The GDPR does not prohibit background checks, but it does include provisions that will influence how to conduct them. Below are key considerations:
- Criminal convictions and offenses: If background checks involve the processing of “personal data related to criminal convictions and offenses” (under Article 10 GDPR), an organization must have both (i) a lawful legal basis for the processing under Article 6 GDPR and (ii) a legal or official authority to conduct the processing (authorized by EU or Member State law) under Article 10 GDPR. In other words, if the processing of certain criminal offense information is not specifically permitted by EU or EU Member State law, those types of background checks will be deemed to be unlawful. As noted above, regulatory enforcement on this topic emphasizes the critical need for organizations to identify, on a case-by-case basis, whether they can lawfully process criminal offense information (including certificates of good conduct and the like) in each relevant jurisdiction.
- Proportionality and data minimization: Any personal information sought (including via third-party service providers) should be strictly limited to what is necessary to determine whether a candidate is a good fit for the open position. Organizations should carefully consider what is required to assess whether a candidate is suitable and avoid casting the net too wide. Such an approach also serves to limit the risk of subsequent discrimination claims by candidates that may be brought if the organization looks too deeply into a candidate’s life and obtains information that is irrelevant for the job.
- Third-party service providers: An organization should determine whether a third-party service provider will act as a data controller or processor when performing background checks. This is a critical question when negotiating contracts with service providers, and will often vary among providers, depending on the nature and scope of services provided. As the GDPR sets out very specific requirements in this context, it is particularly important to ensure that appropriate contractual protections are in place before conducting any background checks. An organization should also be careful to limit the amount of information sent back to it by third-party service providers to what is relevant and necessary to accomplish its objectives. For example, a binary search result (whether a candidate passed or did not pass the background check) should be adequate for the organization’s hiring purposes. Such a minimalist approach may also reduce the risk of subsequent privacy or discrimination actions being brought by candidates.
- Additional documentation: In some countries, an organization may also be required to have additional documentation in place to process certain information. For example, in the UK, an Appropriate Policy Document is required to conduct criminal background checks. In other countries, such as the Netherlands, certain third-party service providers (such as detective agencies and private security organizations) may be required to have a specific permit to conduct checks on an organization’s behalf.
Depending on the type of background checks, a Data Protection Impact Assessment (DPIA) might also be needed where such processing is likely to result in a high risk to individuals, as is the case for criminal background checks. If in doubt as to whether a DPIA is necessary, an organization should complete a DPIA as a fail-safe measure. Additional points of attention are (i) a Legitimate Interests Assessment (LIA), when relying on a legitimate interest to conduct certain checks; and (ii) Article 30 GDPR records of processing activities, which need to be regularly kept up to date.
What steps should you consider for limiting liabilities?
Before undertaking any new or existing background checks, an organization should:
- Identify the nature and determine the appropriate scope of the background checks that the organization is currently undertaking or proposing to conduct.
- Determine, on a case-by-case basis, which background checks are required; consider the specific job role, any sector-specific considerations, and the intended purpose for carrying out such checks.
- Determine whether the background checks are permitted by applicable local law and identify relevant legal requirements and restrictions, which will likely vary per jurisdiction.
- Determine whether the organization is subject to any additional regulatory requirements which may require certain types of background checks.
- Ensure that any personal information sought is strictly limited to what is necessary for the organization’s specific purposes.
- Document the reasons for collecting information so the organization can justify its policies and decision-making when needed.
- Determine the legal basis for processing the personal information; if legitimate interests are relied on as the basis for the processing, the organization will need to have a written LIA in place.
- Determine whether there is any relevant law allowing processing of data about criminal convictions and offenses, considering the context and purposes for the processing.
- Provide a separate background check privacy notice to candidates prior to conducting the checks that clearly explains (i) why the organization is carrying out the checks, (ii) the legal basis for processing the collected personal information, (iii) where the organization obtains the personal information, and (iv) whether and with whom the organization will share the personal information. The notice must also cover all other transparency requirements of Articles 13 and 14 of the GDPR (including information on data retention, transfers, and individuals’ rights). Note that a background check notice should be separate from a privacy notice directed at job candidates who were not offered the position.
- Conduct background checks during the last stages of the recruitment process and limit the number of background checks conducted to potentially successful candidates only.
- Delete personal information collected after it becomes clear that an offer of employment was rejected or a candidate has failed the background check, unless otherwise required by applicable law.
- Identify any third-party service providers with whom the organization will share personal information, define the nature of the data controller or processor relationship in writing and include the scope of proper instructions.
- Provide regular training to relevant stakeholders that focuses on how to perform the checks and defines the limitations for the use of collected information.
- Regularly review background check policies and procedures to ensure that they align with the organization’s current practices and evolving legal requirements. If the organization identifies any particularly sensitive and/or new background checks which have not previously been reviewed, the organization should undertake the steps listed above.
This may indeed sound and feel like a burdensome exercise. But if you want to limit the risk of potential complaints to regulators, possible regulatory attention, and all that comes with it, it would be prudent to proactively establish this background check process in line with local requirements of jurisdictions where your organization has personnel. The process can be phased in with various priorities, but at the end of the day, it may save everybody involved a whole lot of headaches down the line.
*An abbreviated version of this article, “It’s time to check your background checks,” was published by People Management on 1/16/2024.