
GDPR and background checks: what compliance actually requires

Employment screening is lawful under GDPR, but only when you meet specific requirements around legal basis, data minimisation, transparency, and retention. This guide covers what the regulation actually says, how it applies to background verification programmes, and where employers most commonly get it wrong.

Reading time: 12 minutes. Audience: TPRM, Compliance, Procurement. Last updated: April 2026.

Key takeaways

  • GDPR permits employment background checks. The regulation does not prohibit screening, but it imposes specific conditions.
  • Legitimate interest (Art. 6(1)(f)) is the most common and practical lawful basis for employment screening. Consent is rarely appropriate.
  • Criminal record checks fall under Article 10 and require explicit national law authorisation. Rules vary significantly across EU member states.
  • Cross-border transfers need safeguards: Standard Contractual Clauses, adequacy decisions, or binding corporate rules when data leaves the EEA.

“The question is not whether you can screen. It is whether you can prove you screened lawfully.”
The compliance gap in employment screening

Can you run background checks under GDPR?

Yes. The General Data Protection Regulation does not prohibit employment background checks. Employers across the European Economic Area run pre-employment screening programmes every day, and the regulation provides multiple lawful bases for doing so. What GDPR does require is that you meet specific conditions before, during, and after the screening process.

The core framework sits in Article 6, which lists six lawful bases for processing personal data. Three of these are relevant to employment screening: legitimate interest, contractual necessity, and legal obligation. Each is covered in turn below.

What about consent? Article 6(1)(a) allows processing based on consent, but data protection authorities across Europe have consistently advised that consent is not appropriate for most employment screening. The reason: the power imbalance between employer and candidate means consent cannot be freely given. A candidate who knows that refusing consent will likely end their application cannot meaningfully "choose" to consent. The Article 29 Working Party (now the European Data Protection Board) addressed this directly in its guidelines on consent, noting that consent in employment contexts is almost never freely given.

The practical implication is straightforward. You can run background checks under GDPR. You need a documented lawful basis, you need to tell the candidate what you are doing and why, and you need to limit your data collection and retention to what is necessary for the purpose. The sections below cover each of these requirements in detail.

Choosing the right lawful basis is the first and most important compliance decision. Each basis carries different obligations and different risks.

Legitimate interest (Art. 6(1)(f)): most common

The employer identifies a legitimate interest (verifying credentials, protecting the organisation from fraud, ensuring workplace safety) and demonstrates that this interest is not overridden by the candidate's rights and freedoms. This requires a documented Legitimate Interest Assessment (LIA), sometimes called a balancing test. The LIA must identify the specific interest, explain why screening is necessary to achieve it, and assess the impact on the candidate.
When it works: Education verification, employment history checks, professional licence confirmation, reference checks. Works well when the check is proportionate to the role and you can demonstrate a clear link between the check type and the role requirements.
Contractual necessity (Art. 6(1)(b)): role-specific

This basis applies when background screening is genuinely necessary to enter into or perform the employment contract. The key word is "necessary": the check must be required for the contract to function, not merely useful or desirable. For example, verifying a professional licence for a role that legally requires that licence can fall under contractual necessity. Verifying a university degree for a role where the degree is listed as "preferred but not required" probably cannot.
Limitations: Narrow in scope. Data protection authorities interpret "necessary" strictly. You cannot bundle all screening under contractual necessity simply by adding a screening clause to the employment contract. The necessity must be objective, not contractual.
Legal obligation (Art. 6(1)(c)): regulated roles

Where national law mandates specific checks for certain roles, legal obligation provides the clearest and strongest basis. Examples include: fitness and propriety checks for financial services roles under MiFID II or national banking regulations, Disclosure and Barring Service (DBS) checks for roles involving children or vulnerable adults in the UK, and mandatory criminal record checks for security personnel in several EU member states.
When it works: Only where a specific, identifiable legal requirement exists. You must be able to point to the law, regulation, or binding rule that requires the check. "Industry best practice" is not a legal obligation.
Consent (Art. 6(1)(a)): avoid

Consent requires that the data subject freely, specifically, and unambiguously agrees to the processing. In an employment context, the candidate is not in a position to refuse without jeopardising their application. The European Data Protection Board has stated that the imbalance of power between employer and employee (or prospective employee) means consent is "unlikely to be a valid legal ground" for most employment-related processing. If you rely on consent and the candidate later withdraws it, you must stop processing and delete the data, which may be impractical mid-screening.
Risk: If a supervisory authority determines that consent was not freely given, your entire screening programme loses its lawful basis retroactively. All data processed under that consent may be treated as unlawfully processed. Use legitimate interest instead.

What GDPR requires for background checks

Beyond choosing a lawful basis, GDPR imposes six practical requirements that apply to every screening programme. These are not optional extras. They are conditions that must be met for the processing to be lawful.

1. Purpose limitation (Art. 5(1)(b))

You must define the specific purpose for each check type before you collect any data. "General due diligence" is not specific enough. The purpose must be tied to the role: verifying the candidate holds the professional qualification required for the position, confirming employment history to assess experience claims, or checking criminal records where the role involves financial responsibility. Each check type should have its own stated purpose, and data collected for one purpose cannot be repurposed for another without a new lawful basis.

2. Data minimisation (Art. 5(1)(c))

Collect only the data that is relevant and necessary for the specific checks you are running. A common failure: running the same comprehensive screening package for every role regardless of seniority or function. A junior administrative role does not require the same depth of screening as a CFO position. Your programme should define check types per role category, and each check should collect only the data points needed to complete it.

Over-collection (non-compliant)

  • Same 12-check package for every role, from intern to director
  • Requesting full financial history for roles with no financial responsibility
  • Collecting social media data without a specific, documented justification
  • Retaining copies of identity documents beyond the verification period

Proportionate collection (compliant)

  • Check types mapped to role categories based on risk and responsibility
  • Financial checks limited to roles with financial authority or fiduciary duty
  • Only data points directly relevant to each check type collected
  • Identity documents verified and then deleted or returned, not stored indefinitely

3. Transparency (Art. 13 and Art. 14)

You must inform the candidate about the screening before it begins. This means providing: what checks will be conducted, the lawful basis for each, who will process the data (including any third-party screening vendors), how long the data will be retained, the candidate's rights (access, rectification, erasure, objection), and contact details for the data protection officer. This information is typically delivered through a screening consent/notification form at the start of the hiring process.

4. Data retention limits (Art. 5(1)(e))

GDPR does not prescribe a specific retention period. Instead, Article 5(1)(e) requires that data be kept no longer than necessary for the purpose it was collected. For background check data, this means retaining results for hired candidates for the duration of employment plus a justified post-termination period, and deleting data for unsuccessful candidates within a defined, documented period after the hiring decision. Both periods belong in a written retention schedule that is applied consistently.

5. Data subject rights (Art. 15 to Art. 22)

Candidates have the right to access their screening data (Art. 15), request correction of inaccurate data (Art. 16), request erasure where the data is no longer necessary (Art. 17), and object to processing based on legitimate interest (Art. 21). Your screening programme must include a process for handling these requests within the one-month response deadline set by Article 12(3).

6. Data Protection Impact Assessment (Art. 35)

Article 35 requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms" of individuals. Employment screening at scale, particularly when it involves criminal records, financial data, or health-related information, will typically meet this threshold. The DPIA must describe the processing, assess necessity and proportionality, identify risks, and document the measures you are taking to mitigate those risks.

DPIAs are not optional for screening at scale
If you are screening more than a handful of candidates per year, you almost certainly need a DPIA. The UK ICO, France's CNIL, and Germany's data protection authorities have all indicated that systematic employment screening involving sensitive data categories triggers the DPIA requirement. Failing to conduct one does not just create compliance risk. It removes your ability to demonstrate accountability under Article 5(2).

Criminal record checks under GDPR

Criminal record data receives special protection under GDPR. Article 10 states that processing of personal data relating to criminal convictions and offences "shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards." This means you cannot simply run criminal checks on candidates because you want to. You need specific legal authorisation under the national law of the relevant member state.

The practical challenge is that these rules vary significantly across Europe.

No pan-European criminal database for private screening
There is no single EU-wide criminal record database accessible to private employers or screening vendors. The ECRIS (European Criminal Records Information System) facilitates information exchange between member states, but access is limited to judicial and law enforcement authorities. Private screening programmes must navigate each country's national system individually, which is why country-specific expertise matters more for criminal checks than for any other check type.

Cross-border data transfers in screening

Background screening frequently involves cross-border data flows. A UK-headquartered company screening candidates for its Polish office may use a screening vendor based in India to conduct the checks. The candidate's personal data crosses at least two borders: from Poland to the UK (intra-EEA, generally straightforward) and from the UK or Poland to India (international transfer, requiring safeguards).

GDPR Chapter V (Articles 44 to 49) governs international transfers. The three most relevant mechanisms for screening programmes are adequacy decisions by the European Commission (Art. 45), Standard Contractual Clauses (Art. 46(2)(c)), and binding corporate rules (Art. 47).

What this means for screening vendors
If your screening vendor operates from or sub-processes data in a country without an adequacy decision (India, Philippines, Vietnam, Indonesia, Mexico, Brazil, Colombia), you need SCCs in place between your organisation and the vendor (or between the vendor and its sub-processors). You also need a Transfer Impact Assessment documenting the data protection landscape in the recipient country. Your vendor should be able to provide both. If they cannot, your transfer may lack a lawful basis under GDPR.

GDPR and the DPDPA, LGPD, and PDPA

GDPR is the most established data protection framework for employment screening, but it is not the only one. Three other major regimes are directly relevant to organisations screening across multiple regions. The table below compares how each framework handles key screening requirements.

Lawful basis for screening
  • GDPR (EU/EEA): Legitimate interest, contractual necessity, legal obligation, or consent.
  • DPDPA (India): Legitimate uses defined by the Act, including employment purposes. Consent is a primary basis.
  • LGPD (Brazil): Legitimate interest, contractual necessity, legal obligation, or consent. Structure mirrors GDPR closely.
  • PDPA (Thailand / Malaysia): Thailand: consent is the primary basis, with exceptions for contractual necessity and legitimate interest. Malaysia: consent required, with limited exceptions.

Consent in employment
  • GDPR (EU/EEA): Rarely valid due to power imbalance.
  • DPDPA (India): Recognised as a basis. Power imbalance guidance still developing.
  • LGPD (Brazil): Similar concerns to GDPR. ANPD guidance discourages reliance on consent in employment contexts.
  • PDPA (Thailand / Malaysia): Thailand: consent is commonly used but problematic for the same power-imbalance reasons. Malaysia: consent generally required.

Criminal record checks
  • GDPR (EU/EEA): Art. 10: requires national law authorisation. Varies by member state.
  • DPDPA (India): No specific equivalent to Art. 10. Governed by general processing rules and sector-specific regulations.
  • LGPD (Brazil): Sensitive data category. Requires specific legal basis or explicit consent.
  • PDPA (Thailand / Malaysia): Thailand: sensitive data, requires explicit consent. Malaysia: governed by general principles, no specific criminal data category.

Cross-border transfers
  • GDPR (EU/EEA): Adequacy decisions, SCCs, or BCRs required for transfers outside the EEA.
  • DPDPA (India): Government to notify restricted countries. Transfer restrictions still being finalised.
  • LGPD (Brazil): Adequacy assessments, SCCs, or specific consent. ANPD regulations still maturing.
  • PDPA (Thailand / Malaysia): Thailand: adequate safeguards required for transfers. Malaysia: Minister must approve transfer destinations.

DPIA / impact assessment
  • GDPR (EU/EEA): Required for high-risk processing (Art. 35).
  • DPDPA (India): Data Protection Impact Assessment for significant data fiduciaries.
  • LGPD (Brazil): Required for processing that may create risk to data subjects.
  • PDPA (Thailand / Malaysia): Thailand: required for certain processing activities. Malaysia: not explicitly required under current PDPA.

Retention limits
  • GDPR (EU/EEA): No fixed period. Must be "no longer than necessary."
  • DPDPA (India): Retain only as long as the purpose requires. Must erase when purpose is fulfilled.
  • LGPD (Brazil): Similar to GDPR. Data must be deleted when no longer necessary.
  • PDPA (Thailand / Malaysia): Both: retain only as long as necessary for the purpose.

For organisations screening across multiple regions, the practical approach is to build your programme to GDPR standards and then adapt for local requirements. GDPR is the most demanding of these frameworks, so a GDPR-compliant programme will satisfy most requirements under the DPDPA, LGPD, and PDPA with minor adjustments. The country-specific deep dives cover the local nuances: India (DPDPA), Brazil (LGPD), Thailand (PDPA), Malaysia (PDPA).

Building a GDPR-compliant screening programme

Compliance is not a single document or a one-time exercise. It is a set of operational practices built into your screening programme from the start. The checklist below covers the key components.

Step 1: Conduct a Data Protection Impact Assessment

Before launching or materially changing your screening programme, complete a DPIA under Article 35. The DPIA should cover: what data you collect, from whom, for what purpose, the lawful basis for each check type, the risks to candidates, and the safeguards you have in place. This document becomes your primary evidence of accountability.

Step 2: Document your lawful basis for each check type

Do not rely on a single blanket justification for all checks. Map each check type (education, employment, criminal, address, credit, professional licence) to a specific lawful basis and document the reasoning. For legitimate interest, complete a balancing test for each check type. For legal obligation, cite the specific law or regulation.

Step 3: Define a retention schedule

Set retention periods for screening data based on the outcome (hired vs. not hired) and any sector-specific retention requirements. Automate deletion where possible. Review the schedule annually.

Step 4: Put processor agreements in place

If you use a third-party screening vendor, you need a data processing agreement under Article 28. The agreement must cover: the subject matter and duration of processing, the nature and purpose of processing, the types of data involved, the obligations and rights of the controller, sub-processor arrangements, and security measures. If the vendor transfers data internationally, Standard Contractual Clauses must be incorporated or executed alongside the processing agreement.

Step 5: Build candidate communications

Create a screening notification that meets the transparency requirements of Articles 13 and 14. This should be provided to every candidate before screening begins. It should explain what checks are being conducted, why, by whom, how long data is retained, and how the candidate can exercise their rights.

Step 6: Establish a rights-handling process

Candidates will exercise their GDPR rights. You need a documented process for handling access requests, rectification requests, erasure requests, and objections. The process must meet the one-month response deadline under Article 12(3), with the possibility of extension to three months for complex requests.
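Steps 2, 3 and 6 above can be enforced as configuration rules rather than left to a checklist. The Python below is an added example, not OutsourceVerify's code: it validates a constructed screening programme (a stated purpose, a lawful basis, an LIA reference or law citation per check type, Art. 10 authorisation for criminal checks, credit checks only for roles with financial authority) and computes outcome-based deletion dates and Art. 12(3) response deadlines. The check names, LIA ids and month counts are assumptions.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

# Lawful bases this guide accepts for screening (Art. 6(1)); consent is flagged.
VALID_BASES = {"legitimate_interest", "contractual_necessity", "legal_obligation"}
FINANCIAL_ONLY = {"credit"}  # constructed rule: only roles with financial authority

@dataclass
class CheckType:
    name: str
    purpose: str              # Art. 5(1)(b): one stated purpose per check type
    lawful_basis: str         # a VALID_BASES entry, or "consent" (flagged)
    lia_reference: str = ""   # Art. 6(1)(f): id of the documented balancing test
    law_citation: str = ""    # Art. 6(1)(c) and Art. 10: the law relied upon

@dataclass
class RoleCategory:
    name: str
    financial_authority: bool
    checks: list = field(default_factory=list)

def validate_programme(roles, check_types):
    """Return one finding per rule the configuration breaks (empty list = pass)."""
    findings = []
    for ct in check_types.values():
        if ct.purpose.strip().lower() in ("", "general due diligence"):
            findings.append(f"{ct.name}: purpose must be role-specific (Art. 5(1)(b))")
        if ct.lawful_basis == "consent":
            findings.append(f"{ct.name}: consent is not freely given in employment")
        if ct.lawful_basis == "legitimate_interest" and not ct.lia_reference:
            findings.append(f"{ct.name}: legitimate interest needs a documented LIA")
        if ct.lawful_basis == "legal_obligation" and not ct.law_citation:
            findings.append(f"{ct.name}: legal obligation needs a cited law")
        if ct.name == "criminal" and not ct.law_citation:
            findings.append("criminal: Art. 10 requires national law authorisation")
    for role in roles:
        for check in role.checks:
            if check in FINANCIAL_ONLY and not role.financial_authority:
                findings.append(f"{role.name}: {check} check breaches data minimisation")
    return findings

def add_months(iso_day, months):
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    d = date.fromisoformat(iso_day)
    carry, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1])).isoformat()

def deletion_due(decision_date, hired, employment_end=None,
                 unsuccessful_months=6, post_termination_months=6):
    """Outcome-based retention (Art. 5(1)(e)). The month counts are constructed
    placeholders; substitute the periods your own retention schedule defines."""
    if not hired:
        return add_months(decision_date, unsuccessful_months)
    if employment_end is None:
        return None  # still employed: keep for the duration of employment
    return add_months(employment_end, post_termination_months)

def dsar_deadline(received, complex_request=False):
    """Art. 12(3): one month to respond, extendable to three for complex requests."""
    return add_months(received, 3 if complex_request else 1)

# Constructed sample programme: the criminal check and the intern category are wrong.
CHECK_TYPES = {
    "education": CheckType("education", "Verify the qualification the role requires",
                           "legitimate_interest", lia_reference="LIA-2026-01"),
    "credit": CheckType("credit", "Assess financial probity for fiduciary roles",
                        "legitimate_interest", lia_reference="LIA-2026-02"),
    "criminal": CheckType("criminal", "General due diligence", "consent"),
}
ROLES = [
    RoleCategory("intern", False, ["education", "credit"]),
    RoleCategory("cfo", True, ["education", "credit", "criminal"]),
]

def sample_findings():
    return validate_programme(ROLES, CHECK_TYPES)
```

Running `sample_findings()` on the constructed programme reports four findings: three against the criminal check (vague purpose, consent basis, no Art. 10 authorisation) and one against the intern category for a credit check it does not need.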

Related resources
For a deeper look at how OutsourceVerify handles data protection in screening, see our compliance brief and data handling deep dive. Both documents cover our processor agreements, retention schedules, and candidate communication templates in detail.

Common GDPR mistakes in background screening

These are the mistakes we see most often when reviewing clients' existing screening programmes. Each one creates real compliance exposure.

Mistake 1: Relying on consent as the lawful basis
As covered above, consent is rarely valid in an employment context due to the power imbalance. If your current programme relies on candidate consent as the sole lawful basis for screening, you are exposed. A candidate who withdraws consent mid-screening can halt the process, and a supervisory authority may determine the consent was never valid in the first place. Switch to legitimate interest and document a proper balancing test.

Mistake 2: Running the same checks for every role
A one-size-fits-all screening package violates the data minimisation principle. Credit checks on candidates for roles with no financial responsibility, criminal record checks where no legal basis exists for the specific role, and extensive reference checks for junior positions all collect more data than is necessary. Map check types to role categories and justify each one.

Mistake 3: No retention policy or indefinite retention
"We keep everything forever" is not a retention policy. Screening data for unsuccessful candidates should be deleted within a defined, documented period. Screening data for hired employees should be retained for the duration of employment plus a justified post-termination period. If you cannot point to a written retention schedule that is consistently applied, you have a compliance gap.

Mistake 4: No DPIA for the screening programme
Many organisations skip the DPIA because they view it as bureaucratic overhead. Under Article 35, it is a legal requirement for high-risk processing. Employment screening at scale, particularly involving criminal records or financial data, is high-risk processing. The DPIA is also your best evidence of accountability under Article 5(2). Without one, you cannot demonstrate that you assessed and mitigated the risks.

Mistake 5: No processor agreement with the screening vendor
If your screening vendor processes personal data on your behalf (they almost certainly do), Article 28 requires a written data processing agreement. Many organisations operate with nothing more than a commercial services agreement that does not address data protection obligations, sub-processing arrangements, or security measures. This gap is one of the first things a supervisory authority will check.

Frequently asked questions

Can you do background checks under GDPR?

Yes. GDPR does not prohibit employment background checks. Employers can conduct screening provided they have a lawful basis under Article 6, inform candidates about the processing under Articles 13 and 14, collect only data relevant to the role (data minimisation), and apply appropriate retention limits. The most common lawful basis is legitimate interest under Article 6(1)(f), though some checks may fall under contractual necessity or legal obligation depending on the role and jurisdiction.

What is the legal basis for background checks under GDPR?

The most common legal basis is legitimate interest under Article 6(1)(f). This requires a documented balancing test showing the employer's interest in verifying credentials outweighs the candidate's privacy rights. Other lawful bases include contractual necessity under Article 6(1)(b) when screening is required to enter an employment contract, and legal obligation under Article 6(1)(c) when national law mandates specific checks for regulated roles. Consent under Article 6(1)(a) is generally not appropriate in employment contexts due to the power imbalance between employer and candidate.

How long can you keep background check data under GDPR?

GDPR does not specify a fixed retention period. Article 5(1)(e) requires that personal data be kept only for as long as necessary for the purpose it was collected. For successful candidates, most organisations retain screening results for the duration of employment plus a short post-termination period. For unsuccessful candidates, data should typically be deleted within a few months of the hiring decision. The exact retention schedule should be documented in your data protection impact assessment and communicated to candidates at the point of collection.

Do I need a DPIA for employment screening?

In most cases, yes. Article 35 requires a Data Protection Impact Assessment when processing is likely to result in a high risk to the rights and freedoms of individuals. Employment screening at scale, particularly when it involves criminal records, financial data, or systematic evaluation of candidates, will typically meet this threshold. Multiple European supervisory authorities (UK ICO, France's CNIL, Germany's BfDI) have indicated that systematic employment vetting triggers the DPIA requirement. Even if you are unsure whether your programme meets the threshold, conducting a DPIA is good practice and strengthens your accountability position under Article 5(2).

Can I transfer screening data outside the EU?

Yes, but you need appropriate safeguards under Chapter V of the GDPR. The most common mechanism is Standard Contractual Clauses (SCCs) under Article 46(2)(c), which must be executed between the data exporter and the recipient. If the recipient country has an adequacy decision from the European Commission (e.g., Japan, South Korea, UK, Argentina), transfers can proceed without additional safeguards. For transfers to countries without adequacy decisions, such as India, the Philippines, or Mexico, you also need a Transfer Impact Assessment evaluating the data protection framework in the recipient country.

What happens if a candidate objects to screening under GDPR?

Under Article 21, candidates have the right to object to processing based on legitimate interest. When an objection is received, you must stop processing unless you can demonstrate compelling legitimate grounds that override the candidate's interests, rights, and freedoms. In practice, for pre-employment screening, you can typically demonstrate compelling grounds where the checks are proportionate and directly relevant to the role. However, you must assess each objection individually and document your reasoning. If you cannot demonstrate compelling grounds, you must cease processing and delete the data. This is one reason why having a well-documented Legitimate Interest Assessment is critical: it provides the evidence you need to respond to objections.

References & further reading

  1. Compliance brief: OutsourceVerify's approach to regulatory compliance, including GDPR, across all operating corridors.
  2. Data handling deep dive: how candidate data is processed, stored, transferred, and deleted across the screening lifecycle.
  3. Poland deep dive: corridor-specific detail on Polish data protection rules, criminal record access, and screening requirements.
  4. Romania deep dive: Romanian screening requirements, including criminal record certificate procedures and data protection obligations.
  5. Czech Republic deep dive: Czech screening landscape, criminal register access, and employer obligations.
  6. Security posture: technical and organisational measures for data protection, including encryption, access controls, and audit logging.