Better protection with background checks
Companies are increasingly focused on improving the level of protection for confidential information. This applies to companies where abuse can result in consequences to the public interest, but also generally, especially within competitive industries. In this connection, employees play a crucial role. Therefore, background checks can be one of several security measures companies can benefit from – provided that the data protection rules are complied with.
Recruitment processes often vary depending on the type of company. IQ- and personality tests may be required. However, a background check may also be part of the process, depending on the circumstances. In addition to ensuring the right match, a background check can help increase the protection of confidential information, which the final candidate will be allowed access to.
That also means that companies must establish background checks that comply with the applicable data protection rules, when the information is registered. That applies irrespective of whether the company or a third party performs the background check.
Legitimate interest is often the starting point
Background checks must be necessary and proportionate. That presumes an individual assessment of each category of information being collected, especially as the scope often varies. Examples of categories include:
- References from previous jobs
- Criminal record or child record
- Photo identification
- Education verification
- Information from the RKI register
- Publicly available information (e.g., from social media)
Often, the legal basis will be the company’s legitimate interest. The reason is that consent is problematic within employment relationships as consent rarely satisfies the condition of being voluntarily provided. But there can also be other rules in play, which may constitute the legal basis. Illustratively, this is the case when information on criminal offenses, sensitive information, or confidential information (such as civil registration numbers) is being processed.
When the legal basis for performing the processing activity is legitimate interest, it is necessary to balance the interests involved. Balancing the interests consists of the company’s needs on one side and the job applicant’s on the other. When making the assessment, it is necessary to consider what information is involved, what the purpose for processing the data is and whether the processing activities give rise to potential consequences for the job applicant.
IUNOs opinion
In addition to having the legal basis in place, companies must also keep other data protection rules in mind. For example, companies must also comply with the information obligations and the retention periods when conducting background checks. For this reason, many companies have a specific privacy notice that can be handed out as part of the recruitment process.
IUNO recommends that companies have guidelines on how to conduct a background check when recruiting. This may, for example, depend on the job position in question. The guidelines must include specific assessments of the processing activities, including what the processing entails, as well as when and how it occurs.
Recruitment processes often vary depending on the type of company. IQ- and personality tests may be required. However, a background check may also be part of the process, depending on the circumstances. In addition to ensuring the right match, a background check can help increase the protection of confidential information, which the final candidate will be allowed access to.
That also means that companies must establish background checks that comply with the applicable data protection rules, when the information is registered. That applies irrespective of whether the company or a third party performs the background check.
Legitimate interest is often the starting point
Background checks must be necessary and proportionate. That presumes an individual assessment of each category of information being collected, especially as the scope often varies. Examples of categories include:
- References from previous jobs
- Criminal record or child record
- Photo identification
- Education verification
- Information from the RKI register
- Publicly available information (e.g., from social media)
Often, the legal basis will be the company’s legitimate interest. The reason is that consent is problematic within employment relationships as consent rarely satisfies the condition of being voluntarily provided. But there can also be other rules in play, which may constitute the legal basis. Illustratively, this is the case when information on criminal offenses, sensitive information, or confidential information (such as civil registration numbers) is being processed.
When the legal basis for performing the processing activity is legitimate interest, it is necessary to balance the interests involved. Balancing the interests consists of the company’s needs on one side and the job applicant’s on the other. When making the assessment, it is necessary to consider what information is involved, what the purpose for processing the data is and whether the processing activities give rise to potential consequences for the job applicant.
IUNOs opinion
In addition to having the legal basis in place, companies must also keep other data protection rules in mind. For example, companies must also comply with the information obligations and the retention periods when conducting background checks. For this reason, many companies have a specific privacy notice that can be handed out as part of the recruitment process.
IUNO recommends that companies have guidelines on how to conduct a background check when recruiting. This may, for example, depend on the job position in question. The guidelines must include specific assessments of the processing activities, including what the processing entails, as well as when and how it occurs.
Similar
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing
Promises are made to be kept
Messy toolbox led to serious criticism and an injunction