Introduction: The practice of conducting background checks on potential employees has been significantly impacted by the GDPR, requiring organisations to balance due diligence with respect for privacy rights. The European Data Protection Board (EDPB) offers crucial guidance on how to conduct these checks compliantly. This article provides an extensive guide enriched with insights from EDPB guidelines, helping HR professionals navigate this intricate landscape.
Understanding GDPR Basics: The GDPR prioritises the protection of personal data, ensuring that any processing, including background checks, adheres to principles like transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.
Conducting Background Checks Under GDPR with EDPB Guidance:
1. Legal Basis for Data Processing:
- According to the EDPB, consent must not be the default basis for processing due to the power imbalance in the employer-employee relationship. Where possible, consider using legitimate interest, but this requires a careful balancing test as outlined in EDPB guidelines, ensuring the rights and freedoms of data subjects are not overridden by the interests of the employer.
2. Transparency and Consent:
- The EDPB emphasises that consent must be a clear affirmative action. Pre-checked boxes (if you obtain the consent digitally) or implied consent are not valid under GDPR. Employers should provide detailed information about the data being processed, including the purpose, retention periods, and the rights of the individual. Consent may be an appropriate legal basis where special categories of data are involved. Also take note of the employment (labour) laws applicable to you here.
3. Data Minimisation:
- EDPB guidelines highlight that only data necessary for the specific job role should be collected. For example, checks on criminal records should be limited to roles where it is a statutory requirement or where there is a direct relevance to the position.
4. Third-Party Involvement:
- When engaging third-party background check services, the EDPB advises ensuring these processors act only on your instructions. Data processing agreements should explicitly outline GDPR compliance obligations, including data protection measures, as noted in the guidelines on controller and processor roles (EDPB Guidelines 07/2020).
5. Security Measures:
- EDPB guidelines stress the importance of implementing appropriate technical and organisational security measures. This includes encryption of personal data, especially when it involves sensitive information like criminal records.
6. Data Subject Rights:
- The EDPB advocates a proactive approach to handling data subject rights. This includes not only responding to requests but also informing candidates about their rights from the outset of the background check process.
7. Retention and Deletion:
- EDPB guidance on storage limitation (e.g., Guidelines 03/2020, but the same opinion may be found in other Board documents) advises against indefinite retention of background check data. Data should be deleted once the recruitment process concludes, unless there's a legal obligation to retain it or if the individual is hired.
Best Practices for Compliance with EDPB Insights:
- Regular Training: Training should cover the nuances of EDPB guidelines, ensuring staff understand both the letter and the spirit of GDPR.
- Audit and Review: Use EDPB's checklist approach from various guidelines to audit your background check processes. This includes reviewing whether your lawful basis for processing is correctly applied.
- Documentation: Keep detailed records of all GDPR compliance activities, including how you've determined the lawful basis for data processing, as suggested by the EDPB.
- Risk Assessment: The EDPB recommends data protection impact assessments (DPIAs) for any processing activity likely to result in a high risk to individuals' rights and freedoms, particularly when dealing with criminal records data.
- Global Considerations: For multinational companies, integrating EDPB advice on data transfers (Guidelines 05/2021) is crucial for ensuring GDPR compliance in background checks across borders.
Conclusion: Employing the EDPB's perspectives alongside the core GDPR principles ensures that background checks are not only legally compliant but also ethically sound.
HR professionals must stay informed about evolving EDPB guidelines to adapt their practices accordingly, thereby safeguarding candidate rights while protecting organisational interests.
Engage with me for deeper insights into GDPR compliance or to discuss specific scenarios where EDPB guidelines could further refine your approach to background checks.