How to perform GDPR compliant background checks

GDPR compliant background checks of employees

We have already discussed how to process personal data of your employees. However, during the recruitment process, you will also perform background checks and process personal data of numerous candidates who you are considering for a position.

There is nothing wrong with wanting to mitigate any potential risks and it is sometimes even an employer’s obligation to perform a background check on their future or potential employees as a security measure.

It is no wonder since, in addition to the negligent insiders, there are also malicious insiders compromising intellectual property, accessing personal data, or sensitive financial records.

However, companies should also think about compliance. Find out whether your background checks are compliant and how to protect your company from potential infringements of the General Data Protection Regulation (GDPR) that can easily turn into steep fines.

What is considered a background check?

It is possible that there are certain types of background checks that you perform without even realizing it. Background checks can be as simple as:

  • Gathering information from social networks
  • Checking criminal records
  • Verifying the educational and professional background
  • Character check…

Steer clear of compiling blacklists as a part of the background check since they are generally considered non-compliant and illegal.

Some countries even have laws that specifically deal with background checks. However, usually, you will have to rely on employment law and data protection law during the process.

[RELATED TOPIC: Processing personal data of employees]

GDPR compliant background checks

Businesses have to process personal data in order to continue business as usual. However, they will have to pay close attention to privacy, national employment laws, GDPR principles and be accountable while doing so.

These are just some of the elements you have to pay close attention to:

1. Identify your lawful basis

Prior to starting a background check (or any other type of processing activity), you will have to identify an appropriate legal basis for the data processing.

For processing special categories of data and data about criminal convictions and offences, you will probably rely on a legal obligation under local law; in most other situations, you are likely to rely on legitimate interest.

Consent is not considered an appropriate legal basis, since there is a clear imbalance of power in the employee/employer relationship. It is questionable whether a potential employee is genuinely free to give consent and to withdraw it without repercussions.

2. Find a balance

When relying on legitimate interest, identify and document business benefits of background checks, what type of data you want to collect, how and why in order to find a balance between your business’s needs and the rights and freedoms of individuals.

3. Minimize the data you collect & process

Follow the data minimization principle and limit your background checks, and the personal data you collect, to what is relevant and necessary for the purpose you want to accomplish.

If you want to conduct a background check and you are not obligated by law to store and archive documents, ask your candidate to support their claims by showing you documents to minimize any unnecessary data collection.

4. Be transparent

Background checks should be conducted lawfully, fairly, and in a transparent manner in relation to the candidate. Before you start with the background check, fully disclose your intentions to the candidate and explain why you are conducting it.

The candidate should be your primary contact for verifying claims and providing documents. Although you will not need consent to contact previous employees to do a background check, it would be advisable to inform the candidate about your intentions.

5. Define data retention period

If you are keeping information and details about your potential employees, keep it for no longer than is necessary for you to fulfill the purpose, so make sure you define the data retention period.

In addition to respecting the storage limitation principle, you will have to explore local regulations and employment laws in order to identify which data you are obligated to keep and archive by law and which data can be deleted.

Generally, data collected during the recruitment process should be deleted if you will not employ the candidate or if the candidate declines your offer.

6. Technical and organizational measures

Your company should have appropriate technical and organizational measures in place to protect personal data and safeguard the rights and freedoms of candidates. You should limit access to personal data to essential employees only.

7. Third parties

Identify if there are any third parties with whom you will exchange or share data, or who will be involved in the process, like partners or vendors, and define the nature of your relationship.

Whether you are a data processor or a data controller makes a big difference to your obligations and responsibilities.

[RELATED TOPIC: Difference between a data controller and data processor]

Compliant social media background screening

Most companies conduct social media background screening during their recruitment process.

However, even though some of the profiles can be publicly viewed this does not suggest that you are free to process that data for business purposes. Any type of data processing requires a proper legal basis, and social media screening is no exception.

Before you start with the social media screening, you will have to consider whether the profile is related to candidates’ private or business purposes and limit your data collection and processing to what is necessary and relevant to the candidate’s job performance.

You will also have to inform candidates about such processing before the recruitment process starts, and delete the data once the recruitment process is over if the candidate did not get the position or rejected the offer.

Final words

Keep in mind that in order to make your background checks compliant and lawful you will have to take into account other national laws and regulations that may apply, which can be specific to each country.

The candidate should be aware of any background checks you will conduct, and should be your primary contact for any clarification or information you might need.

Gather more information about the topic from the guidelines for collecting employee data and data processing at work from the European Data Protection Board (EDPB) and the WP29.
