The General Data Protection Regulation
The General Data Protection Regulation (GDPR) is an EU regulation that aims to protect individuals’ personal data and strengthen their rights. This legislation regulates how personal data may be collected, processed, and stored. The GDPR applies to all organisations and companies that process data about individuals in the EU, regardless of where the company is based.
The Swedish Authority for Privacy Protection – What does IMY say about background checks?
The Swedish Authority for Privacy Protection (IMY) is the Swedish supervisory authority that monitors compliance with data protection legislation. When it comes to background checks, the IMY sets high standards for such checks to be justified and lawful. This means that employers must have a clear and lawful basis for conducting the checks and that they must be carried out in a transparent and fair manner.
Consent and fairness in background checks
Consent and fairness are key concepts in the GDPR when it comes to the processing of personal data in background checks. These principles help protect the privacy of individuals and ensure that personal data is processed ethically and lawfully.
Consent is one of the main legal bases for processing personal data under the GDPR. It must be given freely and without coercion. Consent must be given for a specific and clearly stated purpose. This means that the employer must inform the job applicant exactly what information will be collected and what it will be used for. The person giving consent must also have enough information to make an informed decision. Individuals should also be able to withdraw their consent at any time, and this process should be simple and clear. However, it is important to note that consent is not always necessary to conduct background checks. Other legal grounds such as legitimate interest may also allow employers to carry out these checks without consent, as long as the processing is necessary and proportionate to the stated purpose.
Fairness means that the processing of personal data should not lead to unfair or discriminatory effects on the individual. Background checks must be carried out in a fair manner and must not be used to discriminate based on, for example, ethnicity, gender, age, or religion. The information collected should be directly relevant and necessary for the job to be filled. This means that the employer should limit its requests to data that is essential to the requirements and responsibilities of the position in question.
Do not hesitate to contact us! We will be happy to assist you in carrying out background checks under the GDPR.
When processing personal data, there are seven basic principles that all organisations must follow:
- Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a manner that is transparent to the data subject.
- Purpose limitation: Data must be collected for specific, explicit and legitimate purposes and must not be further processed in a way that is incompatible with those purposes. Organisations must be clear about the purpose of data collection and stick to it.
- Data minimisation: Only the personal data necessary to fulfil the specified purposes should be collected and processed.
- Accuracy: Personal data should be accurate and, where necessary, kept up to date. Every reasonable step should be taken to erase or rectify personal data that are inaccurate in relation to the purposes for which they are processed.
- Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is strictly necessary for the purposes for which the data were collected. Data must be deleted or anonymised when no longer needed for the original purposes.
- Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
- Accountability: The controller is responsible for complying with the above principles and must be able to demonstrate compliance. This means that organisations need to have internal policies, procedures, and safeguards in place to ensure and demonstrate compliance with the GDPR.
Under the GDPR, individuals in the European Economic Area (EEA) have several rights that ensure the protection and proper handling of their personal data:
- Right to information: You have the right to be informed about the collection and use of your personal data in a clear and comprehensible manner.
- Right of access: You can request access to your personal data and receive information on how these data are processed.
- Right to rectification: You have the right to have inaccurate personal data corrected or completed if it is incomplete.
- Right to erasure (right to be forgotten): You can request the removal or erasure of personal data where there are no compelling grounds for further processing.
- Right to restriction of processing: You have the right to have the processing of your personal data restricted (blocked) under certain conditions.
- Right to data portability: This right allows you to obtain and reuse your personal data for your own purposes across different services.
- Right to object: You can object to the processing of your personal data in certain circumstances, such as direct marketing.
- Automated decision-making: You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you, for example an automated rejection of an online credit application.
Background checks from the employer’s perspective
For employers, background checks are an important tool to ensure that potential employees are suitable for a position and that they are who they say they are. At Validata, we help with various background checks to identify potential risks with candidates. These can include, for example, previous criminal offences or checks on education and work experience for new hires. By carrying out background checks on potential employees, you can create a safer workplace and avoid costly recruitment errors.
Employers must carry out background checks that are relevant and proportionate to the specific position. This means that not all types of checks are appropriate for all positions. The principle of proportionality under the GDPR requires that only the personal data necessary for the specific purpose may be processed.
Yes, it is possible to carry out background checks on existing employees, but it is required that there is a clear and legitimate purpose for the check. This could include internal industry regulatory requirements or in situations where an employee is to be promoted to a position of higher responsibility, for example as a financial manager or other senior role. You as an employer must be open and clear about why and how the background check will be carried out. It is also good to think in advance about what the consequences will be if you find something on an employee in a background check. For example, if you have worked with a controller for over 30 years and the check reveals that the person has personal financial problems, what do you do? Think about what situations might arise and how to deal with them.
Yes, an employer can choose not to hire a person if the background check reveals discrepancies relevant to the position in question. The discrepancies identified must directly affect or be relevant to the duties or level of responsibility of the position. The process must be carried out in a non-discriminatory manner and in accordance with applicable laws.
Background checks from the employee’s perspective
Background checks can raise questions and concerns among potential employees about their chances of getting a job and how their personal data is handled.
Social media can provide insight into a person’s past behaviours and opinions, but such information must be assessed objectively and be relevant to the job. People change over time and so do their opinions and behaviours. It is unfair and potentially damaging to judge someone’s suitability for a job based solely on their past actions or statements without considering their current professionalism and personality. As a job seeker, if you are concerned about how your digital footprint may affect your job prospects, consider regularly reviewing your social media and weeding out content that no longer represents who you are today.
Minor offences such as speeding are recorded in the criminal record, but their relevance to the job must be carefully assessed. At Validata, we make sure that only relevant information is used in our reports to ensure that you, as a job seeker, are assessed on a fair basis.
Employers can carry out background checks on you without your consent if they have a legal basis for doing so, such as a legitimate interest. Under the GDPR, consent is not always necessary for employers, because consent must be given voluntarily and may not be considered freely given during a job application procedure. For example, the employer’s legitimate interest may be to ensure that they hire competent and reliable people. On the other hand, any background check must be proportionate: it must be relevant to, and in proportion with, the risks associated with the job. This means that the information collected should be directly relevant to the job in question. However, to process personal data and share it with others, such as your previous employers, your consent is always needed.
At Validata, we always comply with the General Data Protection Regulation and respect the needs and rights of both employers and employees when conducting background checks, for a safer and fairer labour market. We always recommend that employers communicate to candidates that a background check will be conducted prior to employment.
Contact us for questions about GDPR and background checks