Gerlind Wisskirchen of CMS Hasche Sigle discusses background checks affecting employers in Europe.
Background checks – the most recent since the 2002 financial reporting scandals involving US corporations (Enron, Worldcom and Tyco) – have acquired global significance for employers. Ever since, comprehensive background checks, or ‘pre-employment due diligences’ have been carried out in US corporations. In Europe, however, background checks are not permitted to the same extent.
In Germany no specific legislation exists concerning background checks; the permitted room for manoeuvre must be determined on the basis of the existing legal situation. Statutory constraints with regard to the acquisition and storage of personal data are in place, warranting the protection of the private sphere and the right of self-determination. The applicant need not tolerate any background checks that go beyond an employer’s permissible right to ask questions within the limits of the German Equal Treatment Act (AGG) and the personality right of the applicant. The employer’s legitimate interest in the answering of the question must be so great that the protection of the personality right of the applicant is second to the right to ask questions. The applicant need not respond to inadmissible questions put by the employer, the applicant is also permitted to give a wrong answer to the question. When background checks are being carried out, the principle of direct acquisition of data via the applicant takes priority. Background checks with the help of third parties are therefore only admissible if the reliability of the applicant is of particular relevance, eg, in finance and childcare, or where special information is essential for the employment relationship. The applicant’s knowledge and consent will always be required.
The employer has a legitimate interest in information on the applicant’s personal particulars. Both before and after the job offer, the applicant may be asked to verify his personal particulars by presenting his ID card, passport, social security number or birth certificate. Otherwise, the employer can refuse the applicant. If there is legitimate suspicion that employees have not disclosed their true identity, the employer may demand the mentioned proof of identity, also during the existing employment relationship. The same applies to job application documents. Applicants submit documents concerning their qualifications and previous professional experience with their application. The employer may – both before and after the job offer – request the original documents for perusal, and after being given the applicant’s written consent, may also contact schools, universities and former employers directly. For data privacy protection reasons, as a rule enquiries made are limited to information on the duration and type of employment. In the case of breaches of such requirements, the applicant can assert claims for damages. In addition, there is the threat of an administrative fine of up to E300,000 pursuant to the German Data Protection Act (BDSG). Potential employers may only demand limited information on previous convictions or on the applicant’s financial situation. Questions will only be permitted if the information is relevant to the advertised position, for example because particular trustworthiness and financial reliability are required. Scrutiny of any previous convictions will only be possible in rare cases through presentation by the applicant of a certificate of good conduct (Führungszeugnis). The applicant’s career development and criminal history will only be allowed to be scrutinised in the existing employment relationship if this failed to take place already during the recruitment process, and if the concrete workplace is affected. Then, the written approval of the employee will be required, except in the case of legitimate suspicion of fraud on the part of the employee. Moreover, as a rule, the employer can request presentation of the employee’s work permit and residence entitlement without giving a reason. Creditworthiness checks like SCHUFA information or extracts from the commercial register are prohibited under the German Data Protection Act.
Primarily during the application procedure, HR departments – via internet research – are increasingly collecting data about the applicant that goes beyond the information communicated in the job application documents, notably the applicant’s professional background. Pursuant to section 28, 32 of the Data Protection Act, collecting personal data from the internet is allowed if this data is accessible to the general public, unless the protectable interests of the applicant outweigh this. With work-oriented networks like XING or LinkedIn, the data posted there by the applicant is accessible to the general public after log-in. Data that is posted by the applicant on social networking sites like Facebook may not readily be collected and stored.
Currently, the general terms and conditions of the operator provide for use of the network for private purposes only. Moreover, predominating interests of the applicant and lack of necessity as defined in the Data Protection Act are opposed to the collection of data. If the employer decides against an applicant, the job application documents must be returned to said applicant. If an action brought by the rejected applicant cannot be ruled out, copies of the documents can temporarily remain with the employer. Employee data can be stored for as long as it is required by the employer within the framework of the protection against unfair dismissal process. If the employer intends to introduce staff questionnaires, eg, in the context of works agreements, the approval of the works council must be obtained in advance (section 94 of the German Works Constitution Act) and the data privacy protection officer must be involved (section 4 of the Data Protection Act).
By conducting impermissible background checks, the employer will be in breach of the pre-contractual duty of care and of the general personality right. An impermissible background check can entail damages claims if the applicant can prove that the losses were incurred by obtaining unlawful information and that without this measure, the applicant would have been recruited. It is also possible to grant the employee damages of three monthly salaries, pursuant to section 15(2) of the Equal Treatment Act.
French law offers no explicit statutory framework for handling background checks. It contains provisions concerning admissible acquisition of data relating to applicants. Pursuant to article L.1221-6 of the French Labour Code, the employer can only obtain information about an applicant, which facilitates an assessment of their professional skills with regard to the position being offered. These professional skills must be directly required for the position. Social security enquiries about the applicant are generally prohibited, except if the applicant is not yet registered. In all other respects, personal particulars are allowed to be subject to comprehensive scrutiny. The employer can demand presentation by the applicant of the relevant job references, eg, of former employers, however, not the presentation of pay slips. In addition, the employer has the right to ask questions concerning previous positions and the grounds for their termination. The applicant’s consent relating to enquiries made to former colleagues is required.
Employers may make use of all information from the internet, irrespective of whether it was posted on social or work-oriented networks. In France, the employer is generally prohibited from reviewing any previous convictions as well as the applicant’s financial position. If applicable, the employer can – only by setting forth a legitimate interest – demand the current extract number three of the certificate of good conduct, which lists the heaviest penalties and can only be applied for by the applicant itself. An exception is made in the area of asset management, eg, in the banking industry. With applications in the areas of security or care, the employer additionally has the option, under administration law, of having police files reviewed by local government.
During the existing employment relationship, the employer as a rule (setting out its legitimate interests) can demand updated versions of the certificate of good conduct. Dismissal for breach of the duty to furnish the requested information is possible if the employee’s refusal with regard to furnishing the desired information results in disturbances in the peaceful working climate or if material qualifications for the function turn out to be false. The storage of employee data is possible after prior clarification regarding the affected employee. Employers additionally have the option of setting up biometric ID systems on their employees if CNIL (Commission National de l’Informatique et des Libertés), the French data protection watchdog, approves of their introduction. If the employer violates the above-referenced legal provisions or employee rights, the employee can claim damages or sanctions under criminal law, see article L. 1121 -1 of the French Labour Code. Pursuant to the French Criminal Code and the French Labour Code, an employer could face up to three years of imprisonment, and a fine of up to E46,000 in the event of discrimination with regard to an employee’s membership of a trade union.
In Italy, prior to the acquisition of personal data, there is no general duty to notify the applicant or to obtain the applicant’s approval. The person concerned should be informed in advance concerning the purpose of the background check, in terms of whether the data has to be surrendered voluntarily or obligatorily and with regard to the consequences of non-voluntary surrender (see article 13 of the Italian data protection law).
At the employer’s request, applicants must communicate their social security number to the employer. Publicly accessible data, eg, a birth certificate, can be perused by the employer at any time without the approval of the applicant; detailed information can only be viewed with the approval of the applicant, the employer demonstrating a special interest. The employer can comprehensively scrutinise statements made by applicants about their educational background. Upon request, schools and universities are entitled to surrender their assessments (possibly via electronic information) to the corporation. This generally also applies to enquiries made by former employers. The employer may call on the applicant to handover documents on previous nationwide convictions and pending proceedings before the court in the potential employer’s district. However, the employer may not call for bank and credit card information.
The employer’s right to information also continues to exist during the current employment relationship to the same extent as prior to recruitment. In exceptional cases, dismissal is possible if, after examination of the data, it subsequently emerges that the employee fails to meet the requirements of the position. The employer may store data in the individual case, stating a legitimate purpose, for the duration of the employment relationship. In the event of unauthorised or unlawfully conducted background checks, the employer will be liable for prosecution under civil law and criminal law. The employer will be liable to pay damages or ‘smart money’ if the processing of personal data brings about losses for the employee or if data is stored longer than permitted for the required purpose.
The employer’s right to information is determined in Denmark notably by way of the Danish Act on Processing of Personal Data, APPD. With the written approval of the applicant or employee, the employer can subject their personal data to scrutiny by means of a database governed by social security legislation. If the applicant refuses such scrutiny, the employer can refrain from recruitment for this reason provided the employer has already informed the applicant of the consequences thereof.
With regard to educational background and previous activities, as a rule, the data from the application may be verified by the employer. It is not usual in Denmark to issue job references. Applicants can, however, be called on to surrender contact data of former employers. Also in the existing employment relationship, scrutiny can take place if there is legitimate suspicion of fraud by the employee to the detriment of the corporation. If the employer acquires information via social networks, it must grant the employee the opportunity of answering. The applicant must disclose previous convictions if the offence is relevant to carrying out their duties and if there is a temporal proximity between the offence and the position. This is the case if an official permit regulated by statute for exercise of the function is required, for example relating to insurance clerks, attorneys or finance managers. The legal limits of data acquisition, notably the proportionality principle, are applicable in favour of the applicant and the employee. As a rule, the employer obtains information about relevant previous convictions from the public criminal records kept by the police with the written approval of the applicant.
The employer is authorised to keep personal data of applicants and employees by electronic means. It is permitted by statute to store data for as long as a legitimate purpose for this exists. As a rule, this data is allowed to be stored for up to six months after its transmission to the employer. Danish legislation provides for sanctions like monetary fines or damages for financial losses in the event of illegal collection of data. It is also usual to publish the corporation’s breach on the website of the Danish data protection agency.
In the Netherlands, background checks regarding applicants and employees are generally permitted, but limited by the Data Protection Act (Wet Bescherming Persoonsgegevens). Background checks are only supposed to be carried out relating to necessary data for the firm offer of a position.
The information on professional experience and educational background listed in the application, can, however, be subjected to scrutiny by the employer by making enquiries to former employers. Job references are seldom issued in the Netherlands. On the publicly accessible homepage of the Dutch courts (rechtspraak.nl) employers can inform themselves about the possible insolvency of the applicant.
However, it is up to applicants as to whether they provide information to the potential employer about their financial situation and credit rating. This principle also applies to any previous convictions. Exceptions apply relating to function-related previous convictions, eg, in the case of an applicant for a position as a primary school teacher previously convicted for the sexual abuse of children.
These principles relate to the duty to provide the requested information comprehensively, at any time during the current employment period, and to the extent that scrutiny of data relating to the employee’s position is relevant, and the interests of the employer outweigh those of the applicant. In the Netherlands, the right of the employer to be able to use all private and work-related information from the internet has existed hitherto. To date, notification about the found information has not been prescribed by statute. Personal data can only be stored for a limited period. There is differentiation made between information relating to applicants who are recruited and applicants who are not recruited. Personal data relating to the first-mentioned applicants can be stored during the entire term of employment. With regard to the applicants who are not recruited, differentiation has to be made between whether applicants have consented to further storage of their data (storage for one year admissible) or not (storage for four weeks admissible). The Dutch Data Protection Commission are allowed to sanction corporations breaching the Data Protection Act with monetary fines of up to E15,000.