October 1st, 2024 | Sterling
The General Data Protection Regulation (GDPR) is a data privacy law that went into effect on May 25, 2018. Enacted by the European Parliament and Council of the European Union, the GDPR aims to harmonize data protection laws across Europe, strengthen data protection rules in the digital age, and ensure consistency for individuals and businesses.
Employers with locations in the European Union or European Economic Area, those who hire European nationals, or those providing services in Europe may wonder whether the GDPR applies to them. In this article, Sterling Backcheck outlines the fundamental principles of the GDPR and offers best practices to help you ensure your hiring and background check programs comply with these regulations. Visit our Downloads page for more compliance resources.
The GDPR applies to:
The GDPR generally applies to employee screening programs already subject to EU law. It typically does not apply to the following screening activities:
It’s a common misconception that the GDPR applies to data collected from all EU citizens regardless of their location. In reality, the GDPR’s application is limited to specific circumstances. These pertain when the company controlling or processing the data is in the EU, when the data is collected in the context of offering a good or service to someone in the EU, or when the behavior of an individual in the EU is monitored. If you’re unsure whether the GDPR applies to you, please consult your privacy office, or seek legal advice.
To understand the rules in the GDPR, it’s essential to grasp the concepts of “controller” and “processor.” An organization processing personal data or having personal data processed on its behalf may be either a controller or a processor:
The GDPR enshrines the concept of “Privacy by Design and Default” into law. This means that privacy should be integrated into all personal data processing from the outset, and that default settings should always prioritize privacy and limit the amount of information shared. The GDPR includes strict enforcement mechanisms, such as significant fines (up to €20 million or 4% of a corporate group’s global revenue). It also introduced the possibility of a “one-stop-shop,” where a single lead regulator handles a situation instead of involving regulators in every applicable country.
Below are some key components of the GDPR that may impact employment background checks:
Any company whose screening program is subject to GDPR should consider several important factors to ensure compliance. Some best practices include:
The GDPR does not set specific retention periods, but requires organizations to destroy or anonymize personal information no longer needed for business purposes or to satisfy legal obligations. Some European countries may provide regulatory guidance on the retention duration for background check data. Your organization should determine both the necessary retention period and whether your third-party screening provider should retain the data on your behalf. You can learn more about Sterling Backcheck’s data retention policies in our privacy statement.
An experienced third-party screening provider like Sterling Backcheck should enable your candidates to exercise their rights under the GDPR and other privacy laws. These include, among others, the right to access and correct personal information, to object to its processing, and, in some cases, to have it deleted entirely. For companies relying on background check information during their hiring process, it’s advisable to establish a thorough background check policy. Organizations must understand how third-party companies process data on their behalf to ensure their privacy notices, policies, and contracts comply with GDPR requirements.
For employment screening programs, the GDPR typically applies only to companies operating and hiring within European countries subject to the regulation. However, for programs screening individuals other than employees, the GDPR may apply to data collection from Europe, even if the company does not operate there.
To determine whether (and how) the GDPR applies to your screening program, Sterling Backcheck recommends consulting with your legal counsel or privacy officer.
For additional compliance resources and best practices, visit our Resources page. To set up a background check program, contact us.
This content is offered for informational purposes only. First Advantage is not a law firm, and this content does not, and is not intended to, constitute legal advice. Information in this content may not constitute the most up-to-date legal or other information.
Readers of this content should contact their attorney or lawyer to obtain advice concerning any particular legal matter. No reader or user of this content should act or refrain from acting on the basis of information in this content without first seeking legal advice from counsel or lawyers in the relevant jurisdiction. Only your individual attorney or legal advisor can provide assurances that the information contained herein, and your interpretation of it, is applicable or appropriate to your particular situation. Use of, and access to, this content does not create an attorney-client relationship between the reader or user of this content and First Advantage.