Employee Data Privacy - GDPR

Rethinking Criminal Background Checks for Employees in the EU


Many European countries have specific restrictions on criminal background checks, but with the General Data Protection Regulation (GDPR) effective May 25, 2018, it’s time for employers to rethink background check practices across the EU.


Under Article 10 of the GDPR, the “[p]rocessing of personal data relating to criminal convictions…shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law…Any comprehensive register of criminal convictions shall be kept only under the control of official authority.” In other words, criminal background checks are allowed only when they have been approved under the individual member state. Separately, once a background check is completed, it should not be retained by the employer unless allowed under local law.

There are two principles under Article 5 of the GDPR which should be carefully considered before running criminal background checks on potential employees.


First, personal data processing should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” As an employer, you must carefully consider whether a criminal background check is necessary (and legal) based on the job role. While it’s likely appropriate to run a check on an individual who has access to customers’ financial data, it may be perceived as excessive to run a check on all employees.

Second, employee data should be “kept…for no longer than is necessary for the purposes for which the personal data are processed.” In most cases, once a decision is made based on the results of the background check, you should destroy the data. Note that you can still keep a record in your system that a background check was completed, but we would generally not recommend keeping the background check results once a final decision is made.

Recruiting teams should also think through how they give notice and obtain applicant signatures prior to running any checks. Consent, unless expressly allowed under national law, may not be the best way to request permission to run a criminal check as the majority of employees would not freely agree to this, especially if they have a criminal history. This is an area where we expect more guidance in the future.

When rethinking your criminal background check policies in the EU, it’s a good idea to also reconsider your practices internationally. One option is to have multiple policies, based on the regions where your employee will be hired. While you are updating your criminal background check policies, document why each decision is made and why the check is necessary for each particular role.

While each company will need to make their own determinations relating to criminal background checks, we recommend partnering with your legal, recruiting and data management teams to make the best decision for your organization.


Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.
