While background screening is a common practice in most countries, navigating each jurisdiction’s unique regulations can be challenging for companies with a global presence. This resource is intended to provide companies with a general overview of common regulatory principles as well as illustrative examples of specific legislation governing data privacy and background check processing.
This information is provided for educational purposes only and should not be construed as legal advice. All companies are encouraged to seek their own counsel to ensure compliance with all applicable laws prior to requesting Checkr services.
Data Privacy Legislation
Background checks inherently involve the collection and processing of sensitive personal information. While many laws affect the proper use of the information collected (such as industry-specific employment and anti-discrimination laws that vary by country), data privacy laws tend to impose the most stringent requirements on all parties involved in the collection and processing of that personal information.
The primary example is the General Data Protection Regulation (GDPR), which is the overarching law governing companies processing personal data on individuals residing in the European Union (EU). Today, the GDPR offers the most comprehensive list of data rights granted to the individual, as well as broader data protection principles. Many companies choose to align their global data collection practices with GDPR as they scale their international hiring in the EU and beyond.
GDPR Party Classifications
The General Data Protection Regulation (GDPR) is the primary data privacy law in the European Union (EU). It came into effect on May 25th, 2018, replacing the EU’s Data Protection Directive. This legislation introduced new data privacy and security principles and regulations on companies handling personal data collected on individuals residing or located in the EU.
GDPR covers three classifications of persons and organizations: (1) data subjects, (2) data controllers, and (3) data processors. The law primarily protects the rights and freedoms of data subjects while placing regulations on organizations controlling and processing their personal data. Below is a description of each party classification and how the relationship between Checkr and the company requesting the background check fits into them.
Data Subject: A natural person whose personal data is being processed and whose rights are being protected under the law.
The candidate you are requesting us to run a background check on.
Data Controller: Body that determines the purposes for processing and what types of personal data are being processed.
Checkr customers are the Data Controllers because you determine the purpose of processing and the type of data that will be processed. Example: customers pass PII to Checkr exclusively to run the background check; that restriction on use, specified in our agreement, is the “control” placed on Checkr.
Data Processor: Body that processes the personal data only on behalf of the data controller.
Checkr is your Data Processor, as we process the data at your request. Data processing includes collecting, recording, organizing, storing, and similar operations carried out on the instructions of the Data Controller.
General Data Protection Principles
Article 5 of the GDPR outlines a set of principles related to the processing of personal data (which includes background check information). These principles are outlined broadly below. As the responsible party, Data Controllers may apply these principles beyond their EU regional compliance to scale their global privacy program.
Lawfulness, Fairness and Transparency
Prior to requesting international background checks from your Data Processor, you as the Data Controller must (1) establish a lawful basis for processing, and (2) ensure that the data processing is being conducted in a fair and transparent manner. When considering the lawful basis for processing outlined in Article 6, companies often rely on the consent of the data subject (see Article 6(1)(a)). Some Member States do not accept consent as a legitimate basis (see Country Specific Analysis section for examples), leading many companies to instead rely on the balance of interests assessment, which indicates that you, as the data controller, have a legitimate interest for processing that is not overridden by the interests or rights of the data subject (see Article 6(1)(f)). It is your responsibility to specify which lawful basis (or bases) your company relies upon.
Prior to requesting background checks with Checkr, customers must ensure they have a legal basis on which to process personal data. The GDPR provides a list of approved conditions on which processing may be deemed as lawful. They are:
- Data subject has provided consent
- Processing is necessary for contract fulfillment
- Processing is necessary for a legal obligation
- Processing is necessary to protect the interests of the data subject
- Processing is for the public interest
- Processing is necessary to support the legitimate interests of the data controller, and those interests are not overridden by the interests or rights of the data subject
Purpose Limitation
This principle relates to your specific purpose for requesting processing of the data. The GDPR states that personal data shall be “collected for specified, explicit and legitimate purposes” and indicates that use of the data should be limited to that specific purpose (see Article 5(1)(b)). Determining this purpose is the control you are exercising as the Data Controller.
When requesting background checks with Checkr, our customers certify that they have a specific and lawful purpose for the request, and that use of the data will be limited to fulfilling that request. This purpose determination is the primary control that our customers exercise as the Data Controllers.
As your Data Processor, Checkr also ensures that the data collected on your behalf is not used for any of our own purposes (such as marketing resources) outside of fulfilling our contractual obligation with customers.
Data Minimization
The personal data that is collected and processed must be limited to what is adequate, relevant and necessary for the purpose you specified in your agreements with Checkr and the data subject (see Article 5(1)(c)). When determining which international screenings to request from Checkr, consider the nature, scope, and context of your purpose to ensure you are only requesting what is relevant and necessary to fulfill that purpose. This relevancy and necessity criterion appears in nearly every country’s data privacy law.
Country Specific Analysis
While the general principles described above apply in most jurisdictions, individual countries often introduce additional requirements for the collection, processing and proper use of personal data. These country-specific regulations may introduce additional risks for Data Controllers as the users of such information.
Listed below are a few examples of legal parameters particular to individual countries. This list is non-exhaustive and is meant to highlight the need for companies to conduct their own country-specific analysis prior to requesting screenings from Checkr.
The Netherlands and Spain
Even within the EU, the GDPR does not provide a single uniform law to comply with, as Member States are permitted to implement specifications, restrictions or additions that meet the needs of their respective countries. For example, in the Netherlands and Spain, consent is not considered to be ‘freely given’ in the employment context due to the imbalance of power between the candidate and the potential employer. Thus, consent is not a reliable basis for processing, and companies must ensure they are covered by an alternative basis when requesting screenings in these countries. (See the Lawfulness, Fairness and Transparency section above.)
Israel and Ireland
In the international landscape, the most common background checks are education and employment verifications. Criminal screenings are less common, and multiple countries restrict such checks to limited circumstances. In Israel, access to criminal records from the national registry is strictly prohibited for private employers except in limited circumstances, such as where there are specific legal restrictions on hiring applicants with criminal convictions (e.g., positions at schools, daycares and hospitals). Similarly, Irish law specifies the situations under which criminal checks are permissible, including when the roles involve working with children or vulnerable persons, working for the State in sensitive areas, or working as security staff. As the Data Controller and ultimate user of this information, companies must ensure they meet such local requirements and only request information permitted by law.
Brazil and Mexico
In both Brazil and Mexico, background screening has frequently been the subject of consumer litigation. A number of court filings have resulted from candidates being rejected based on background check information that was not directly related to the position they applied for. Court rulings have often been in favor of the candidate, deeming the background check process to have violated their right to privacy and/or right to work. Again, to mitigate the risk of litigation, it is important to ensure you are only requesting information that is directly relevant to the position at hand and that you are able to demonstrate that relationship.