Your job applicant sorting software may be automated decision making that may be prohibited in the EU and may require a bunch of things like a #DPIA and an opt out in the US - even if a hiring counsellor is making the final hiring decision!

A new decision from the Supreme Administrative Court of Austria follows in the footsteps of the Schufa decision.

In this case the controller, the Public Employment Service in Austria, used an algorithm to calculate the degree of probability for jobseekers to be employed for a certain number of days, based on: (1) age group, (2) gender, (3) country group, (4) education, (5) health impairment, (6) care responsibilities, (7) occupational group, (8) career history and (9) the regional labor market situation and the duration of cases at the controller.

Based on this, the algorithm divided jobseekers into the following three groups: (1) Service jobseekers with high labor market opportunities, (2) Care jobseekers with low labor market opportunities, (3) Consultancy jobseekers with medium labor market opportunities.

The result was used as a starting point for counsellors to work with jobseekers to assess their potential and any obstacles in the labour market integration. The algorithm itself was not used for job placement, but only for targeted support and assistance.

Per the court:
🔹 The algorithm decided on the allocation of jobseeker’s group and thus has a legal effect on the jobseekers concerned or similarly significantly affects them.
🔹 The fact that the final decision on the jobseeker’s group assignment lies with the counsellor does not prevent the algorithm from being classified as an automated decision under Article 22(1) GDPR.
🔹 The instructions and trainings that were provided to ensure counsellors would not accept the algorithm’s results unquestioningly could not exclude the possibility that the algorithm is ultimately decisive for the allocation.

Really important in the US as well since automated decisions that affect the prospect of employment are considered "legal or similarly significant effects" under (most if not all) US State Privacy Laws. #dataprivacy #dataprotection #privacyFOMO #AIprivacy photo by vectorjuice for Freepik https://lnkd.in/eerj7SgW
Background Screening Regulations
-
Illinois HR Teams should know that SB 2339 was passed on October 30, 2025, which expands the Right to Privacy in the Workplace Act. The bill is now on Gov. Pritzker's desk and will immediately take effect once signed. The law creates new rules around employment eligibility verification (like E-Verify), privacy, and employer responsibilities. Here is the bill status: https://lnkd.in/etkmnRtR

What HR needs to know:

E-Verify & Employment Verification Systems
▪ Previously, employers could voluntarily use E-Verify with notice, training attestation, and recordkeeping.
▪ SB 2339: Prohibits employers from imposing checks beyond federal E-Verify rules, protects employees from extra document requests and pre-screening (amended 820 ILCS 55/10).

Handling Discrepancies
▪ Previously, adverse action based on agency/third-party discrepancy notices was at employer discretion, with only minor penalties (820 ILCS 55/10, 820 ILCS 55/5-6).
▪ SB 2339: No adverse action solely on third-party mismatch (ex: SSA or IRS) unless from federal immigration authorities; higher penalties and new private right of action (820 ILCS 55/10(b-5)).

Notification Requirements
▪ Previously, limited obligations to notify affected employees of adverse verification findings or rights to contest tentative non-confirmations.
▪ SB 2339: Employers must provide detailed written notice to employees (and their representatives) within five business days of any negative finding, informing them of the issue, timeline to contest, upcoming meetings, and representation rights. They must also post official government notices about E-Verify rights in a visible workplace location.

Local Government Preemption
▪ Previously, individual municipalities and counties could enact tougher employment verification rules.
▪ SB 2339: State law now overrides all local rules—verification now standardized statewide (amended 820 ILCS 55/10(d)).

Penalties and Good-Faith Defense
▪ Previously, violations were classified as petty offenses, with limited fines and little civil recourse for affected employees.
▪ SB 2339: Violations are subject to more severe civil penalties, compensatory damages, and attorney’s fees. The law provides legal safe harbor for employers who act in good faith reliance on guidance from the Illinois Department of Labor or DHS, or who make honest administrative errors that do not affect employment or pay. (820 ILCS 55/18)

Tips for HR:
1) Update E-Verify practices to only follow federal rules for employment verification—no extra checks or pre-hire document requests.
2) Notify employees of negative findings in writing within 5 days and post E-Verify rights.
3) Train HR teams to recognize the difference between valid federal agency notices and third-party ones not covered by immigration enforcement.

If you have more info or comments, please share below. Thanks!

#EVerify #Immigration #EmploymentLaw #HR
-
Background checks. Sensitive data. Zero DPDP compliance.

The most sensitive personal data comes from your hiring process.
📌 Criminal records.
📌 Financial history.
📌 Past employment.
📌 Address verification.
📌 Education certificates.

And almost no Indian company has a DPDP-compliant process for any of it.

Here is the legal reality your HR team doesn't know:
Your company = Data Fiduciary.
Your BGV vendor = Data Processor.
Your candidate = Data Principal with enforceable rights under DPDP.

Every obligation that applies to your customer data — applies here too.

The 5 gaps I find in almost every BGV process I review:

1️⃣ Consent was never properly obtained. Most companies collect a generic clause inside the offer letter. Under DPDP — consent for a background check must be specific to that purpose, informed about what will be verified and with which sources, and separate from the employment acceptance. "I accept this offer" is not consent to a criminal record check.

2️⃣ No signed DPA with the BGV vendor. You have a commercial agreement with your BGV vendor. Under DPDP — that vendor relationship requires a Data Processing Agreement with breach notification timelines, deletion obligations, sub-processor controls, and Data Principal rights flowing down. A commercial agreement and a DPA are not the same document.

3️⃣ Candidate rights are completely unaddressed. Under DPDP, your candidate has the right to access what data was collected about them, from which sources, and what the report concluded. Most HR teams have no process for this. No one has asked before — but it is now a legal right, not a courtesy.

4️⃣ BGV reports are retained indefinitely. The candidate joined — or didn't. The report is still in your HRMS, your email, your recruiter's drive — years later. Under DPDP — personal data must be deleted once the purpose is fulfilled. The purpose of a background check is the hiring decision. Once made — the legal basis for retaining the report ends.

5️⃣ Cross-border transfers nobody mapped. Most BGV vendors verify employment and academic records through international databases. That is a cross-border data transfer. Under DPDP Section 16 — your company is responsible for it. Not your vendor. Does your BGV vendor's contract specify which countries your candidate's data flows to?

_____________________________

The background verification industry processes thousands of sensitive personal data records every month in India. Almost none of it is DPDP-compliant. And the liability doesn't sit with the BGV vendor. It sits with the company that initiated the check and is the Data Fiduciary.

Does your company have a signed DPA with your BGV vendor?

___________________

I help companies build DPDP-compliant hiring data processes — from candidate consent to vendor DPAs to rights response frameworks. Book a 1:1 call to find out where you stand. (Link in comment.)
-
Background Checks on Job Applicants: A GDPR Perspective

Opinion 2/2017 on data processing at work, adopted in June 2017 by the Article 29 Data Protection Working Party, was still more or less clear in highlighting the limitations for using publicly available data, including from social media. However, in today's competitive job market, conducting background checks on applicants has become a crucial step for employers. Here are some considerations:

Legal Basis for Online Research and Social Network Checks: Under GDPR, the processing of personal data is generally prohibited unless a legal basis is established. For background checks, this could be consent from the applicants (Art. 6(1)(a) GDPR) or the necessity for the employment relationship (Art. 6(1)(b) GDPR). Additionally, Section 26(1) BDSG may apply if the processing is essential for the employment decision.

Pre-Employment Screening Based on Consent: Consent for data processing must meet the requirements of Art. 7 GDPR, ensuring it is freely given, specific, informed, and unambiguous. Given the inherent power imbalance in employer-applicant dynamics, obtaining genuine consent can be challenging. Moreover, consent can be revoked at any time (Art. 7(3) GDPR), posing a risk for employers relying solely on this basis.

Is Googling Applicants Allowed? The use of publicly available data from search engines like Google is contentious. Generally, accessing publicly available data can be permissible if it does not infringe on the applicant’s privacy rights and serves a legitimate interest (Art. 6(1)(f) GDPR). Employers must ensure that only job-relevant information is processed. So stay away from special categories of personal data!

Automated Background Checks Using Software (Scraping): Automated systems that gather data from various online sources to create profiles must also comply with GDPR. The legal basis here may include legitimate interest (Art. 6(1)(f) GDPR) or explicit consent (Art. 9(2)(e) GDPR) for processing sensitive data. If profiling (Art. 22(1) GDPR) occurs, explicit consent is typically required.

Transparency and Information Obligations: Employers must inform applicants about the data processing activities, ideally before they begin (Art. 14 GDPR). Transparency can positively influence the balancing of interests required by GDPR. Additionally, it is crucial to delete this data as soon as it is no longer needed for its intended purpose to comply with the data minimization and storage limitation principles of GDPR.

#GDPR #DataPrivacy
-
A recent ruling by the Labour Court in the case of CONNOR V LEXISNEXIS (PTY) LTD highlighted that not all criminal convictions should automatically disqualify individuals from job opportunities. In January 2024, an applicant, seeking a position as a Senior Data Discovery and Enrichment Expert, disclosed a past criminal charge for theft in 2001, which had been expunged. Despite this, the employer extended a 9-month contract offer contingent upon background checks. However, after discovering additional historical convictions, including theft and fraud, the employer retracted the offer. The applicant, rightfully concerned, pursued legal action citing unfair dismissal and discrimination. In a victory for fair employment practices, the Labour Court ruled in favour of the applicant, highlighting the irrelevance of past convictions to the job at hand. Consequently, the employer was ordered to honour the original offer, with adjustments for time elapsed. This case underscores a crucial point: when considering candidates, employers must evaluate the relevance of past convictions to the job role. For more insights into this case and its implications for employment law, check out my latest newsletter article below. #EmploymentLaw #FairOpportunity #LegalInsights Global Business Solutions SA Grant Wilkinson John Botha
-
🇦🇹📑Background checks are important for companies, but conducting them requires strict adherence to the #GDPR. The recent decision of the Austrian DPA (DSB) of 11 November 2025 offers valuable guidance on how employers should handle information about criminal convictions during recruitment and how they must respond to deletion requests from applicants.

❌The case concerned a candidate who, during a hiring process, informed the employer that she had a criminal conviction and submitted an official extract from the criminal register. The HR department then forwarded the conviction details to several managers involved in assessing whether she could be hired. Shortly afterwards, the candidate was rejected. She then asked the company to delete all her personal data. Although the employer later confirmed that the deletion had occurred, an internal HR email containing the details of the conviction remained in the system.

❌The DPA upheld the complaint about the right to erasure. It found that the employer had not fully complied with the August 2024 deletion request. The justification offered by the company, namely that the email had to be retained in case of potential future legal disputes, was rejected. Under the GDPR, controllers may retain personal data for the purpose of defending legal claims only when litigation is already underway or clearly foreseeable. A vague possibility of a dispute in the future is not enough. The DPA therefore ordered the company to delete the remaining email within two weeks.

❌However, the DPA dismissed the complaint regarding the alleged breach of confidentiality. It held that the employer had a legitimate interest under Article 6(1)(f) GDPR, supported by the relevant provisions of Austrian national law, in examining whether the candidate’s conviction affected her suitability for the role. The DPA considered internal sharing of this information necessary and proportionate.

❌The reasoning emphasised that the candidate had herself disclosed the existence of the conviction and had submitted the criminal-record extract, so it was objectively foreseeable that managers directly involved in the hiring decision would need to review it. The DPA also clarified that criminal-conviction data falls within a special category of personal data regulated by Article 10 of the GDPR, meaning that private employers may process such data only when national law expressly allows it and when strong safeguards are in place. #privacy #HR #employees
-
He was fired by a top Fortune 500 bank holding company while his wife was pregnant. Because he couldn't prove he worked at a school in China nine years earlier. He was hired in April 2022. During his interview, he discussed his work experience in China— teaching business English in 2013. HR asked if he could provide proof of that employment. He said he'd try to contact the school. The problem? The school in China didn't have an email address or readily available contact information. Teaching there meant delivering a 40-minute class and getting paid—usually in cash. No tax reports. No official employment documentation. Communication happened through WeChat because WhatsApp and Facebook are blocked in China. The teacher who hired him in 2013 no longer worked at the school by 2022. Then HR questioned why his start dates on his resume didn't match their records. He explained: he started part-time on probation, then was promoted to full-time. Despite his explanation, HR told him to hand in his badge. He was terminated. No warning. He'd just returned to the United States after many years abroad. His wife was pregnant. He didn't know where to turn or what questions to ask. This is why understanding your employee rights matters, before you're in a crisis. Background verification processes can become weapons against employees who've worked internationally, especially in countries with different record-keeping systems. Instead of working with employees to verify hard-to-document international work, some employers use incomplete verification as grounds for termination. My client did nothing wrong. He was honest about his work history. He tried to verify it. But they fired him anyway. 
If your employer is demanding documentation you can't reasonably provide:
- Document everything in writing
- Ask HR to clarify exactly what's required and whether alternatives exist
- Request reasonable time to obtain international records
- Consult an employment attorney before signing anything

Your rights don't disappear just because verification is complicated.
-
California may be moving beyond when employers can consider criminal history and toward how those decisions are explained. Two bills, AB 2064 and AB 2095, point in that direction. AB 2064 would treat criminal history more like a protected characteristic under California law, placing it alongside categories like race, disability, and gender. It also reinforces the expectation that employers can show a clear, job-related reason when they rely on criminal history in a hiring decision. AB 2095 focuses on the process itself. It would require employers to identify job duties that could relate to disqualifying convictions before a background check, prohibit self-disclosure of criminal history, and require individualized assessments to be documented in writing. Taken together, the shift is subtle, but important. It’s no longer enough to identify a conviction and follow the required steps. Employers may need to explain how that conviction relates to the job and why it supports the decision. That has real implications for job descriptions, adjudication guidelines, and how hiring decisions are documented. I break this down in more detail in my latest Forbes article: https://lnkd.in/gZ-D3bKx #EmploymentLaw #HRCompliance #BackgroundChecks #FairChanceHiring #CaliforniaLaw
-
A “confidential” HR reference that turned into a breach worth Kes.250,000/=.

Many employers still treat reference checks as behind-the-scenes conversations. But under the data protection law there is no such thing as a “confidential” reference when it comes to an employee’s personal data. Whilst background checks are lawful, there are parameters within which they must be carried out.

The law requires that:
i. The prospective employer must obtain clear, specific and written consent from the employee before conducting any background check.
ii. The employee must be informed of what specific data will be collected, e.g. academic records, performance reviews, criminal history etc.
iii. A referee must confirm that consent exists before sharing any information.
iv. Most importantly, the employee has a right to access any personal data shared about them.

In this particular case:
i. A prospective employer conducted a background check (with consent from the employee).
ii. The former employer (referee) shared information that was adverse about the employee which led to the employee not being confirmed after probation.
iii. The former employer (referee) refused to supply the employee with the records it had provided to the prospective employer despite several requests.
iv. The ODPC fined the former employer (referee) Kes.250,000/= for infringing the employee’s right to access their personal data.

There is no exception for “confidentiality” when it comes to a data subject’s rights to access information that pertains to them. As a matter of fact, the law requires that such requests be complied with within 7 days.

Reference checks are not just HR practice; they are data processing activities governed by law.

#DataProtection #HRCompliance #EmploymentLaw