Beware the fruit of the poisonous tree: Background checks and credit checks on candidates and employees under German law

By Sabine Feindura

Download article as PDF

Besides the documents attached to a job application, a phone call with a previous employer or tools such as Google, Facebook and LinkedIn enable employers to gather a great deal of information not only on the past and present career of a candidate but also on his or her personality and health. Indeed, smart employers and their HR managers undertake additional research before hiring or even inviting a candidate to a first interview. Some of them may be surprised to learn that German law lays down strict limits for such a practice.

Under German law, employees are entitled to a comprehensive reference letter at the end of an employment relationship or even before, e.g., after a change of manager or task. Consequently, the professional career of an employee in Germany is recorded thoroughly. According to the jurisdiction of German labor courts, these reference letters, together with the interview(s), should satisfy almost any legitimate information requirements of a potential employer.

Further information may only be collected from the candidate or with his or her prior consent, unless

(i) collecting the data from the candidate would require disproportionate effort (e.g., the candidate must not be asked for data publicly accessible in newspapers and public registers or on television or open websites) and

(ii) no overriding legitimate interest of the candidate is impaired (as would be for example, if a detective interrogated the candidate’s landlord).

According to the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), personal data on present or future employees may only be collected, processed and stored, if and as far as it is in the employer’s justified and legitimate interest. Every piece of information on an employee or candidate requested or otherwise collected must be necessary to assert his or her ability to perform the tasks assigned to the job. Any information on an employee may only be collected, processed or stored as far as it is necessary for the performance of the job.

Examination of references

Consequently, before recruitment, the employer is mainly restricted to reference letters from former and present employers and professional certificates attached to job applications. According to German jurisdiction, reference letters may not cite negative events, facts or characteristics of the employee but merely omit any comment on the ability of the employee. Moreover, the content of a reference letter is often agreed by the parties to a lawsuit as part of a settlement.

Inquiries by a previous employer

Although reference letters may not give a true and full picture of an employee, it is not advisable to call a former employer of a candidate as under German law any employer is bound by the wording of his or her reference letter and can be held accountable by the former employee if a job application is rejected due to negative information provided by the former employer that cannot be proven. As most of Germany’s employers are aware of data protection requirements and sanctions, to some extent they refer to their reference letters if contacted.

Internet research

Search engines like Google and Yahoo are considered to be generally accessible sources and therefore using them is basically permissible to collect data. However, the employer is only allowed to use and save information from search engines that might be relevant for the hiring decision.

Research into the person on web pages of the present employer is legitimate as far as the information concerns professional data or soft skills necessary for the job. If other than professional data is found, concerning, for example, lifestyle, sexual orientation, extracurricular activities or product preferences, the employee’s right to privacy may outweigh the interest of the future employer to gain and use or save such information and may thus be illegitimate.

Platforms for business networking (e.g., Xing, LinkedIn) may be used to gather predominantly professional data. Although this information is not generally accessible (if registration is necessary), data collection is only legitimate as far as it provides information about whether the person is qualified for the position or not.

Given that recreation-oriented social networks such as Facebook provide their services mainly for private purposes, such data is not generally accessible. Even if the network does not provide terms and conditions that explicitly emphasize its private purpose, the employee’s interest must be respected and clearly outweighs the employer’s interest in collecting such personal data.

Review of the financial situation

The employer may only request financial information from candidates and employees if and as far as particular features of the job actually require such information (e.g., for employees with authority for online banking or substantial dealings with cash, bookkeepers, corruption risk).

Employers do not have access to information provided by the German credit data set. Only the employee may request and forward it to his or her future or present employer. But unless the position includes substantial risks as described above, the employee may not be sanctioned if he or she refuses to provide such information.

Criminal background

In Germany, criminal offenses committed by citizens are recorded in a public register. Employees and some employers (e.g., public employers, kindergartens, nursery schools) may request a copy of the employee’s record (Führungszeugnis). It lists only serious offenses after final conviction and is issued to the concerned citizen by local police authorities. As it may include more information than necessary for a job, it is rarely allowed for employers other than those named by law to ask the employee to present such a reference (e.g., banks if they hire employees dealing with cash).

Participation of the works council

Where a works council has been elected, its consent is required for forms to be distributed to and filled in by applicants, as well as for evaluation principles and some assessment procedures.

Employee’s consent

Even the employee’s consent does not enable the employer to collect data on the employee. Such consent is only effective if it is the employee’s own decision. Any applicant interested in a job will grant his or her consent no matter if he or she is happy to be checked. Thus it is not advisable to count on the effectiveness of the employee’s consent.

Deletion of data

According to Germany’s General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz, AGG), the employer may be held accountable for discriminating against applicants. Therefore the applicant must assert his or her claim in writing within two months after the application was declined. Consequently, the employer is allowed to retain data concerning the applicant until he or she can be sure that claims cannot be raised anymore by the candidate. Employees’ data may be stored for as long as the employment relationship exists or claims arising from it can be raised.

Sanctions

If an employer declines a job application based on illegitimate background checks, the applicant may not claim for employment, but for compensation.

Furthermore, the infringement of provisions concerning the unauthorized collection of personal data constitutes an administrative offense. Such offenses can be penalized with a fine of up to 1300,000 or, in severe cases, even
imprisonment.

feindura@buse.de