Compliance · May 29, 2026 · 3 min read

Employment Background Checks: The Legal Floor in EU, UK, US, and Georgia

What you can ask, what you must disclose, and how long you can hold the results vary more across jurisdictions than any other piece of the hiring stack.

By HourSquare Compliance Desk · HourSquare team

Employment background screening is one of the most jurisdictionally divergent pieces of the hiring workflow. The same check that is routine in one country is illegal in another. For employers hiring across borders, the rules need to be read country by country before the first reference call goes out.

The EU and UK floor under GDPR

Under the EU GDPR (Regulation 2016/679) and the UK GDPR (substantively similar), background checks must:

  • Be based on a lawful ground (typically legitimate interest or, for criminal records, an explicit legal basis under Article 10)
  • Be proportionate to the role — credit checks for non-financial roles rarely survive proportionality review
  • Inform the candidate before the check runs, including the categories of data and the sources used
  • Respect retention limits — results held no longer than necessary, often deleted post-decision for unsuccessful candidates

The UK's ICO guidance on recruitment and selection data is the most operationally detailed regulator reference; Spain, France, and Germany's national data-protection authorities have issued comparable but stricter guidance.

Criminal record checks — the largest divergence

  1. UK — Disclosure and Barring Service (DBS) operates Basic, Standard, and Enhanced checks. The role's regulatory category determines which level is available. The Rehabilitation of Offenders Act 1974 limits what spent convictions must be disclosed.
  2. Germany — Employers can request a Führungszeugnis (police certificate) but cannot run criminal-record checks via third-party agencies in the way US employers can.
  3. France — Criminal-record checks are restricted to specific regulated roles; the Bulletin n°3 is the relevant document for general roles.
  4. Netherlands — Certificate of Good Conduct (VOG) required for certain roles; cannot be denied on the basis of unrelated offences.
  5. United States — Background checks are governed by the Fair Credit Reporting Act; "ban the box" laws in 37+ states restrict when criminal-history questions can be asked.
  6. Georgia (country) — Criminal records are obtainable via the my.gov.ge portal; restrictions apply on use in hiring outside regulated sectors.

Credit checks, social media, and reference calls

Three commonly misunderstood mechanics:

  • Credit checks — typically only justifiable for roles with material financial responsibility. The US FCRA requires written authorisation; most EU jurisdictions require very strong necessity justification.
  • Social media review — broadly permitted on publicly available information in most jurisdictions but creates risk of unlawful discrimination because protected characteristics surface in the review. Best practice: a designated reviewer not involved in the hiring decision documents only role-relevant findings.
  • Reference calls — require the candidate's consent under GDPR. In Germany, the prior employer is restricted to a "kindly worded" reference unless the employee has consented to a frank one.

For ATS-side capture, see our applicant tracking system glossary entry; for the underlying privacy regime, see GDPR for HR.
