Important and/or distinctive aspects of recruitment legislation in Germany
Generally, the high standard of privacy protection under German law sets narrow limits for conducting background checks. The employer's legitimate interest in gathering personal data must be so great that the protection of the candidate's data rights is in comparison less important. Background checks via third parties are only allowed if the trustworthiness of the candidate is of particular relevance, and the candidate's knowledge and written consent will be required in any case.
We would recommend that employers provide detailed information to the candidate on the intended background checks to ensure cooperation.
The employer has a legitimate interest in knowing the identity of a candidate. Therefore, the candidate may be asked to provide an identification card (Personalausweis), social security number or certificate of birth. If the candidate does not provide these documents, the employer may decide not to hire the candidate.
Education and employment history
The employer may confirm a candidate's education history by requesting original documents (or certified copies) directly from the candidate. The employer may also contact schools, universities etc. if the candidate has given written consent. In the case of a breach, the candidate can claim damages. In addition, the German Data Protection Act provides for a penalty fee of up to EUR 300,000 in relation to unlawfully obtained and/or used personal data.
Potential employers may only demand limited information on a candidate's financial situation. Questions are only allowed if relevant for the advertised position. Credit checks conducted by the employer (e.g. asking SCHUFA for information) are not permitted under the German Data Protection Act.
If a works council exists, the works council has a right to be involved when general principles on background checks are established. This right applies to any formalised and/or standardised collection of information regarding candidates as well as existing employees. If a data protection officer is established under the Data Protection Act, they will also need to be involved when background checks are implemented.