In a nutshell, failing to conduct a background check on a job candidate's professional history and qualifications can cost an organisation dearly: for example, when it has to part with a newly hired colleague who has dishonestly embellished their CV and is forced to begin another costly hiring process. Worse still, a candidate with nefarious intentions may be inadvertently hired: someone who wants to steal from the organisation, misuse its resources, data or information, or cause damage.
A systematic and appropriate process for vetting candidates is important not only for protecting an organisation's tangible and intangible assets, but also for meeting a range of regulatory obligations, ensuring due diligence by management, and obtaining or maintaining various ISO certifications.
What are the limits of a background check?
Everything has its limits. Even a background check.
The vetting of job applicants and the screening and monitoring of existing employees inherently involves extensive processing of personal data and encroachment on privacy. We are guided therefore primarily by the General Data Protection Regulation (GDPR) and the Labour Code.
Does this mean that background checks cannot actually be carried out? Absolutely not!
It is perfectly legitimate to check prospective and current employees, their work histories and other facts. And it is even legal to do so. The important thing is to be aware of your obligations, the rights of applicants and employees, and to conduct the process from start to finish in a regulatory-compliant and completely transparent manner.
What if we go too far in vetting candidates?
We will address the main requirements of the GDPR and the Labour Code in a moment. But first, let's answer the question: what is the risk to an organisation if it carries out the job applicant verification process in a haphazard, incorrect manner, fails to inform applicants or uses illegally obtained data?
There are several risks:
- Penalty: In extreme cases, for example where massive illegal surveillance of employees has taken place, violations of the GDPR are punishable by fines of up to EUR 20 million or 4% of the annual turnover of a company group.
Is this threat only theoretical? I wouldn't say so. Not far from us, in Germany, H&M has just been fined EUR 35.3 million by the local data protection authority for excessive monitoring, some would even say snooping, of its employees. Of course, in our country, the fine would probably be an order of magnitude less. But even a few million euros could be quite a high price to pay for wanting to know more about applicants and employees than is strictly necessary.
- Changing internal processes retroactively: The consequences of a violation of the rules do not have to be limited to a fine. The organisation may also be required to change or cease certain processes, and to destroy any illegally processed information. This has been done several times by the Czech Data Protection Authority.
- Unusability of illegally obtained outputs: Information about job applicants that has been obtained illegally is unusable in practice. And it can be very costly to reject an applicant or dismiss an existing employee on the basis of improperly gathered data. In addition to a fine, such an employer could face a claim for invalid dismissal or for compensation for non-pecuniary damage.
- Damaged reputation of the employer: Despite the turbulent economic and political situation in the Czech Republic, employees are still rather scarce, especially in some sectors. "Improving" your reputation as an employer by spying on job applicants or existing employees and finding out all sorts of things about them, and getting fined for it, will certainly not improve your position on the labour market.
Background check and GDPR
How to proceed?
How can you ensure that job applicant or employee screening is carried out in accordance with the GDPR?
The GDPR is a comprehensive regulation, so let's highlight its most important requirements:
- Establish and clearly describe the purpose of processing applicants' personal data.
- Find sufficient legal authority for processing data in the context of a background check. Sometimes the legitimate interest of the employer is sufficient. In other cases (more extensive background checks, certain sources of information or categories of data) the consent of the candidate concerned is required: informed, voluntary, and, above all, retrospectively verifiable consent.
- Determine the scope, manner and duration of retention of personal data collected. For these rules, the GDPR likes to employ the vague concept of "necessity". Personal data must be collected only to the extent necessary to achieve the stated purpose, retained only for the necessary period of time, etc. It may not always be easy to define and justify why a particular piece of data is actually necessary to verify an applicant for a particular job.
- Demonstrably inform job applicants and employees about the processing of their personal data.
- Take sufficient security measures, both technical and organisational, to ensure that the information obtained does not fall into unauthorised hands, whether outside the organisation or inside it.
- In particular, in the case of more extensive screening or monitoring of individuals (multiple individuals, larger data volumes, advanced tools for recruiting and assessing applicants and employees), the organisation may be required to appoint a Data Protection Officer.
- The entire process for processing personal data and protecting the rights of individuals needs to be documented so that the organisation can demonstrate its compliance with the GDPR requirements.
Verification of job applicants from the perspective of the Labour Code
The GDPR is not the only regulation that governs workplace privacy in employment relationships. The other, no less important, is the Labour Code. In fact, the Labour Code regulates some specific aspects or details that are not in the general regulation, the GDPR. And as a specific legal regulation, it even takes precedence over the GDPR in these parts.
By the way, did you know that the control of privacy protection in the workplace is not carried out by the Data Protection Authority (DPA), but by labour inspectorates? There are many more of them, they have local branches and more capacity. While the DPA carries out a total of 50 inspections per year (offices, hospitals, banks, e-shops, municipalities, schools), the Labour Inspectorate found 26 violations of legal rules for monitoring employees and job applicants last year alone. And it can also immediately issue a fine for such violations.
What does the Labour Code say about employee privacy?
First, it defines the categories of data that an employer may not request from job applicants or employees, nor obtain through third parties. This typically includes data on sexual orientation, church membership, trade union membership or political beliefs.
Certain other categories of data may be used by the employer, but **only if the employer can justify** its necessity in relation to a specific job, for example, information relating to family and financial circumstances or a criminal record.
The Labour Code also protects employees from unreasonable surveillance at work by, for example, cameras, monitoring of communications and internet activity, use of equipment on the job, etc. If an employer wishes to implement any of these practices, it must again be able to justify and document why it is necessary in the particular circumstances of the workplace. And it must directly and demonstrably inform the employees concerned.
Background check quickly, efficiently... and legally!
There is no shortage of legal requirements and conditions for performing a background check. Complying with and documenting these requirements in practice is not an easy task. This is especially true in companies where there is not much experience of HR compliance, or candidate screening, or where there are insufficient resources for doing so.
What to do?
Outsource these worries along with the entire background check. Engage the services of an experienced professional who specialises in job applicant verification and **can effectively deal with the requirements of the law**, and can also document his client's compliance with the relevant legal requirements.