
How OSINT Enables GDPR-Compliant Pre-Employment Background Screening
Background screening in the EU is possible under the GDPR but must be performed with a valid legal basis, proportionality and respect for data subject rights.
1) Choose the right legal basis
Common legal bases for recruitment screening are: consent (rarely ideal because it can be withdrawn), legal obligation (where specific law requires a check), or - most commonly - legitimate interests. When relying on legitimate interests, perform a balancing test and record the assessment. Guidance and precedent show legitimate interest is used widely for employment screening but must be documented. Source: cFIRST
2) Limit scope & apply data minimisation
Collect only what’s necessary for the hiring decision and the role’s risk profile. OSINT tools should be configured to surface role-relevant findings (e.g., public fraud convictions for a finance role), not exhaustive personal histories.
3) Be transparent and provide privacy notices
Inform candidates that checks will be performed, what categories of data will be processed, the legal basis, retention periods and how to exercise rights. Transparency reduces disputes and supports fairness.
4) Special categories & criminal conviction data
Processing criminal conviction data is subject to Article 10 GDPR and often requires specific national rules; in many jurisdictions employers must follow local criminal records procedures rather than raw scraping. Always check local law before using criminal conviction data in decisions. Source: Sterling
5) Record your balancing test and DPIA where relevant
A documented Legitimate Interest Assessment (LIA) and - if the processing is high-risk - a Data Protection Impact Assessment (DPIA) are strong compliance signals.
6) Rely on reputable OSINT sources & provenance
Use tools that record the source and timestamp for each finding, and prioritise official registers and high-confidence OSINT signals over anonymous forum noise. Having provenance supports accuracy and defence in case of challenge.
7) Allow candidate response & correction
If you find concerning information, give applicants an opportunity to explain or correct items before making an adverse decision.
8) Retention & deletion
Define short, role-based retention windows for screening data and delete raw OSINT snapshots that aren’t needed to justify hiring decisions.
9) Processor vs controller responsibilities
If you use a screening provider, clarify whether you (the employer) are the data controller and the provider the processor; set clear contracts with security and confidentiality measures.
10) Technical & organisational security
Store screening reports encrypted, restrict access, log access to sensitive reports and include screening in your NIS-2 organisational evidence if applicable. ENISA and NIS-2 guidance emphasise that organisational measures - including HR processes - are part of overall cybersecurity posture. Source: enisa.europa.eu
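As an added example, not code from the original article or any screening product, the Python below implements the controls from steps 6, 8 and 10 together: every finding must carry a source and timestamp, official registers rank above forum noise, report reads are logged, and raw snapshots are dropped under a role-based retention window. The retention windows, confidence tiers and field names are assumptions, not legal guidance.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Role-based retention windows in days (constructed sample values, not legal guidance).
RETENTION_DAYS = {"finance": 180, "default": 90}
# Step 6: official registers outrank anonymous forum signals (assumed tier names).
CONFIDENCE_RANK = {"official_register": 0, "verified_media": 1, "anonymous_forum": 2}


@dataclass
class Finding:
    candidate_id: str
    source: str                         # provenance: register name or URL it came from
    observed_at: datetime               # provenance: when the OSINT tool saw it
    confidence: str                     # one of CONFIDENCE_RANK
    summary: str                        # the role-relevant fact reviewers actually see
    raw_snapshot: Optional[str] = None  # raw capture; first thing deleted under retention
    used_in_decision: bool = False      # only such findings outlive the retention window


@dataclass
class ScreeningStore:
    role: str
    findings: list = field(default_factory=list)
    access_log: list = field(default_factory=list)

    def add(self, f: Finding) -> None:
        # Provenance is mandatory: refuse findings without a source, a timezone-aware
        # timestamp, or a known confidence tier.
        if not f.source or f.observed_at.tzinfo is None or f.confidence not in CONFIDENCE_RANK:
            raise ValueError("finding lacks source, tz-aware timestamp or known confidence")
        self.findings.append(f)

    def read(self, user: str, candidate_id: str, purpose: str) -> list:
        # Step 10: every access to a sensitive report is logged with who, whom and why.
        self.access_log.append((datetime.now(timezone.utc), user, candidate_id, purpose))
        hits = [f for f in self.findings if f.candidate_id == candidate_id]
        return sorted(hits, key=lambda f: CONFIDENCE_RANK[f.confidence])  # official first

    def purge(self, now: datetime) -> int:
        # Step 8: snapshots not needed to justify a decision go immediately; once the
        # role's window has passed, unused findings are deleted whole and findings
        # that justified a decision keep only summary and provenance. Returns deletions.
        limit = timedelta(days=RETENTION_DAYS.get(self.role, RETENTION_DAYS["default"]))
        kept, removed = [], 0
        for f in self.findings:
            expired = now - f.observed_at > limit
            if not f.used_in_decision or expired:
                f.raw_snapshot = None
            if expired and not f.used_in_decision:
                removed += 1
            else:
                kept.append(f)
        self.findings = kept
        return removed
```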
OSINT can be a fast, lawful and proportionate way to screen candidates - when it’s used with documented legal bases, minimisation, transparency and proven source-tracking.