Conditions for screening

If, as an employer, you are going to screen an applicant or employee, you will be processing personal data of this applicant or employee. This means that the General Data Protection Regulation (GDPR) and the GDPR Implementation Act (UAVG) apply. As an employer, you are responsible for ensuring that the screening process fully complies with the requirements of these acts.

Most important reasons for screening

The most important requirements under the GDPR and GDPR Implementation Act are:

  • You have a legitimate interest (legitimate reason) for screening. Your legitimate interest in screening will usually be that you must be able to trust that your (future) employees are honest and reliable. The exception is screening that is required by law: in that case, no legitimate interest is needed. Note: consent of the applicant or employee is not a valid legal basis for screening.
  • Screening is necessary. This means, among other things, that you cannot achieve your purpose by means other than screening.
  • You inform the applicant or employee about screening. You inform them in advance that screening is taking place. You indicate why screening is necessary, which data are examined and why those data are relevant to the position. Afterwards, you communicate the results of the screening process.

Other conditions for screening

In addition, you must meet the following conditions under the GDPR and the GDPR Implementation Act:

  • You will not use the data obtained from the screening process for any other purpose.
  • You do not retain the data longer than necessary for the purpose of screening.
  • The data from the screening process are sufficient and relevant, and you do not collect more data than necessary.
  • You properly secure the data.
  • You assess whether you have to carry out a data protection impact assessment (DPIA). Screening is data processing with a high privacy risk.
  • If the DPIA shows that the envisaged screening entails a high risk, and you are unable to find measures to mitigate this risk, you have to consult with the Dutch Data Protection Authority (DPA) before you start screening. This is called a prior consultation.

Note: If, as an employer, you carry out pre-employment screening for clients, you may need a permit under the Dutch Private Security Organisations and Detective Agencies Act.

Determining the necessity for screening

As an employer, you determine whether screening is necessary by:

  • identifying the risks associated with the different job categories within your organisation;
  • finding out if you can mitigate the risks other than through screening.

Identifying risks

For each job category, you identify the job requirements and the specific risks involved. For example, positions in which staff work with confidential information involve the risk of this information being sold or passed on. Financial positions, for example, involve a risk of fraud, theft, embezzlement or bribery.

Mitigating risks

Once you have identified the risks, you must set up your organisation in such a way that you reduce the identified risks. This includes strict internal checks or the distribution of powers.

Good organisational measures can ensure that the risks for your organisation are completely removed. If this is not the case, screening applicants or employees may be necessary.

Consent not valid

If you do not have a legitimate interest in screening, and screening is not required by law, you are not allowed to carry out a screening process. You cannot circumvent this by asking for consent from the applicant or employee in question.

The screening of (future) personnel cannot be based on the legal basis of consent. The GDPR requires that consent must be freely given to be legally valid.

Applicants or employees are in a dependent position towards you as a (future) employer. As a result, they may feel pressured to give consent. In that case, consent is not given freely.

Outsourcing screening

As an employer, you may have screening carried out by another company, such as a private detective agency. Both you and this company must meet all statutory requirements for the screening to be carried out.

Criminal data

If the company requests criminal data from your (prospective) employees on your behalf, this is only allowed if the company has a permit under the Dutch Private Security Organisations and Detective Agencies Act. With such a permit, the company may process criminal data for a third party. In this case, that is you.

Criminal data during screening

Checking identity

If the company checks someone’s identity on your behalf, it must carry out the check on the basis of an original document. The screening company is not allowed to make a copy of the identity document.