Running background checks is a common and often critical part of recruitment processes and other business arrangements. Background checks on prospective employees or potential business associates help companies prevent insider threats, corporate espionage, and other serious threats that may harm the company, its employees, or its assets.
However, as background checks involve personal data processing, businesses must ensure that they remain compliant with applicable data protection laws. In this regard, a recent decision of the Swedish Authority for Privacy Protection (IMY), which allowed a private company (Company) to handle personal data relating to legal violations in certain cases, holds great significance.
The decision of IMY offers detailed insight into how personal data relating to individuals’ criminal history should be processed and what safeguards should be adopted to respect the data protection rights of the concerned individuals.
As per Article 10 of the GDPR, the processing of personal data relating to criminal convictions and offenses or related security measures is only permitted in the EU when it is carried out under the control of official authority or when such processing is authorized by the law of the EU or a member state, provided the rights and freedoms of data subjects are appropriately safeguarded.
In this respect, data processing should be lawful and based on one of the processing grounds specified in Article 6(1) of the GDPR, that is, consent of the data subject, performance of a contract to which the data subject is a party to, compliance by the controller with a legal obligation, protection of vital interests of the data subject or another natural person, performance of a task in the public interest or in the exercise of official authority, or pursuance of legitimate interests by the controller or a third party except where the rights of the data subject override such interests.
Due to an imbalance of power between an employer and an employee, the employee’s consent is considered an appropriate legal basis for the processing of personal data only in rare circumstances when the data subject is able to refuse consent without facing any consequences on his/her employment relationship.
In Sweden, the Act with Supplementary Provisions to the GDPR (SFS 2018:218) and the Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) are the two primary data protection legislations that incorporate GDPR in the domestic framework.
Section 9 of SFS 2018:218 specifies that an authority designated by the government may, in individual cases, decide that actors other than public authorities may process personal data relating to criminal convictions and offenses, as referred to in Article 10 of the GDPR. However, such a decision may be subject to conditions.
Further on, Section 6 of the SFS 2018:219 entitles the Swedish Authority for Privacy Protection (formerly the Swedish Data Protection Authority) to decide upon such matters. It is important to note that the IMY has clarified that the aforementioned conditions may include revocation clauses, time limits or requirements for re-reporting, or requirements relating to protecting the rights and freedoms of the data subjects.
The decision of IMY to allow a private company to process personal data relating to legal violations constitutes an important development under the GDPR and Swedish law. The permission granted by IMY extends to running background checks on prospective employees, potential customers, suppliers, or business affiliates.
IMY comments that in accordance with the mandate of the Swedish government, IMY should only reject requests filed for the processing of personal data relating to legal violations where such processing is incompatible with data protection laws, specifically the principles of lawful data processing as specified in Article 5 of the GDPR and the requirement for a lawful basis of data processing. In all other instances, permission should be granted, albeit it may be qualified by certain restrictions to protect the rights and freedoms of data subjects.
In its decision, IMY upholds the following legal principles:
- The Company is deemed to be a data controller in accordance with the GDPR, as it determines the purposes and means of the processing of personal data when running background checks by making key decisions on which information should be looked into, from where it should be collected, and how it should be processed.
- The Company cannot rely on consent as a basis for the processing of personal data relating to legal violations. This is because many job seekers or potential business affiliates may consent to the processing of their personal data in order to not miss out on a professional opportunity - thus negating the ‘voluntary’ component of consent.
- The Company has a legitimate interest in being able to provide background checks service to its clients as long as the latter’s interest is justified.
- The data subjects’ privacy interests do not outweigh the justifiable interests invoked by the Company, as it is of great importance for business entities not to hire any unsuitable individuals or enter into unsuitable business arrangements.
- An entity may only pursue background checks on prospective employees where the position for which the individual has applied can be used to commit similar crimes or has a decisive significance for such a person’s suitability for the role. Similarly, background checks on potential business partners may only be sanctioned where the legal violation in question, taking into account the position of the concerned person, has decisive importance for the suitability of the planned transaction. The Company should adhere to the following conditions while performing background checks in different contexts.
- While performing background checks on a business’ suppliers and customers, the Company should:
- only perform a background check where the relationship between the business and its suppliers/customers is such that it can have a significant impact on the business's reputation, security, or finances;
- only assess people in senior positions or with a controlling influence in the concerned entity;
- only register such legal violations which by their nature are such that they could negatively affect the relationship between a business and its customer/supplier, or the reputation of the business in the relevant industry or the society; and
- only assess those suppliers who can independently gain access to and move freely in the Client's premises or gain access to equipment with a high financial value or can cause serious damage if misused. In this respect, the Company should only check for such legal violations as allowed for individual jobseekers or consultants.
- While performing background checks in the context of the acquisition of a legal entity, the Company should:
- only record personal data of such individuals who hold senior positions or have a controlling influence in the operations of the target company, and the background check should be carried out to the same extent as done for potential employees;
- with respect to transferring shareholders, only record offenses that are of such a nature that they could negatively affect the relations between the client and the inspected persons or the client’s reputation in the society or the industry in which they operate; and
- only perform background checks on such shareholders in the target company who are intended to have a direct or indirect shareholding after the acquisition, and only record such offenses which could negatively affect the client’s reputation in the society or the industry in which they operate.
- While performing background checks in the context of the disposal of a legal entity, the Company should:
- Only perform background checks on persons in senior positions or with controlling influence in the acquiring company; and
- Only record information about such offenses which, by their nature, could negatively affect the relations between the client and the inspected persons or the reputation of the client in society or the industry in which they operate.
- While performing background checks on a business’ suppliers and customers, the Company should:
- Only such categories of legal violations should be recorded in background checks that are relevant to the position/job an individual is applying for. For example, fraud and economic crime, tax crimes, and embezzlement are relevant for important white-collar positions. However, IMY also specifies that particular offenses under Swedish law are relevant for background checks concerning all positions, such as organized crime.
- The Company should not record any information relating to an offense that has become irrelevant in the present context due to the amount of time that has elapsed since the offense was committed. The Company should also not report to its client any criminal records which have been deleted in accordance with the law.
The decision of IMY sets an important precedent in relation to the processing of personal data relating to legal violations by private entities. The decision offers significant safeguards for data subjects while also respecting the legitimate interests of business entities. Therefore, the decision also adds to the jurisprudence on balancing the legitimate interests of data controllers against the rights and freedoms of data subjects.
Moreover, the decision offers helpful guidance to businesses if they intend to conduct background checks on potential employees or business associates so they can prioritize their business interests while also protecting the data protection rights of the concerned individuals.