Candidate verification and GDPR: a guide for HR
Introduction
My biggest recruitment mistakes were failing to verify candidates’ employment history and references. I made these mistakes several times back when I was building my own recruitment agency.
Without verifying employment history and references, I hired, among others, a person who claimed years of experience at Company X in Position Y, when in reality they hadn’t even made it past the three-month probation period at that company.
Another example: a person we hired at our own recruitment agency. This person forged client confirmations of candidate placements in order to meet targets required for bonuses. The case ended up with the prosecutor’s office. As it later turned out, the person had a bad reputation at their previous recruitment firm.
These aren’t just my stories. I’ve heard plenty of cases from people who paid a high price for not verifying a candidate thoroughly before hiring them.
Yes, these are extreme cases that account for a small percentage of all hires. But they’re painful, they can happen to anyone, and they’re exactly the kind of thing we all want to avoid.
GDPR makes candidate verification harder
When GDPR came into force, it changed the legal reality in many areas of recruitment — including how you can verify a candidate’s employment history, check references, and test candidates for job fitness.
Before May 25, 2018 (when GDPR took effect), there was practically no debate about whether you could verify employment history, call a candidate’s previous employers, or ask certain questions in tests. If you wanted to verify, you verified. Nobody worried about penalties.
Since GDPR, the situation has changed dramatically — mainly because of the steep fines introduced by the new (and at the same time imprecise) regulations, and the lack of clear court rulings on how to interpret the ambiguous provisions.
So can you legally verify candidates’ employment history and collect references from previous employers? Can you legally test candidates and base hiring decisions on test results?
To answer these questions, we organized a webinar where Data Protection Officer Anna Zmijewska from Creativa Legal answered questions from me and the audience. This article is a summary of that webinar, with additional commentary.
Three candidate verification tools
You can use many different tools to verify a candidate’s suitability for a position. During the webinar, we focused on three that I consider particularly valuable — and which have become legally questionable since GDPR took effect:
- Verifying the candidate’s employment history
- Collecting references from the candidate’s previous employers
- Recruitment tests
Verifying employment history means confirming that the employment history presented by the candidate — usually in their CV — is truthful and complete.
Collecting references means asking the candidate to provide contact details for people at their previous workplaces who can share an opinion about their work. Alternatively, the candidate can provide pre-written references (e.g. on paper or on their LinkedIn profile). Note, however, that pre-written references may not address the specific questions a recruiter wants answered.
Candidate testing means verifying a candidate’s suitability through knowledge tests or psychometric assessments.
Verifying candidates’ employment history
Can an employer investigate a candidate’s employment history?
Under GDPR and local labor law, an employer can request information about a candidate’s previous employment if it’s necessary to assess their suitability for the position. The employer can also ask the candidate to document this history with appropriate evidence.
The law doesn’t specify what kind of documents should confirm the candidate’s history, so any documents that adequately serve this purpose — without collecting excess data — should be acceptable. Employment certificates or other written confirmations of previous employment seem like a reasonable method.
However, the law doesn’t clearly answer whether an employer can verify employment history by other means — for example, by independently contacting a previous employer or hiring a specialized verification firm.
According to our expert Anna Zmijewska, independent verification of a candidate’s employment history (or verification through a third party) can only be done with the candidate’s consent. For evidentiary purposes, this consent should be documented — for example, via email confirmation or a record in the recruitment system showing the candidate clicked the appropriate consent on an application form. If a third-party firm handles the verification, they can also obtain the candidate’s consent.
It’s worth noting that the data protection authority’s guidelines state that an employer can use information available on LinkedIn to confirm a candidate’s employment history. This is an exception stemming from the fact that LinkedIn’s purpose is sharing employment history and professional experience. Collecting personal data about candidates from other platforms, such as Facebook, is not permitted.
Additionally, the data protection authority states that a hiring decision must still be based on the candidate’s own statements, not on what’s found on LinkedIn.
Candidates can share sensitive personal data (such as ethnic origin, political views, health information, religious beliefs, etc.) only voluntarily. The employer should also have documented explicit consent from the candidate for processing such data.
As a side note, our expert Anna Zmijewska, who has experience working with international organizations, pointed out that other European countries tend to interpret GDPR less restrictively than Poland does in this area.
Summary of employment history verification:
- An employer can request documents confirming employment history (e.g. employment certificates).
- An employer can verify employment history on LinkedIn, but not on Facebook.
- An employer can, with the candidate’s consent, commission a third party to verify employment history.
References from previous employers
Can you contact a candidate’s previous employer for a reference?
Under current regulations and their prevailing interpretation, contacting a candidate’s previous employer can only happen with the candidate’s consent.
The consent can be given in any form, but we recommend documenting it for evidentiary purposes — for example, as an email from the candidate or as a saved application form where the candidate checked the consent box. If the candidate later changes their mind after a rejection and claims they never consented, documented proof becomes very useful.
If you use application forms with GDPR consents, make sure the consents are stored in a way that makes them easy to produce during an audit. Modern ATS systems automatically maintain a GDPR consent log for each applicant.
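To make the "documented, easy to produce during an audit" requirement concrete, here is an added example (not code from Element, the webinar, or any real ATS) of an append-only consent log. Each entry records which consent wording the candidate saw, where the consent came from, a pointer to the stored evidence (form snapshot or email), and a SHA-256 link to the previous entry, so that any later edit to a record is detectable. The purpose labels such as "reference_check" and the in-memory list are assumptions for illustration; a production system would persist the events and the evidence they point to.

```python
"""Append-only, tamper-evident consent log for recruitment consents.

Added illustrative example. Assumes an in-memory list of events; purpose
labels ("reference_check", ...) are hypothetical names chosen for the demo.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class ConsentEvent:
    candidate_id: str
    purpose: str               # hypothetical label, e.g. "reference_check"
    action: str                # "granted" or "withdrawn"
    consent_text_version: str  # which consent wording the candidate saw
    source: str                # e.g. "application_form", "email"
    evidence_ref: str          # id of the stored form snapshot or email
    recorded_at: str           # ISO 8601 UTC timestamp
    prev_hash: str             # hash of the previous entry (chain link)
    entry_hash: str            # SHA-256 over this entry's payload

    def payload(self) -> Dict[str, str]:
        d = asdict(self)
        d.pop("entry_hash")
        return d


def _digest(payload: Dict[str, str]) -> str:
    # Canonical JSON so the same payload always hashes the same way.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLog:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, candidate_id: str, purpose: str, action: str,
               consent_text_version: str, source: str, evidence_ref: str,
               recorded_at: Optional[str] = None) -> ConsentEvent:
        if action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        payload = {
            "candidate_id": candidate_id,
            "purpose": purpose,
            "action": action,
            "consent_text_version": consent_text_version,
            "source": source,
            "evidence_ref": evidence_ref,
            "recorded_at": recorded_at or datetime.now(timezone.utc).isoformat(),
            "prev_hash": self._events[-1].entry_hash if self._events else GENESIS_HASH,
        }
        event = ConsentEvent(**payload, entry_hash=_digest(payload))
        self._events.append(event)
        return event

    def verify_chain(self) -> bool:
        """True only if every entry hashes correctly and links to its predecessor."""
        expected_prev = GENESIS_HASH
        for ev in self._events:
            if ev.prev_hash != expected_prev or _digest(ev.payload()) != ev.entry_hash:
                return False
            expected_prev = ev.entry_hash
        return True

    def has_valid_consent(self, candidate_id: str, purpose: str) -> bool:
        """Latest event for this candidate/purpose decides; a withdrawal revokes."""
        granted = False
        for ev in self._events:
            if ev.candidate_id == candidate_id and ev.purpose == purpose:
                granted = ev.action == "granted"
        return granted

    def audit_export(self, candidate_id: str) -> List[Dict[str, str]]:
        """Everything an auditor would ask for about one applicant."""
        return [asdict(ev) for ev in self._events if ev.candidate_id == candidate_id]


def demo() -> Dict[str, object]:
    """Grant, withdraw, then tamper with a stored record (constructed sample data)."""
    log = ConsentLog()
    log.record("cand-001", "reference_check", "granted", "v2",
               "application_form", "form-snapshot-123", "2024-03-01T10:00:00+00:00")
    before = log.has_valid_consent("cand-001", "reference_check")
    log.record("cand-001", "reference_check", "withdrawn", "v2",
               "email", "msg-456", "2024-03-05T09:00:00+00:00")
    after = log.has_valid_consent("cand-001", "reference_check")
    intact = log.verify_chain()
    # Simulate someone editing the evidence pointer after the fact.
    log._events[0] = replace(log._events[0], evidence_ref="form-snapshot-999")
    return {
        "before_withdrawal": before,
        "after_withdrawal": after,
        "chain_intact_before_tamper": intact,
        "chain_intact_after_tamper": log.verify_chain(),
        "audit_records": len(log.audit_export("cand-001")),
    }
```

The point of the hash chain is not secrecy but integrity: if a record is altered or deleted after the fact, `verify_chain()` fails, which is exactly the property you want when a rejected candidate disputes whether they consented. Checking `has_valid_consent()` immediately before contacting a previous employer also covers the case where consent was later withdrawn.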
Can a previous employer’s opinion be grounds for rejecting a candidate?
According to our expert, the data protection authority could potentially challenge a hiring decision (e.g. rejection) based on a negative reference from a previous employer.
I admit it’s genuinely hard to predict how the authority would evaluate such a situation. But if it turned out that you can’t base your decision on a previous employer’s reference, then collecting these references would be largely pointless.
Of course, references from previous employers can be unfair to the candidate. The recruiter’s job is to conduct a thorough interview with the previous employer and assess how objective and useful the feedback actually is.
Do you need consent to process personal data of the person giving the reference?
If the candidate gave you contact details for a person at their previous employer, they’ve likely shared that person’s personal data (name, phone number, or email). What does the law say about processing this data?
In this case, you don’t need separate consent from the reference provider. You have a legitimate interest in processing this data, which is a standalone and sufficient legal basis under GDPR.
However, you still need to fulfill your information obligation toward this person — which, in my opinion, is a very impractical requirement (I hope either the legislature will modify the rules or the courts will establish more practical precedents).
The simplest way to meet this obligation is to send an email with a link in the footer to a document containing the required GDPR information.
Summary of references:
- You can only collect references from previous employers with the candidate’s consent.
- The candidate can provide contact details for a reference or submit pre-written references.
- For potential audits, it’s worth having documented consent. An ATS system can automatically collect and store these.
- According to our expert, a previous employer’s opinion should not be the sole basis for a hiring decision.
- You don’t need separate consent from the person providing the reference, but you do need to fulfill the GDPR information obligation toward them.
Recruitment tests
What types of tests are used in recruitment?
Recruitment processes generally use two types of tests:
- Psychometric tests
- All other tests
A psychometric test is, by definition, “a standardized and objectified measurement of a sample of behavior.” It allows you to infer how a person will behave in real-life situations based on their behavior in the testing situation.
Psychometric tests should be prepared and evaluated by qualified professionals.
Other tests include:
- Competency tests — assessing the candidate’s knowledge of topics related to the position
- Analytical tests — assessing the candidate’s ability to perform specific analytical tasks (calculations, text analysis, logical reasoning)
- Language tests — assessing foreign language proficiency
What tests can you give candidates during recruitment?
You can administer tests that assess the candidate’s ability to perform the specific work required by the position. Conversely, you should not test areas that are irrelevant to the job.
An important rule: psychometric tests must not assess the candidate’s mental health. For this reason, psychometric tests should be designed by professionals who ensure they don’t probe beyond what’s necessary for recruitment.
Are there any requirements for who can administer or evaluate recruitment tests?
For psychometric tests, preparation and evaluation should be done by people with appropriate qualifications. However, this doesn’t mean every psychometric test can only be administered by a licensed psychologist — it depends on the specific test and its potential impact on the person being tested.
For other tests, there are no formal requirements about who can create or evaluate them, though obviously it should be someone knowledgeable in the area being tested.
Do you need the candidate’s consent to administer tests?
For psychometric tests, we recommend obtaining explicit, documented consent from the candidate — via email or in writing.
For other recruitment tests, we agree that explicit consent is not necessary. The candidate’s act of taking the test is treated as implied consent, and this is sufficient.
Can test results determine a candidate’s fate in the recruitment process?
According to our expert, negative results from non-psychometric tests can be standalone grounds for rejecting a candidate. For psychometric tests, however, the expert says you should not reject a candidate based solely on test results.
Here again, I feel the regulations (or their likely interpretation by the data protection authority) don’t match the needs of recruitment processes. Employers invest resources in psychometric testing precisely so that results can inform hiring decisions. It’s worth noting again that Anna Zmijewska pointed out during the webinar that other European countries are less strict about this than Poland.
Is candidate testing the same as profiling?
Let’s start with GDPR’s legal definition of profiling.
Article 4(4) of GDPR says: “Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
The key phrase is “automated processing of personal data” — meaning in practice it involves computer algorithms.
Another important distinction is between ordinary and qualified profiling. Only qualified profiling requires separate consent from the candidate. Qualified profiling is profiling where:
- Decisions are based solely on automated processing, with no human involvement.
- The process produces legal effects or similarly significantly affects the person being profiled.
Can administering a test be considered automated decision-making? No, because the candidate answers the questions themselves, a human (not an algorithm) evaluates the results, and a human makes the decision based on those results (possibly along with other factors).
Can a candidate share test results with another employer?
In our view, a candidate cannot share test results with other employers without the consent of the employer who administered the test. The test may constitute the employer’s intellectual property. The employer purchased or created the test and holds certain rights over it (ownership, license, copyright).
Summary of tests under GDPR:
- Tests should only assess what’s necessary for the position in question.
- Standard tests don’t require explicit consent — taking the test implies consent.
- For psychometric tests, we recommend obtaining explicit consent.
- Psychometric test results should not be the sole factor in a hiring decision.
- Psychometric tests must not assess the candidate’s mental health, unless specifically required by law.
- Non-psychometric test results can be standalone grounds for a hiring decision.
- Tests evaluated by a human, where a human makes the decision, do not constitute profiling.
- A candidate cannot share test content or results without explicit consent from the employer who administered the test.
Additional questions
Is processing candidate data in an ATS system a form of profiling?
I’ve encountered the question of whether collecting data in an employer’s recruitment system (ATS) counts as profiling. I have no doubt that systems like Element don’t involve qualified profiling (which requires separate consent). But could ordinary profiling be occurring? In my view, it depends on the interpretation of the word “analysis” in the GDPR definition above. If analysis includes storing and displaying information, then yes — ordinary profiling occurs. If analysis means drawing conclusions from stored data, then in my view, not even ordinary profiling is happening.
Do the GDPR rules above also apply to candidates being hired on a B2B basis?
For candidates who will work as independent contractors (B2B), labor law provisions don’t apply. However, GDPR’s data minimization principle still does.
We recommend that even for B2B candidates, you only collect data that’s necessary for recruitment purposes and obtain consent for processing that data.
We note that there are still very few court rulings resolving many of the gray areas around GDPR compliance. Given this legal uncertainty, we recommend a cautious approach — applying similar rules regardless of the legal form of the working relationship.
Expert contact
For anyone interested in data protection support, I recommend contacting the experts at Creativa Legal directly:
- Email: office@creativa.legal
- LinkedIn: Creativa Legal
- Website: creativa.legal
Maciej Michalewski
CEO @ Element. Recruitment Automation Software