How do the 6 GDPR processing conditions relate to employment screening?

How do the 6 GDPR processing conditions relate to employment screening?

Our employment-screening expert, Mark Sugden, looks at the new processing conditions released under GDPR, and how they relate to employment screening

When GDPR (General Data Protection Regulation) comes into force on 25 May 2018 in Europe, the underlying premise of the new legislation is data must be processed fairly and lawfully.

For more information and guidance check our GDPR compliance plan or join our experts for FREE 15-minute webinar.

To categorise how data is processed, there are six processing conditions from which each company’s data controller must choose.

When a business is challenged by an individual or the Information Commissioner’s Office on why personal data has been processed in a particular way, the data controller must be able to advise which law the data is being processed with, and why.

Here are the six processing conditions in which data can be processed, from 25 May:

GDPR processing condition



Legal Obligation

“Processing is necessary for compliance with a legal obligation to which the controller is subject.”

A legal obligation can cover several processing operations carried out by the controller, so it may not be necessary to identify a specific legal obligation for each individual processing activity.

Businesses looking to employ a person to carry out regulated activity (working with children or caring for adults) is legally required to carry out a DBS check before making an offer of employment.

An employer has a legal obligation to ensure that a person has the right to work in the UK and so carries out a Right to Work check on an individual.

Legitimate Interests


“Processing is necessary for the purposes of the legitimate interests pursued by the employer.”

An employer, such as a courier company, may complete a basic Criminal Records Check on an employee (driver). This isn’t a legislative requirement, but could be deemed best practice as the employer may want to ensure the person is trustworthy. 

Businesses that employ HGV Drivers must ensure their employees have the correct permissions to drive the relevant vehicle type.

NB: Even where the Balance of Interests is clearly in favour of the employer the data controller should undertake a Legitimate Interests Assessment (LIA).

Contractual Obligation

“Processing is necessary for the performance of a contract to which the data subject is party.”

Contractual obligation is a valid condition where a contract is in place with the individual, and you need to process their personal data to comply with your obligations under the contract.

A company that undertakes an employment check in order to fulfil a contract with their customer, i.e. a recruitment firm providing a supply teacher to a school and undertaking a range of employment checks including a criminal record check. In this instance the recruitment firm will be contracted to assess the teacher prior to entering into a contract.

Employers who carry out pre-employment identity checks (where this is not a legal requirement) may be able to process under this condition.


“The data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

GDPR is more restrictive on the use of consent as a processing condition; in particular it seeks to ensure that consent is specific to distinct purposes of processing.

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.

To be compliant under GDPR, consent must be specific, granular and easy to withdraw. Consent should not be a precondition to receiving a service.

Employers will need to take extra care to show that consent is freely given, which is challenging as there is notable imbalance of power between an employer and a perspective employee.

Where an individual has to agree to an employer contacting a third party to obtain a reference before starting a new role.

NB: Whist a relevant factor, a customer asking for consent to carry out a check won’t always mean that this should be the primary reason for processing.

Where pre-employment checks are carried out, but not legally required, this could fall under ‘Contractual Necessity’ or ‘Legitimate Interest’

Public Interest

“Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

This ground will apply only where the task carried out is laid down in Union law or Member State law to which the controller is a subject (Article 6(3) and Recital 45)

A council checking the criminal record of prospective foster parents.

Vital Interests

“Processing is necessary in order to protect the vital interests of the data subject or of another natural person.”

GDPR extends the "Vital Interests" processing condition to other individuals (e.g. children of the data subject). The regulations suggest this condition may apply to processing that is necessary for humanitarian purposes (e.g. monitoring epidemics, disaster response).

GBG does not believe employment screening will meet this vital interests processing condition.

An example is where an individual is admitted to the A & E department of a hospital with life-threatening injuries following a serious road accident. The disclosure to the hospital of the individual’s medical history is necessary in order to protect his/her vital interests.

NB: It’s clear from the GDPR Vital Interests are intended to cover only interests that are essential for someone’s life. So this lawful basis is very limited in its scope, and generally only applies to matters of life and death.


And finally

Under GDPR, all data controllers must satisfy certain criteria in order to legally process personal data. As such, personal data may be processed only in accordance with one of the 6 Lawful Processing Conditions.

No single basis is considered ’better’ or more important than the others – which basis is most appropriate will depend on the reasons for processing and the Data Controller’s  relationship with the individual (Data Subject).

GBG’s customers are ultimately responsible for deciding which Lawful Processing Conditions apply to them and they must be ready to defend their decisions to an individual, a data supplier or the ICO if needed. 

For more information and guidance check our GDPR compliance plan or join our experts for FREE 15-minute webinar.

.red { fill: #b0013a; }