Hey Google, tell me something about an applicant!

 Employers who google applicants must not lose sight of data protection.

Hey Google, tell me something about an applicant!

Employers may be tempted to conduct background research on applicants on the Internet during the application process. Data controllers need to bear in mind data protection, otherwise the company faces the risk of compensation payments.

Google, background research, and the GDPR

During the application process, employers sometimes use Internet search engines to find out more about applicants than is contained in their application.

While research into an applicant’s background using Internet search engines can be permissible, this only applies if the search is required for pre-contractual measures (Art. 6 (1) sentence 1 letter b GDPR) and milder means of obtaining specific information are not available.

Even then, when companies use search engines to conduct background research, the applicants must be informed about the personal data processed in the course of the research (Art. 14 GDPR).

“AGG hopper” fails during application process

A man had applied for a temporary position at a university where he would also have been responsible for duties such as the equal treatment complaints office.

An employee recognized the applicant’s name and a Google search revealed that the man had been convicted (ruling not yet legally binding) of fraud in connection with “AGG hopping”. He had submitted multiple fake applications with the aim of claiming compensation pursuant to the General Equal Treatment Act (AGG) if they failed.

For this reason, the university decided to reject his application and hire a woman who was also considered to have the more suitable professional qualifications.

Compensation demanded as per GDPR

When the man reviewed his application documents and discovered that his name had been googled, resulting in his rejection, he sued the university for compensation in accordance with Art. 82 of the GDPR. He argued that both the search engine research and the use of the findings obtained represented a breach of data protection. Not only had his name been researched using the Internet search engine but he had also not been informed afterwards that information about his conviction had been found via public sources as a result of the search engine research.

Googling yes but informing is mandatory

The Düsseldorf Higher Labor Court ruled that, in this specific constellation, it was necessary in order to carry out pre-contractual measures within the meaning of Art. 6 (1) sentence 1 letter b of the GDPR to google his name (Düsseldorf Higher Labor Court, decision dated April 10, 2024, Ref.: 12 Sa 1007/23).

Nevertheless, the court awarded the man compensation in accordance with Art. 82 (1) of the GDPR: The applicant should have been informed about the categories of personal data processed pursuant to Art. 14 (1) letter d of the GDPR because the search results, namely the knowledge of the criminal conviction, had been used and documented in the course of the selection process. The fact that the man had not been informed about the search and the use of the data reduced the applicant to “a mere object of data processing”. Accordingly, this justified compensation for non-material damage suffered.

What do employers need to consider?

Companies are moving on thin ice if they use search engines to perform background checks on applicants during the application process.

Even if there is a justifiable reason for a background search using internet search engines, the person concerned must be informed in exact detail about this afterwards. Otherwise, applicants can assert claims for compensation in accordance with the GDPR.

What can we do for you?

Do you have questions about the legal limits of background searches using search engines in application procedures? Do not hesitate to contact us!

Summary of the key facts:

  • If there is evidence legally justifying a background search on an applicant via Google, this is possible in compliance with the GDPR.
  • However, the data subject must be informed about the categories of personal data being processed, among other things.
  • The rules which applied using search engines in specific cases do not apply 1:1 to social media.