Are reference checks still GDPR compliant in 2022?

Are reference checks still GDPR compliant in 2022?

How to execute a solid and compliant reference check?

Executing a solid and compliant reference check is the first step to ensure that you are hiring the right candidate for your organization. References are important because they can verify information that you might not be able to get from other sources or from a simple interview.

For the duration of an interview, you should never ask any questions about family or religion, but there are three main categories to keep in mind when talking with references: past job experience, performance, and character.

A solid reference check is important to understand your next colleagues' background. Think of it like you're asking for a friend's contact information in order to get in touch with them in the future.

There are many types of pre-employment screening including financial background checks, criminal records checks, driver's license records, education verification, and more. Employers use these screenings to ensure that prospective employees are not only qualified for the job they are applying for, but that they are trustworthy as well.

In Europe, for GDPR reasons most of the checks are offered by proof of records that the candidates are providing mainly on volunteer basis. For instance, usually the financial records check and and the criminal records check processes involve directly the candidate providing documents issued by financial or governmental institutions.

The only exception is made by the future provision from the employer fo a special clearance (i.e. security) or access to some very restricted places (i.e. airports).

What is left from this very limited list of possible screening for the future employer is usually the screening of past employment posts and also in this case usually this process is executed on references that the candidate him/herself provided.

Also the employer, should be very careful about what to ask and try to keep the information request:

  • Always covered by the candidate consent that is balanced and limited to some specific and mentioned fields or areas (specified in the famous art.4 of the GDPR);
  • Obviously together with it also a data collection and processing agreement with the candidate;

What is also important is that in the consent and agreement employers or future employers might be in a dominant role against the candidate and for this reason it is strictly needed to inform them about what you will do with the information they provide you.

The GDPR say that people have a right to be informed about the collection and use of their personal data, including for what purpose, who you will share it with and for how long you will keep it with a proper privacy notice.


Registering a candidate's consent can be done in written form or verbally, whichever is most appropriate for the hiring process currently in place. In the application process, if it happens digitally, it can be a little checkbox on alongside the privacy policy of the talent acquisition platforms and applicant tracking systems.

Once consent happened, you already passed a good first step but don't be tricked! It won't be enough to be GDPR compliant.


In the pre-employment as much as in the employment period, candidates are usually in a situation of unbalance of power because they could perceive or fear potential ripercussions on the success of the interview process not providing the "consent". For this reason, as already mentioned, consent is not enough!

Candidates and current employees are equally considered "employment data" and at the end will end up in the same big drawer (hopefully) of the sensitive data of the HR department.

Employment data covers the basis of legitimate interest but it needs to be matching some specific parameters:

  • Represent the public's interest;
  • Relate to informing a contractual decision;
  • Meet the industry standards;
  • Have reasonable privacy expectations (no personal questions, no questions that could lead to further discriminations, questions on topics that are not related strictly to the canidate's performance as an employee in the previos workplace).

A quick example of privacy infringement could be asking to a referee if they met the candidate also outside the workplace for different activities and how was it. Also the referee should pay some attention to mention some of the candidate's behaviours outside the workplace. Also, referees are not legally compelled to answer any of the questions. There are only few exceptions due to some industries where references are legally binding and/or some previous employment closed with a mutual agreement where the company commits to provide good references to future employers.

What if a candidate doesn't want to provide one or more referee? Or the referees don't answer or don't want to be involved. Can their potential next employer disqulify them?

This is a very wide and delicate topic. Usually for a talent acquisition professional these might look like some ringbells for a red flag and they usually get suspicious. In the best case, they just lose their genuine interest in the candidate. Whatever might be the reason for a lack of evidences in the screening and the reactions of the hiring party, one important element needs to be considered:

If you disqualify a candidate for not providing some information, the same request and relevance fo this information should have been made clear in advance.

In few words, there should be a hiring policy, HR policy or at least a mention on the job notice that the provision of references would be an essential requirement for the pre-selection or selection process.

This information can also be provided in a job offer or a pre-contractual phase and be binded to the provision of consistent and positive references.

Alright then, that's it? Is it enough?

It seems easier than it is but you need to pay attention to the execution of the reference check because the candidate could still appeal to the fact that during the reference check, the potential employer could have obtained more information that the legitimate interest allows and therefore made a decision to not hire him/her.

Should I disclose what referees said regarding a candidate to the candidate?

By GDPR, this is an information regarding them that you possess and they can ask about it in every moment although you should pay attention to disclosing only relevant topics and parts of the feedback (i.e. in the hiring of a Finance Manager: "Yes, he said you are a hardworker and always insisted on the importance of executing more Controlling in the process").

I was called as a referee, what should I say?

It is very surprising how generally people thinks that average reference checks are very short, brief and superficial and this is true especially for young managers or those who are not used to give tons of references per year. People called as referees, usually tries always to give better insights and a 360 degree background of the person. In many cases, they don't even let the interviewer talk and try to anticipate their questions. This is a very dangerous habit that can take to disclosing even some small details that can contribute to create more bias in a recruitment process. The best behaviour is to focus on the specific questions of the interviewer that generally are not more than 3. Don't get tricked by the potential last question "anything to add"? They don't want to know if the candidate is a nice person or comes from a good family. Often this question is impacted by some emotional bindings the referee has with the candidate. At RED. Recruitment, our best advice to referees is to focus on tasks and grade the skills based on the candidate previous job role and description.

young lady checking details in a microscope


Let's make a practical example with Balint, a Sales Manager in the B2B IT industry.

Reference assessor question:

Balint told us he used to work with mixed KPIs, Revenue and Profit target. What was his average performance during his job at XY IT distribution company?

The right answer for a referee:

His average achievement was always above 80% vs. targets. In some months his team was impacted by internal fluctuation or seasonality but in many cases he has also shown significant overachievements compensating them.

Reference assessor question:

So you worked together at the same company for three years - is that correct?

The right answer for a referee:

(if you remember!) Yes, it was from 2018 to 2021. If you can't remember and we are really talking about some "past" dates just provide some generic time references.

Reference assessor question:

How was he managing his team?

The right answer for a referee:

If Balint was a good manager: He was great! Always motivated and mentored people with challenges and constantly tried to reward top performers. Obviously, he was involved also on the business and he had to focus also on numbers and not only on people. He had to report to Senior Management and did it also very precisely and with great presentation skills.

If Balint was bad at managing people: He always took care of APRs (Annual Performance Reviews) and collected the figures from the team and reported to Senior Management precisely.

Reference assessor question:

Anything to add?

We already answered to this question before. You can just add some considerations regarding the cultural fit vs. current / future workplace. Balint is coming from a corprorate environment and I think he will very much benefit from a startup environment at your company.


Please be aware there are nor right answers but for sure there are wrong ones, especially if you are trying to give to an unlucky colleague who was not so fortunate and got fired due to cost cutting, a second chance in their professional endavours. Here we just try to direct you towards compliant answers.


As you can see, there is no real negative feedback but in many cases the answers in a negative feedback are less qualitative and descriptive. Balint is described as per his job description and not for the additional efforts he put into his team's performances. This is a typical diplomatic approach that good assessors spot immediately in a conversation if they have some good empathy or some psychological studies in their background.

What we just described is a very common situation and leaving the reference check to a trainee at your company, a simple email request or a form in 90% of the cases wouldn't spot the difference within a top performing candidate and a candidate that would just cover the essentials of his duty list and get home as soon as possible.

Would you like to check some of the most common reference check questions? We prepared for you a pretty comprensive list in this article

Do you want to know why you should outsource your reference checks and why you should trust us on this delicate matter?

Do you want to find out how RED. Recruitment is so different in reference checks?

Visit our Outsourced Reference Checks Process page within our HR Solutions portal to find out how we put the referees' words under the magnifying lenses of a complex cutting edge AI processing sentiment and emotional analysis.