AI background checks and social-media screening of candidates
AI that screens candidates via social media or background checks quickly clashes with the GDPR: proportionality, special-category data and transparency. Add reliability risks (false matches) and discrimination through irrelevant private information.
Short answer: AI tools that "vet" candidates – via social media, news sources or automated background checks – quickly clash with the GDPR. The core questions are proportionality (is it really necessary?), special-category data and transparency. On top come reliability risks (confused identities, false matches) and discrimination through irrelevant private information. If the tool scores for suitability, the high-risk regime also applies.
Proportionality: is this allowed at all?
The GDPR requires processing to be necessary and proportionate. A broad social-media scan "to get a picture" almost never passes that test: you collect much private information unrelated to the job. Limit yourself to what is demonstrably job-relevant, and record the assessment – see GDPR in the workplace.
Special-category data: the biggest stumbling block
Social media often reveal health, religion, political opinion or sexual orientation – special-category personal data with a strict prohibition regime (Art. 9 GDPR). A tool that hoovers up such data processes categories you, as an employer, may almost never use for selection.
Reliability: the wrong person
Automated checks confuse people with the same name, pull up outdated or out-of-context information, and present it as fact. A rejection based on a false match is not only unfair but also legally risky.
Discrimination and transparency
Private information irrelevant to the job but correlated with a protected characteristic quietly introduces discrimination. And the candidate has a right to know they are being screened; an automated rejection also engages Article 22 GDPR.
What to do
- Test necessity up front: which job-relevant question does the check really answer?
- Limit the source and scope: no broad social-media sweep.
- Filter out special-category data and do not use it for selection.
- Have a human verify matches before attaching any consequence.
- Inform the candidate and offer a chance to respond.
A background check may cover risks, but it may not floodlight the whole person. The more the tool sees, the greater the chance you see something you may not use, and may not allow to weigh in.
Sources
- https://eur-lex.europa.eu/eli/reg/2016/679/oj
  Regulation (EU) 2016/679 (GDPR): necessity, proportionality, special-category data (Art. 9) and transparency when screening candidates.
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  Regulation (EU) 2024/1689 (AI Act): Annex III where the screening assesses or scores candidate suitability.