Social Media Background Checks

The widespread use of social media has led to an increasing trend among employers to conduct social media checks as part of their recruitment process. However, employers must be aware of the GDPR and FCRA implications of such checks, which set out strict rules for the processing of personal data, including data collected from social media checks. Employers must ensure that social media checks are conducted in a lawful, fair, and transparent manner and that the data collected is relevant, accurate, and necessary.

GDPR and FCRA implications of Social Media Background Checks

In today’s world, social media has become an integral part of our lives, and many of us use social media platforms to share personal information, opinions, and views. However, the widespread use of social media has led to an increasing trend among employers to conduct Social Media checks as part of their recruitment process.
While Social Media checks can help employers gather information about a candidate’s character, qualifications, and work history, it is essential to be aware of the General Data Protection Regulations (GDPR) and the Fair Credit Reporting Act (FCRA) implications of such checks. The GDPR and FCRA sets out strict rules for the processing of personal data, including data collected from Social Media checks.

Personal Data

Social Media checks involve an employer or other organization gathering information about a person from their social media profiles, which can include sensitive personal data. Firstly, it is important to understand what is meant by personal data. Personal data includes any information that can be used to identify a living individual, such as their name, address, email address, or even their IP address. Additionally, the GDPR also includes special categories of personal data, such as race, ethnicity, political opinions, religious beliefs, health data, and sexual orientation.

When conducting Social Media checks, employers are likely to gather personal data from a candidate’s social media profiles. This data could include their name, age, gender, location, employment history, education, and other personal information such as political views, religious beliefs, or health-related information.

Personal data must be processed lawfully, fairly, and transparently. This means that the person whose data is being processed must be aware of the processing and have given their consent for it to take place, or the processing must be necessary for a legitimate reason, such as for the employer to carry out their duties.

Legitimacy

When it comes to Social Media checks, an employer must have a legitimate reason for conducting them. For example, an employer may want to verify a candidate’s work history, or assess their character or cultural fit. However, employers must ensure that the information gathered is relevant, accurate and not excessive. They must also inform job candidates that they plan to conduct social media checks and explain why they are necessary.

Data Integrity

Employers must ensure that they process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Ensuring your supplier is accredited to standards e.g. ISO27001 and ISO27701 provides a good level of confidence.

Employers must keep personal data secure, only keep it for as long as necessary and not to use it for any purposes other than those for which it was collected. This means that employers cannot use Social Media checks to discriminate against candidates based on their race, gender, age, sexual orientation, or any other protected characteristic.

FAQs on GDPR and FCRA implications of Social Media Background Checks

Q: What is the GDPR, and how does it relate to social media background checks?

The GDPR is the General Data Protection Regulation, a European Union regulation that governs the protection of personal data. It relates to social media background checks when employers process personal data from social media platforms during the hiring process.

Q: Do GDPR regulations apply to all social media background checks, or only those involving EU citizens?

GDPR regulations apply to social media background checks that involve the personal data of EU citizens, regardless of where the employer is located. If the checks involve candidates from the EU, GDPR compliance is mandatory.

Q: Can employers conduct social media background checks without explicit consent from the job candidate under the GDPR?

No, employers must obtain explicit consent from job candidates before conducting social media background checks. Consent must be freely given, specific, informed, and unambiguous, as per GDPR requirements.

Q: Are there any specific guidelines on data retention periods for social media background checks under the GDPR?

While the GDPR does not provide specific data retention periods, employers should only retain social media data for as long as necessary to fulfill the purpose for which it was collected. They must establish clear retention policies and delete data once it becomes irrelevant.

Q: Can employers use automated decision-making based on social media data without violating the GDPR?

Employers can use automated decision-making based on social media data, but they must ensure it complies with the GDPR’s principles, such as transparency and the right to human review of automated decisions.

Q: Can candidates request access to the social media data obtained during the background check process under the GDPR?

Yes, candidates have the right to request access to the personal data collected from social media background checks. Employers must provide this information upon request, along with details of how the data was processed.

Q: Can social media data obtained during background checks be shared with third parties under the GDPR?

Social media data obtained during background checks can be shared with third parties only if there is a lawful basis for such sharing and if the candidate has been properly informed about it.

Q: What specific disclosures must employers provide to candidates under the FCRA when conducting social media background checks?

Under the Fair Credit Reporting Act (FCRA), employers must provide a clear and separate disclosure to candidates before conducting social media background checks. The disclosure must inform the candidate that the check may be used for employment decisions and must obtain written consent.

Q: Can employers use information obtained from social media checks to make “adverse employment decisions” under the FCRA?

Yes, employers can use information from social media checks to make adverse employment decisions under the FCRA, but they must follow specific procedures outlined in the law. This includes providing the candidate with a pre-adverse action notice and allowing them time to dispute the accuracy of the information.

Q: How long can employers retain social media data obtained during background checks under the FCRA?

The FCRA does not specify a specific data retention period for social media data. However, employers are encouraged to retain the data only for as long as necessary and in compliance with other relevant laws.

Q: Can job candidates dispute the accuracy of social media data used in background checks under the FCRA?

Yes, job candidates have the right to dispute the accuracy of social media data used in background checks under the FCRA. Employers must provide a process for candidates to dispute any inaccuracies and correct the information if necessary.

Q: Can social media background checks be conducted on current employees under the GDPR and FCRA?

Yes, social media background checks can be conducted on current employees, but employers must ensure that they have a legitimate reason and comply with relevant GDPR and FCRA regulations. Consent or a legitimate interest must be established before conducting such checks.

Q: Can employers use publicly available social media data without obtaining consent under the GDPR and FCRA?

Yes, employers can use publicly available social media data without obtaining consent, as long as the data is legitimately obtained and used for lawful purposes, and it complies with applicable GDPR and FCRA guidelines.

Q: How should employers inform job candidates about the social media background check process under the GDPR and FCRA?

Employers should provide clear and transparent information to job candidates about the social media background check process. This includes disclosing the types of data they will collect and how they will use it, ensuring candidates are fully informed.

Q: Are there any restrictions on the types of social media data that employers can collect under the GDPR and FCRA?

While there are no specific restrictions on the types of social media data that can be collected, employers should only gather data that is relevant and necessary for the job-related purpose and avoid collecting sensitive or irrelevant information.

Q: Can social media background checks be outsourced to third-party vendors under the GDPR and FCRA?

Yes, social media background checks can be outsourced to third-party vendors, but employers must ensure that the vendors comply with GDPR and FCRA requirements and protect the privacy of the candidates’ data.

Q: Can employers use social media data to discriminate against candidates based on their race, religion, or other protected characteristics under the GDPR and FCRA?

No, employers cannot use social media data to discriminate against candidates based on protected characteristics under the GDPR and FCRA. Such practices are strictly prohibited and can lead to legal consequences.

Q: Can social media background checks impact a candidate’s right to be forgotten under the GDPR?

Yes, if a candidate requests their data to be deleted under the right to be forgotten provision of the GDPR, employers must comply and remove any social media data obtained through the background check process, provided there are no legitimate reasons to retain it.

Q: What should employers do if they find misleading or false information about a candidate during a social media background check?

If employers find misleading or false information during a social media background check, they should not use it to make hiring decisions. Instead, they should inform the candidate and provide them with an opportunity to clarify or dispute the information.

Q: Can employers use automated tools or algorithms to process social media data during background checks under the GDPR and FCRA?

Employers can use automated tools or algorithms to process social media data during background checks, but they must ensure that such tools comply with the principles of transparency, fairness, and accountability under the GDPR and FCRA.

Q: Are there any additional requirements for social media background checks when dealing with candidates who are minors under the GDPR and FCRA?

When dealing with candidates who are minors, employers must be especially cautious. They should obtain consent from the candidate’s legal guardian, ensure the information obtained is relevant to the job, and comply with any additional regulations related to minors’ data protection.

Q: Can employers use social media data to assess a candidate’s suitability for remote work positions under the GDPR and FCRA?

Yes, employers can use social media data to assess a candidate’s suitability for remote work positions, provided they do so in a fair and non-discriminatory manner and comply with all applicable privacy regulations.

Q: What should employers do with social media data after the hiring process is complete under the GDPR and FCRA?

After the hiring process is complete, employers should ensure they have a proper data retention and deletion policy. Social media data that is no longer relevant should be securely deleted to comply with GDPR and FCRA requirements.

Q: Can employers use social media data obtained during background checks for purposes other than hiring decisions under the GDPR and FCRA?

Employers should use social media data obtained during background checks only for the purpose for which it was collected, typically for making informed hiring decisions. Using the data for other purposes could lead to non-compliance with GDPR and FCRA regulations.

Q: What measures can employers take to ensure compliance with both GDPR and FCRA during social media background checks?

Employers can ensure compliance by obtaining explicit consent from candidates, providing clear disclosures, using reputable third-party vendors, maintaining data accuracy, and establishing appropriate data retention and deletion policies.

Q: Can social media background checks be conducted on candidates applying for internships or volunteer positions under the GDPR and FCRA?

Yes, social media background checks can be conducted on candidates applying for internships or volunteer positions, but employers should follow the same GDPR and FCRA guidelines as they would for regular job candidates.

Q: Can employers conduct periodic social media background checks on their current employees under the GDPR and FCRA?

Yes, employers can conduct periodic social media background checks on their current employees, but they must have a legitimate reason and comply with GDPR and FCRA requirements. Employee consent or a legitimate interest must be established.

Q: Can candidates refuse to undergo a social media background check without it negatively affecting their job application under the GDPR and FCRA?

In general, candidates have the right to refuse a social media background check, and employers should not negatively impact their job application solely based on their refusal, as long as the refusal does not violate any legal or regulatory obligations.

About Neotas Social Media Background Checks

At Neotas, We understand the importance of conducting thorough and compliant Social Media Screening Checks, and our team of experts is dedicated to ensuring that the process is safe and reliable. Receive accurate and up-to-date information while complying with all relevant regulations, including GDPR and FCRA. Our advanced OSINT technology and human intelligence allow us to uncover valuable insights that traditional checks may miss.

Related Content on Social Media Screening and Social Media Background Check

Neotas Enhanced Due Diligence

Neotas Enhanced Due Diligence covers 600Bn+ Archived web pages, 1.8Bn+ court records, 198M+ Corporate records, Global Social Media platforms, and more than 40,000 Media sources from over 100 countries to help you screen & manage risks.

Book a Demo

Explore Neotas Enhanced Due Diligence

Cookie	Duration	Description
AWSALBTG	7 days	AWS Application Load Balancer Cookie. Load Balancing Cookie: Used to encode information about the selected target group.
AWSALBTGCORS	7 days	AWS Classic Load Balancer Cookie: Used to map the session to the instance. This cookie is identical to the original ELB cookie except for the attribute &SameSite=None;
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
debug	never	Cookie used to debug code and website issues
shown	session	Session cookie to control number of times a pop up is shown.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
AnalyticsSyncHistory	1 month	Used to store information about the time a sync took place with the lms_analytics cookie
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes
rl_anonymous_id	1 year	Generates an unique anonymous Id to identify a user and attach to a subsequent event.
rl_user_id	1 year	to store a unique user ID for the purpose of Marketing/Tracking

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_107495977_1	1 minute	Set by Google to distinguish users.
_gat_UA-107495977-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
attribution_user_id	1 year	This cookie is set by Typeform for usage statistics and is used in context with the website's pop-up questionnaires and messengering.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Enhanced Due Diligence

Corporate Intelligence and Forensics

Financial Intelligence Unit

Open Source Intelligence (OSINT)

Events & Webinars

Neotas Blogs

Neotas News

Neotas Careers

About Neotas

Neotas Partners

Neotas Awards

Life at Neotas

Schedule a Call

Request a Demo

Social Media Background Checks

GDPR and FCRA implications of Social Media Background Checks

FAQs on GDPR and FCRA implications of Social Media Background Checks

About Neotas Social Media Background Checks

Share:

Neotas Enhanced Due Diligence

Book a Demo

Related Blog Posts

The Perils of AI-Based Social Media Checks Without Human Intervention

Developing an Effective Third Party Risk Management Framework

How GDPR and FCRA Apply to Social Media Background Checks – The Do’s and Don’ts of Social Media Background Checks for Employers

Social Media checks for Lawyers and other legal professionals

Social media checks for doctors and healthcare specialists

Importance of using Social Media checks for Police Officers

Social Media Screening Checks for Education Industry To Aid Safeguarding – Social Media Checks for School Staff

Overcoming Enhanced Due Diligence Challenges on High Risk Customers

How OSINT Can Help Challenger Banks Create More Robust AML Controls

about

Knowledge Base

Solutions

get in touch

Other Solutions

© 2023 Neotas. All rights reserved.