    Background Check Compliance: EU vs USA Guide

    By Exero Group · Exero Group, Prague

    Cross-border hiring and investor due diligence look superficially similar on both sides of the Atlantic: collect a candidate's history, verify it against authoritative sources, return a defensible report. The legal frameworks underneath are not similar at all. A background check that is routine and lawful in Texas can be unlawful in Prague, and a check that is standard in Prague can produce a discrimination claim in California. This is the practical comparison we walk our clients through before any cross-border engagement.

    Primary statute
    • EU (incl. Czech Republic). GDPR + national labour codes (Act No. 262/2006 Sb. in the Czech Republic).
    • USA. Fair Credit Reporting Act (FCRA) + state equivalents.

    Lawful basis
    • EU (incl. Czech Republic). Article 6(1)(b) contract preparation and Article 6(1)(f) legitimate interest, balanced against the candidate's interests.
    • USA. Written, standalone disclosure and authorisation from the candidate.

    Special-category data (health, religion, union membership, biometrics)
    • EU (incl. Czech Republic). Prohibited unless an Article 9 exception applies; such an exception is generally not available for hiring.
    • USA. Permitted with consent in many states; restricted by the ADA, GINA and Title VII.

    Criminal records

    This is where the two regimes diverge most sharply.

    • EU / Czech Republic. Only the candidate can request their own extract from the criminal register (Rejstřík trestů). An employer may require the candidate to produce one, but only when the role objectively requires it: childcare, healthcare, financial services, security. Asking every candidate is unlawful.
    • USA. Employers may run third-party criminal record checks on every candidate, subject to FCRA disclosure, the EEOC's "individualised assessment" guidance and a growing patchwork of ban-the-box laws (over 35 states and many cities) that delay the question until after a conditional offer.

    Credit and financial history

    • EU. No general consumer credit-reporting industry comparable to the US. Insolvency and execution registers are public; bank credit data is not. Use is limited to roles with a clear financial nexus.
    • USA. Credit reports are widely used for any role with financial responsibility, again under FCRA. A growing number of states (CA, CO, IL, NY, WA) restrict credit checks to roles where credit history is genuinely relevant.

    Social media and OSINT

    Both regimes accept OSINT as input to a hiring decision, but with very different process requirements:

    • In the EU, the candidate must be informed in advance that publicly available information will be reviewed, and the controller must document a legitimate-interest assessment. Special-category data inferred from social media (religion, political views, sexual orientation, health) cannot lawfully feed the decision.
    • In the US, the same data points may legally feed the decision in some states, but doing so creates Title VII disparate-impact exposure that most sophisticated employers now avoid.

    AI and automated scoring

    The EU AI Act classifies AI systems used for recruitment and worker evaluation as high-risk, triggering documentation, human-oversight, bias-testing and registration obligations from 2026. The US has no federal equivalent; state laws (NYC Local Law 144, Illinois AIVIA, California SB 7) impose narrower bias-audit and notice obligations on automated employment decision tools.

    Retention

    • EU. Background-check data must be deleted once the purpose ends, typically immediately after the hiring decision for unsuccessful candidates, and no longer than the limitation period for the successful candidate.
    • USA. FCRA imposes a duty to securely dispose of consumer-report data; the practical retention window is set by employment-litigation statutes of limitation (commonly 2-4 years).

    Cross-border practical guidance

    1. Run two parallel templates: one EU, one US. Don't try to harmonise them; you will breach one or the other.
    2. For multinational hires, locate the lawful basis in the candidate's country of residence at signature, not the employer's headquarters.
    3. For investor and M&A due diligence on a target with EU operations, treat employee data the same way, even when the deal is being negotiated in New York or London.
    4. Never copy a US "consent to all background checks" form into an EU process. It is invalid as a GDPR consent (no granularity, no genuine choice) and exposes the employer.

    Exero Group runs cross-border due diligence and background checks for European and American clients daily, with 35+ years of combined experience inside both frameworks and verified field partners across the EU and the United States.

    Practical compliance checklist

    • Define the lawful basis before you start. In the EU, this is almost always legitimate interest (Article 6(1)(f) GDPR) for employment screening, with a documented balancing test. In the U.S., it is the candidate's written authorization under the Fair Credit Reporting Act (FCRA).
    • Localize candidate notices. EU candidates must receive an Article 13 privacy notice in their working language before screening begins. U.S. candidates receive a stand-alone FCRA disclosure plus written consent.
    • Limit scope to job relevance. Criminal-record checks in Germany, France, and the Czech Republic are restricted to roles where the conviction would directly disqualify the candidate. Blanket criminal screening of all hires is unlawful.
    • Mind the seven-year rule. Most U.S. states cap reportable adverse information at seven years. The EU's GDPR storage-limitation principle is shorter and case-by-case.
    • Adverse action workflow. Before declining a U.S. candidate based on a report, send a pre-adverse action notice with a copy of the report and FCRA Summary of Rights. In the EU, give the candidate a chance to comment under Article 22 before any automated decision.

    Common pitfalls we see

    Multinational employers frequently apply a single U.S.-style screening package across all jurisdictions. This routinely violates EU law in three ways: criminal-record requests beyond what national law permits, social-media screening without a documented balancing test, and cross-border transfer of results without a valid transfer mechanism such as Standard Contractual Clauses or an adequacy decision.

    The fix is rarely a separate vendor; it is a tiered screening matrix that specifies, per country and per role family, which checks are run, on what legal basis, with what retention period, and through which subprocessor. Exero Group builds and operates these matrices for clients hiring across the EU and U.S.

    EU vs U.S. background checks: practical questions employers ask us

    Can I run a U.S.-style criminal history check on an EU candidate?

    Generally no, at least not in the same form. Most EU member states (Germany, France, the Netherlands, the Czech Republic) restrict access to criminal records to the data subject or to a narrow list of authorised public bodies. The compliant approach is to require the candidate to obtain and submit their own extract from the national criminal register (in the Czech Republic the výpis z rejstříku trestů), with the role-relevance and retention period documented in advance. Running a third-party "global criminal search" against an EU resident without this framework is one of the fastest ways to trigger a GDPR complaint and a regulatory fine.

    Are credit checks allowed in the EU for employment?

    Only for a narrow set of roles where financial integrity is genuinely material, typically positions with signing authority, fiduciary duties, access to client funds, or roles regulated by AML, financial services or insurance law. Even then, the check is normally limited to insolvency and enforcement registers, not the full consumer-credit report common in the U.S. The legal basis must be documented before the check is ordered, and the candidate must receive clear information about what is being verified and why.

    Social media screening: what is the line?

    Reviewing publicly accessible professional content (LinkedIn, conference talks, published articles) is generally defensible if it is restricted to job-relevant information and documented. Searching private personal profiles, requesting login credentials, or using pretext accounts to view restricted content is unlawful across the EU and increasingly restricted in U.S. states such as California, New York and Illinois. The safest rule is: if the candidate has not made it public for a professional audience, do not collect it.

    Building a tiered screening matrix

    The compliant operating model for transatlantic employers is a written matrix that maps, for each country and role family, exactly which checks are run, on what legal basis, with what retention period and through which subprocessor. The matrix is signed off by counsel and reviewed annually. This single document is the difference between a defensible global hiring program and an ad-hoc process that produces both legal exposure and inconsistent decisions.

    How to localise background checks across EU and US requirements

    Start with role relevance

    A compliant screening programme should begin with the position, not with a fixed global checklist. Finance, childcare, executive leadership, security and regulated professional roles justify different levels of verification. In the European Union, employers must connect each check to a lawful basis, a defined purpose and a data minimisation analysis. In the United States, the same employer must also consider disclosure forms, authorisation language, adverse-action notices and state-specific limits on criminal history, salary history or credit information.

    Separate consent from necessity

    Multinational employers often overuse consent because it feels simple. In the EU employment context, consent may not be freely given because of the imbalance between employer and candidate, so legitimate interest, legal obligation or contract preparation may be more appropriate depending on the check. In the United States, candidate authorisation remains central under the Fair Credit Reporting Act when a third-party consumer report is used. Treating both systems as identical can create invalid notices in one jurisdiction and insufficient documentation in the other.

    Document retention, transfers and decisions

    The report is only one part of compliance. Companies also need rules for how long results are retained, who can access them, how cross-border transfers are protected and how adverse findings are reviewed before a decision is made. EU teams should avoid collecting special-category data through broad social media review, while US teams should apply consistent assessment criteria to reduce discrimination risk. A country-by-country matrix makes the process easier to defend during audits, disputes or candidate complaints.

    The safest approach is a modular screening framework: define permitted checks by country and role, keep notices current, record the reason for each data source and ensure final decisions are made by trained people rather than automated scoring alone.
