In response to a number of enquiries, we looked at the requirements for staff security checks in the private sector and drew up some guidelines on the issue.
A number of service providers to financial institutions asked us to what extent data protection law allows them to pass on certain data on their employees, such as extracts from the debt enforcement register or register of criminal convictions, to the financial institutions for which they work. The financial institutions allegedly require this information in order to establish that data security is ensured.
In response to these enquiries we took a closer look at this issue. We met with both financial institutions and the supervisory authority concerned in order to hear about the various requirements and needs in relation to staff security checks. We learnt how checks vary depending on the employee's risk potential and which sector-specific regulations apply. It was also explained to us that it would be inappropriate to have different systems for internal and external staff.
We then analysed the circumstances in the light of the applicable provisions in the Data Protection Act and Code of Obligations. In particular we considered the issue of proportionality, which, however, can only be assessed in detail on a case-by-case basis. For private employers and the employees concerned, we developed guidelines based on data protection law to be followed when a risk profile is drawn up; these are published on our website.