
Most companies think about staff background checks as a compliance obligation. Something you do because you have to, handled somewhere between sending the offer letter and the first day. But there’s a real cost to treating it that way, and it’s not the one you might expect.
The cost is not legal. It’s operational. Candidates who don’t understand why they’re being asked for documents, who don’t know what will happen to their data, or who feel like they’re being treated as suspects rather than future colleagues, those candidates drop out. Or they start their employment already suspicious of the company’s processes. Neither is a great outcome.
This article is about how to run a staff background check process that is both legally sound in Romania and under EU law, and actually decent for the person going through it. Those two things are not in conflict.
They’re just rarely treated together.
Why Most Background Check Processes Create Friction Without Meaning To
The problem usually isn’t intent. HR teams don’t set out to make candidates anxious or confused. The friction builds up from small decisions that each seem reasonable in isolation: sending a consent form written in legal language, collecting documents for checks that aren’t relevant to the role, not explaining how long data will be kept, or simply never telling candidates what happens next.
In Romania, this gets worse because there’s a tendency to copy-paste consent notices that were drafted for one purpose and reuse them across all roles. A staff background check for a junior accountant and one for a senior finance director with access to treasury systems are not the same process. Treating them identically is both legally risky and practically confusing for candidates.
Then there’s the timing problem. Background check requests that arrive after a verbal offer but before a written contract put candidates in an uncomfortable position. They’re asked to share data while still uncertain about their employment status. And when this is a practice candidates are not used to, the combination of vulnerability and opacity is where trust erodes.
The Legal Framework: What Romanian and EU Law Actually Require
Before thinking about candidate experience, it helps to be clear on what the law says, not because compliance is the endpoint, but because a well-designed legal basis is also the clearest foundation for candidate communication.
GDPR and the Romanian Context
Romania transposed GDPR through Law no. 190/2018, which doesn’t fundamentally change the EU framework but adds some national nuances worth knowing. For employers, the key question in any staff background check is: what is the legal basis for processing this data?
Consent is often cited as the default answer. But it’s not always the right one. Under GDPR Article 7, consent must be freely given, and in an employment context regulators, including the European Data Protection Board, have noted that the imbalance of power between employer and candidate means consent can rarely be considered truly voluntary. This doesn’t mean consent is never appropriate, but it does mean it needs to be handled carefully.
For most pre-employment checks, the more defensible bases tend to be:
- Article 6(1)(b) — processing necessary for the performance of a contract, where checks are needed to establish the employment relationship
- Article 6(1)(c) — processing required to comply with a legal obligation, relevant for regulated industries like banking, healthcare or critical infrastructure
- Article 6(1)(f) — legitimate interests, where the employer can demonstrate a genuine need that is proportionate and not overridden by the candidate’s rights
Criminal record data is a special category under GDPR Article 10. Processing it requires either a specific legal authorization or compliance with official authority oversight. In Romania, for many regulated roles, this is covered by sector-specific legislation. But for roles where no specific legal basis exists, requesting a criminal record extract just because it feels like due diligence is not compliant.
Data Minimization: The Principle Most Employers Ignore
GDPR Article 5(1)(c) requires that data collected must be adequate, relevant, and limited to what is necessary. Applied to background screening, this means checks should be designed around the actual risks of the role, not around what’s administratively convenient to collect.
An identity document check is relevant for almost every role. Financial credit history is relevant for treasury or procurement roles but not for a software developer. A professional reference check is relevant for senior appointments. An academic verification is relevant where qualifications are a genuine requirement of the role.
Designing checks by role — rather than applying a single standard to everyone — is both better compliance and a significantly better candidate experience. Candidates understand proportionality intuitively. Being asked for a bank statement when you’re applying for an IT support role feels invasive because it is.
Retention and Deletion: The Step Most Processes Skip
Collecting data with a clear legal basis and then keeping it indefinitely is a common compliance gap. GDPR Article 5(1)(e) requires that personal data be kept in a form that permits identification of data subjects for no longer than necessary.
For background check data, this means having a defined retention policy: how long verification data is kept after the employment decision, what happens to data for candidates who were not hired, and who is responsible for ensuring deletion actually occurs. These questions should be answered for candidates, which also functions as part of the Article 13 information duty.
| Data Type | Typical Legal Basis | Retention Consideration |
| --- | --- | --- |
| Identity document copy | Art. 6(1)(b) or (c) | Duration of employment + statutory retention period |
| Education verification | Art. 6(1)(b) — legitimate requirement of role | Until verification confirmed; discard originals |
| Criminal record extract | Art. 6(1)(c) / Art. 10 — regulated roles only | Minimum retention; delete after decision |
| Financial credit report | Art. 6(1)(f) — treasury/finance roles only | Until employment decision; do not retain |
| Professional references | Art. 6(1)(b) or (f) | Employment file or fixed retention period |
Table: common background check data types mapped to GDPR legal basis and retention considerations. This is general guidance; role-specific and sector-specific rules may apply.
What a Good Candidate Experience Actually Looks Like

Here’s where most HR process guides fall short: they describe what you must do legally, then stop. But compliance is a floor, not a ceiling. The question of what makes a background check process actually decent for a candidate is worth thinking through separately.
Transparency Before the Request
Candidates should know a staff background check is part of your process before they apply, or at the very latest before they receive an offer. Surfacing it only at the final stage, when candidates have already invested time and emotional energy in the process, makes it feel like a trap. A single sentence in the job description or the opening communication of the hiring process is enough.
When the check is triggered, candidates should receive a clear explanation of:
- what specific checks will be conducted and why
- what data is needed and how it will be processed
- who will have access to the results
- how long the process takes
- what their rights are and how to exercise them
That’s not a long list. Most of it fits in half a page of plain language. The problem is that most consent notices are written by lawyers for legal defensibility, not by communicators for candidate clarity; to smooth the process, include this information in the e-mail that carries the consent request. Both goals are achievable, but it requires someone to actively make that happen.
Plain Language in Consent Notices
Consent notices in Romania often mix Romanian Labor Code references, GDPR article citations, and operational details into a single dense document. Candidates sign because they feel they have to, not because they understood what they signed.
A better approach separates the legal notice from the candidate communication. The legal notice can be comprehensive and formally structured. The candidate communication — which references or accompanies the legal notice — should explain in plain terms:
- We will run the following checks as part of your hiring process: [specific list for this role].
- Here is why each check is relevant to this role.
- Your data will be processed by [controller name] and handled by [processor, if applicable]. It will not be shared with any third party except as required to complete the verification.
- If you are hired, your verification records will be kept as part of your employment file for [X years]. If you are not hired, they will be deleted within [X days].
- You have the right to access, correct, or request deletion of your data. Contact [DPO or data contact] to exercise these rights.
This structure is GDPR-compliant and readable. Candidates who understand what they’re consenting to are more likely to cooperate promptly, which also reduces the administrative back-and-forth that slows down hiring.
Timing and Communication During the Check
Once the process is underway, silence is the enemy. Candidates waiting for a background check to clear don’t know if there’s a problem, if the company is slow, or if they’ve been forgotten. A simple status update — even just confirming that the check is in progress and giving a realistic timeline — reduces anxiety and reduces the volume of inbound queries to HR.
If a discrepancy or issue arises, candidates should be informed promptly and given the opportunity to provide context or correction before any employment decision is made based on the finding. This is not just good practice. In many EU jurisdictions, including Romania, candidates have rights in relation to automated or semi-automated decisions that affect their employment. Making a hiring decision based on a background check result without giving the candidate a chance to respond creates both legal and reputational exposure.
Practical Framework: Role-Based Checks That Scale
The most operationally efficient background check program is one where check types are defined by role category, not decided fresh for each hire. This reduces decision fatigue, ensures proportionality, and makes candidate communication consistent.
A workable structure for most Romanian employers looks like this:
| Role Category | Standard Checks | Additional Checks (where applicable) |
| --- | --- | --- |
| All roles | Identity verification, right to work, employment history (last 2 positions) | — |
| Finance / Treasury / Procurement | All standard + financial credit report, professional references | Criminal record check where legally required |
| Healthcare / Regulated professions | All standard + professional licence verification, criminal record check | Sector-specific regulatory requirements |
| Senior leadership | All standard + full professional reference check, education verification | Directorship history, media/sanctions screening |
| IT / Data access roles | All standard + employment history (extended) | Security clearance where contractually required |
Having this documented and consistently applied means candidates receive a check-specific consent notice that is accurate and proportionate, HR doesn’t need to reinvent the process for each hire, and any audit or regulatory review has a clear documented rationale for each check type.
Cross-Border Hiring in the EU
Romanian employers increasingly hire across EEA borders — remote roles filled by candidates in Germany, the Netherlands, France, or elsewhere. The compliance landscape shifts when this happens.
The candidate’s home country data protection authority may take a different view of consent or legitimate interests in employment contexts. Cross-border data transfers of background check results need to comply with GDPR Chapter V requirements. And the checks themselves may need to be adapted — criminal record extracts from different EU countries have different formats, different issuance timelines, and different legal weight.
For EEA-wide hiring, working with a verification partner who understands multi-jurisdictional screening is not a luxury. It’s a meaningful risk reduction measure.
A Real Example: What a Well-Run Process Looks Like End to End
Here’s how this works in practice for a mid-sized Romanian employer with a mix of finance, IT, and operational roles.
Before the offer: The job description includes a sentence noting that the role requires a background verification as part of the hiring process. No detail at this stage, just awareness.
At offer stage: The candidate receives a written offer conditional on verification, alongside a role-specific consent notice in plain Romanian and English (for EEA candidates). The notice covers exactly which checks apply to this role, the legal basis, data handling, retention timeline, and contact for data rights queries. A separate DPO-reviewed notice accompanies this for the formal GDPR record.
During the check: The candidate receives a confirmation that the process has started, with an expected completion window. If documents are missing or unclear, a single consolidated request is sent rather than multiple separate chasers.
At completion: If a discrepancy is found, the candidate is contacted to provide context before any decision is made.
Post-hire: Verification data is stored in the HR system with a defined retention flag. Candidates who were not hired have their data deleted within 30 days of the hiring decision.
This process takes no longer than a poorly designed one. It generates fewer inbound questions from candidates and fewer compliance queries from the DPO. And candidates who join through this process start with a clear sense that the company handles data responsibly.
Common Mistakes That Create Both Compliance and Experience Problems
Most background check process failures come from the same handful of mistakes:
- Using a single consent form for all roles — it is either over-broad or under-specific, and both create legal risk.
- Collecting criminal record data without a clear legal basis — particularly common for roles that aren’t legally regulated but where employers feel it seems thorough.
- Not having a retention and deletion policy — data sits in HR systems indefinitely because no one has defined who is responsible for deleting it.
- Treating the consent notice as a legal document to be signed, rather than a communication to be understood.
- Running checks after the start date — creating situations where an employee is already working while verification is still outstanding.
- Failing to give candidates a chance to respond to discrepancies before making a hiring decision.
Each of these creates both a compliance exposure and a candidate experience problem. They’re worth addressing as a set rather than individually.
What Good Looks Like: A Checklist for HR Teams
If you want to quickly audit where your current process stands, run through this:
- Is the existence of a background check communicated to candidates before they apply or before the interview process begins?
- Are your consent notices role-specific, or do you use a single standard form for all positions?
- Has a DPO or qualified legal advisor reviewed your consent notices and legal basis documentation within the last 12 months?
- Do your check types reflect the actual risk profile of each role, with documented rationale?
- Do you have a defined and enforced retention policy for background check data, including for unsuccessful candidates?
- Do candidates receive a status update during the verification process?
- Is there a defined process for giving candidates the opportunity to respond to discrepancies before a decision is made?
These aren’t hypothetical questions. Each one corresponds to a failure mode that shows up regularly in Romanian and EU employment audits.
How Mindit Consulting Can Help
Mindit Consulting works with HR and legal teams across Romania and the EU to design staff background check processes that are GDPR-compliant, proportionate, and built around candidate transparency.
Our approach starts with a process audit that maps your current checks against your role categories, your legal bases, and your retention practices. We identify gaps, document the rationale for each check type, and help you build consent notices that work as both legal records and candidate communications.
If your background check process is generating compliance questions, candidate friction, or just a lot of administrative back-and-forth, it’s worth taking a structured look at how it’s designed.
Contact us to schedule a process review: https://mindit.ro/contact/


