Background Check Compliance: EU vs USA — A Practical Comparison
By Exero Group · Exero Group, Prague
Cross-border hiring and investor due diligence look superficially similar on both sides of the Atlantic — collect a candidate's history, verify it against authoritative sources, return a defensible report. The legal frameworks underneath are not similar at all. A background check that is routine and lawful in Texas can be unlawful in Prague, and a check that is standard in Prague can produce a discrimination claim in California. This is the practical comparison we walk our clients through before any cross-border engagement.
Legal basis to process the data
| Topic | European Union (incl. Czech Republic) | United States |
|---|---|---|
| Primary statute | GDPR + national labour codes (Act No. 262/2006 Sb. in CZ) | Fair Credit Reporting Act (FCRA) + state equivalents |
| Lawful basis | Article 6(1)(b) contract preparation and 6(1)(f) legitimate interest, balanced against the candidate | Written, standalone disclosure and authorisation from the candidate |
| Special-category data (health, religion, union, biometric) | Prohibited unless an Article 9 exception applies — generally not available for hiring | Permitted with consent in many states; restricted by ADA, GINA, Title VII |
Criminal records
This is where the two regimes diverge most sharply.
- EU / Czech Republic. Only the candidate can request their own extract from the criminal register (Rejstřík trestů). An employer may require the candidate to produce one, but only when the role objectively requires it — childcare, healthcare, financial services, security. Asking every candidate is unlawful.
- USA. Employers may run third-party criminal record checks on every candidate, subject to FCRA disclosure, the EEOC's "individualised assessment" guidance and a growing patchwork of ban-the-box laws (over 35 states and many cities) that delay the question until after a conditional offer.
Credit and financial history
- EU. No general consumer credit-reporting industry comparable to the US. Insolvency and execution registers are public; bank credit data is not. Use is limited to roles with a clear financial nexus.
- USA. Credit reports are widely used for any role with financial responsibility, again under FCRA. A growing number of states (CA, CO, IL, NY, WA) restrict credit checks to roles where credit history is genuinely relevant.
Social media and OSINT
Both regimes accept OSINT as input to a hiring decision, but with very different process requirements:
- In the EU, the candidate must be informed in advance that publicly available information will be reviewed, and the controller must document a legitimate-interest assessment. Special-category data inferred from social media (religion, political views, sexual orientation, health) cannot lawfully feed the decision.
- In the US, the same data points may legally feed the decision in some states, but doing so creates Title VII disparate-impact exposure that most sophisticated employers now avoid.
AI and automated scoring
The EU AI Act classifies AI systems used for recruitment and worker evaluation as high-risk, triggering documentation, human-oversight, bias-testing and registration obligations from 2026. The US has no federal equivalent; state laws (NYC Local Law 144, Illinois AIVIDA, California SB 7) impose narrower bias-audit and notice obligations on automated employment decision tools.
Retention
- EU. Background-check data must be deleted once the purpose ends — typically immediately after the hiring decision for unsuccessful candidates, and no longer than the limitation period for the successful candidate.
- USA. FCRA imposes a duty to securely dispose of consumer-report data; the practical retention window is set by employment-litigation statutes of limitation (commonly 2-4 years).
Cross-border practical guidance
- Run two parallel templates: one EU, one US. Don't try to harmonise them — you will breach one or the other.
- For multinational hires, locate the lawful basis in the candidate's country of residence at signature, not the employer's headquarters.
- For investor and M&A due diligence on a target with EU operations, treat employee data the same way — even when the deal is being negotiated in New York or London.
- Never copy a US "consent to all background checks" form into an EU process. It is invalid as a GDPR consent (no granularity, no genuine choice) and exposes the employer.
Exero Group runs cross-border due diligence and background checks for European and American clients daily, with 35+ years of combined experience inside both frameworks and verified field partners across the EU and the United States.