TL;DR — What is an employer allowed to research about you? Under the GDPR, only what is relevant and proportionate to the specific role, disclosed to you in advance, and not kept once the decision is made. "You applied, so you consented" usually fails as a lawful basis. A public post is not automatically fair game, and special-category data stays largely off-limits whatever your seniority. The lawful version of screening is narrow. The informal version that happens on most senior hires is not, and no rule reliably reaches it. What you can control is what that search finds.
The higher the role, the deeper the look. By the time a serious offer is on the table — a board seat, a C-suite hire, a partner appointment — someone has almost certainly run a search on you. Often several. The question candidates rarely ask, because the process is built to feel routine, is a simple one: what are they actually allowed to look at?
In Europe the answer is more restrictive than most employers behave as if it is. The gap between what the law permits and what a hiring team, a headhunter, or a third-party vetting firm actually does is the part worth understanding, because that gap is where your exposure does the talking, whether or not anyone is supposed to be reading it.
The starting point: they need a lawful basis, and "you agreed to it" usually isn't one
Every check an employer runs on you is processing of personal data, and under the GDPR processing needs a lawful basis. The instinct is to assume the basis is your consent: you applied, so you agreed.
In an employment context that argument largely fails. The European Data Protection Board's position is that consent is rarely "freely given" where there is a clear imbalance of power between the parties, and the employer–candidate relationship is the textbook example. You are not in a position to refuse without fear of losing the role, so the consent you give isn't really consent.
What that leaves an employer with, in practice, is legitimate interest, and legitimate interest is not a blank cheque. It requires the employer to show the check is necessary for a genuine purpose, and to balance that purpose against your rights and reasonable expectations. A check that is relevant and proportionate to the role can clear that bar. A general trawl through your life cannot.
What the law actually permits: relevant, proportionate, and out in the open
Three principles from Article 5 of the GDPR govern what a lawful check looks like.
Relevance and minimisation. An employer may only gather information that bears on your ability to do the specific job. The more senior and sensitive the role, the more a thorough check is defensible, but it has to connect to the role, not to curiosity.
Proportionality and subsidiarity. If there is a less intrusive way to establish the same thing, the employer is expected to use it. A regulated-sector reference check or a formal qualification verification is a different proposition from reading ten years of someone's social media.
Transparency. This is the one most often ignored. You are supposed to be told. Articles 13 and 14 require an employer to inform you about what data they collect and from where, including data they gather from third parties or from your online presence. A check you were never told about is, on its face, an unlawful one.
The lines they are not supposed to cross
Some categories are close to off-limits regardless of seniority.
Special-category data — your health, religion, political views, sexual orientation, trade union membership — carries a much higher bar under Article 9. And here is the point candidates miss: the fact that you posted something publicly does not make it fair game. The Dutch data protection authority is explicit that whether your profile is public, and whether you "consented," is not the deciding factor. Public is not the same as permitted, and the line between legitimate research and surveillance is drawn by purpose and proportionality, not by what happens to be visible.
Secret or open-ended checks. A vetting process that is never disclosed, or data that is kept indefinitely "in case it's useful later," breaches the transparency and storage-limitation rules. Guidance across the UK and EU expects the information to be deleted once the recruitment decision is made.
Conflating the researcher and the decider. The ICO's guidance recommends that the person who carries out a background or social-media check should not be the same person who makes the hiring decision, precisely so that irrelevant or protected information doesn't quietly tip the outcome.
Social media and search: the most misunderstood area
This is where lawful theory and common practice diverge most sharply.
The Article 29 Working Party's Opinion 2/2017, the reference text EU regulators still work from, says an employer may only inspect a candidate's social media where it is relevant to the role, must inform the candidate first, cannot require access to private profiles, and must not retain the data afterwards. The Dutch regulator goes further: screening applicants via social media is, as a starting rule, not permitted, with an exception only where it is strictly necessary for the specific vacancy. The ICO's line is materially the same, holding that intrusive or targeted online checks are unlikely to be lawful, appropriate, or necessary in most hiring.
Read those together and the lawful position is narrow: a relevant, announced, role-specific check, rather than the open-ended "let's just Google them" that happens in practice on almost every senior hire.
The distance between what an employer may lawfully see and what a determined searcher can actually assemble about you is the real risk in any senior appointment. Knowing what that search returns, before someone else runs it, is the first move. A Snapshot Scan shows you what a search on your name and email surfaces across people-search sites, breaches, and the open web.
The executive layer: enhanced due diligence and fit-and-proper checks
For senior and regulated roles, a further layer applies, and it is more lawful, not less, because it is purpose-bound.
Candidates for controlled functions in financial services, board members of regulated institutions, and senior fiduciaries are subject to formal "fit and proper" or suitability assessments. In the United Kingdom, the Senior Managers and Certification Regime requires firms to assess named senior-manager functions for honesty, competence, and financial soundness before regulatory approval. In the euro area, the European Central Bank runs fit-and-proper assessments of bank board members under the Single Supervisory Mechanism, weighing experience, reputation, conflicts of interest, and time commitment. These regimes give the employer a firmer legal footing to check criminal records, financial history, and regulatory background, but only to the extent the regime requires.
Two things are worth knowing here. First, much of this work is outsourced to third-party screening and due-diligence firms, who act as data processors on the employer's behalf. They are bound by the same proportionality and transparency rules, and you retain your rights against the employer who instructed them. Second, reputational due diligence — the discreet, relationship-based enquiry that surrounds top appointments — is the least regulated and least visible part of the process, and the part most likely to be shaped by whatever is publicly findable about you. Much of what feeds it sits in the commercial data and people-search records that screening firms can buy off the shelf.
When an algorithm screens you: the EU AI Act
Increasingly the first reader is not a person. AI systems used to filter applications, rank candidates, or evaluate people for a role are classified as high-risk under Annex III of the EU AI Act, with the full obligations becoming enforceable on 2 August 2026.
For you as the candidate, that classification carries concrete entitlements. The employer deploying such a system owes you transparency that it is being used, must maintain meaningful human oversight rather than letting the model decide, and is subject to bias and documentation requirements. Non-compliance is not a footnote: penalties reach into the millions of euros. If you were rejected for a role and an automated system was involved, you are entitled to know.
Your rights as the person being screened
The same law that constrains the employer arms you.
You have the right to be informed of what is collected and from where (Articles 13–14). You have the right of access: a data subject access request compels an employer or a screening firm to disclose what they hold about you and how they have processed it (Article 15). And you can object to processing built on legitimate interest, and seek erasure where data was collected unfairly or kept too long.
These are not theoretical. A well-placed access request to a screening provider is one of the few ways to see what a professional check actually surfaced about you, and it is a right, not a favour.
The gap that actually matters
Here is the uncomfortable summary. The lawful version of executive screening is narrow, disclosed, relevant, and bounded. The real version — the informal search a hiring manager runs at 11pm, the headhunter's quiet enquiries, the reputational soundings around a board seat — is none of those things, and no regulation reliably reaches it. The same exposure also feeds risks that have nothing to do with hiring, from targeted doxxing to impersonation.
You cannot legislate your way out of that gap. What you can do is know what it exposes. Everything a lawful check is restricted from using, and everything an unlawful one might quietly weigh, is sitting in the same place: the publicly findable record of you. People-search listings, old accounts, search results, breach appearances, and the profile a stranger can assemble in an afternoon.
The candidates who manage this well are not the ones with nothing online. They are the ones who looked first.