Direct Answer
Yes. The General Data Protection Regulation (GDPR) applies to employment references because references contain personal data (names, job titles, performance evaluations, and behavioral assessments) about identifiable individuals. Two people are data subjects in every reference check: the candidate the reference is about, and the reference provider whose name, contact details, and opinions are collected. Any organization that collects, processes, or stores reference information in the context of an establishment in the European Union, or about individuals who are in the EU, must comply with GDPR requirements, including having a lawful basis for processing that data, informing both individuals about the processing, and respecting their rights.
Why It Matters
Imagine you are a hiring manager in France. A candidate gives you three references from former employers in Germany, Spain, and the United States. You send each reference provider a questionnaire asking them to rate the candidate’s work performance, reliability, and interpersonal skills. Every response you collect (every rating, every written comment, every email address) is personal data under the GDPR. The exchange with the reference provider in the United States is also a transfer of personal data outside the EU, which needs its own safeguard under Chapter V of the GDPR (an adequacy decision, standard contractual clauses, or another listed mechanism) in addition to a lawful basis.
This is not a hypothetical scenario. It is the reality of modern hiring in a global economy, and it is exactly the kind of data processing the GDPR was designed to regulate. Getting it wrong can result in significant fines — up to 4% of global annual turnover or EUR 20 million, whichever is higher.
The Science Behind It
The GDPR provides six lawful bases for processing personal data under Article 6(1). For employment references, the two most relevant are:
Legitimate interests (Article 6(1)(f)): Processing is necessary for the legitimate interests of the employer, provided those interests are not overridden by the fundamental rights of the data subject. An employer’s interest in making informed hiring decisions through reference checks is generally recognized as legitimate, but the processing must be proportionate and transparent, and under the accountability principle (Article 5(2)) the employer should document the balancing test it performed and collect no more than the job-relevant minimum (Article 5(1)(c)).
Contract performance (Article 6(1)(b)): Processing is necessary for steps taken at the request of the data subject prior to entering into a contract. When a candidate applies for a role and asks the employer to contact named references, processing the candidate’s reference data may fall under this basis. Note that this basis covers only the data of the party to the prospective contract, that is, the candidate; the reference provider is not a party, so processing the provider’s own personal data (name, contact details, the opinions they express) needs a separate basis, normally legitimate interests.
Consent (Article 6(1)(a)) is available but problematic in employment contexts because of the inherent power imbalance between employers and candidates or employees. The European Data Protection Board has noted that consent in the employment relationship is rarely “freely given” as the GDPR requires.
Article 88 of the GDPR specifically addresses employee data processing. It grants Member States the power to adopt “more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context”, expressly including recruitment (Abraha, 2023). In the landmark Hauptpersonalrat der Lehrerinnen und Lehrer ruling (Case C-34/21, 30 March 2023), the Court of Justice of the European Union interpreted Article 88 for the first time, holding that national laws adopted under this provision must contain “normative content that is distinct from, but compatible with, the GDPR” and must include “suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights” (Abraha, 2023). A national rule that merely restates the GDPR’s own lawful bases does not meet that test.
This means that the rules governing employment references can vary by Member State, but they cannot fall below the GDPR floor. In Germany, for example, Section 26(1) of the Federal Data Protection Act (BDSG) provides that personal data of employees may be processed where “necessary for hiring decisions” (Abraha, 2023). The provision the CJEU examined in Hauptpersonalrat der Lehrerinnen und Lehrer was a Hessian state rule worded almost identically to Section 26(1) BDSG, so whether Section 26(1) has enough distinct normative content to stand as an Article 88 rule is now contested; German employers should be able to point to a basis in Article 6(1) itself rather than rely on Section 26(1) alone. France, where the GDPR applies directly as a regulation, adapted its Loi Informatique et Libertés to it, and the CNIL’s guidance governs how employers may collect and process reference data.
For organizations operating across borders, which includes the employers in the EU, UK, and US who make up Open HR’s glossary audience, this creates a layered compliance obligation: the GDPR as the baseline, Member State laws as additional specifications, and non-EU jurisdictions (the UK’s post-Brexit UK GDPR and Data Protection Act 2018, and the US patchwork of federal and state laws) adding further requirements of their own.
Common Misconceptions
A common misconception is that if a candidate provides the reference provider’s name and contact details, no further GDPR obligations apply. This is incorrect. Even when a candidate nominates their references, the employer still processes personal data about both the candidate and the reference provider. Both individuals have rights under the GDPR, including the right to be informed about how their data is used, the right of access, and the right to rectification. Because the employer obtains the provider’s details from the candidate, and the reference content from the provider, the information duty toward each of them arises under Article 14 (data not obtained from the data subject). The reference provider must know why they are being contacted, what data will be collected, how it will be stored, and who will have access to it. One caveat on access: some national laws narrow the right of access for confidential references (the UK’s Data Protection Act 2018 contains such an exemption), so check the rules of the jurisdiction involved before responding to a request.
Another misconception is that the US has no equivalent protections. While the US lacks a comprehensive federal data privacy law comparable to the GDPR, California’s CCPA/CPRA has applied to job applicant and employee data since 1 January 2023, when the earlier employment exemption expired. Most other state consumer privacy laws (Virginia’s VCDPA and Colorado’s CPA among them) exclude individuals acting in an employment context and so do not reach reference checks. At the federal level, the Fair Credit Reporting Act (FCRA) governs third-party background checks, including reference checks, when they are conducted by consumer reporting agencies (Voss & Houser, 2019).
How This Connects to Better Hiring
Data protection compliance is not an obstacle to good reference checking; it is a design constraint that, when followed, produces better outcomes. Structured reference checks fit the GDPR better than unstructured ones because they collect only job-relevant, predefined data points rather than open-ended personal opinions, which is what the data minimisation and purpose limitation principles of Article 5(1) require. They make it easier to demonstrate proportionality, to document the lawful basis for processing, and to respond to data subject access requests. The same structure that improves psychometric validity also improves compliance: a rare case where scientific rigor and legal obligation point in exactly the same direction.