Background Screening as a Service

Advancing comprehensive corporate compliance.

Zurich, Switzerland - September 17, 2025

How Validato and CypSec conduct background screening for the DACH region

Human risk is one of the most underestimated elements of cybersecurity and organizational resilience. In Germany, Austria and Switzerland, companies face the challenge of mitigating insider threats and fraud while operating under some of the strictest data protection regimes in the world. Screening candidates and employees, especially those in sensitive positions, is a necessary measure. Yet, the process must comply with the General Data Protection Regulation (GDPR) and its local implementations such as the German Federal Data Protection Act (BDSG), the Austrian Data Protection Act (DSG), and Switzerland's Federal Act on Data Protection (FADP). This article explores how organizations can design lawful, effective background checks and human risk analysis, and highlights how solutions from Validato and CypSec help align operational security with compliance obligations.

GDPR sets the foundation for data processing across Europe, and its principles are reflected in Austria's DSG and Germany's BDSG. Switzerland's FADP, while a separate statute, has been revised to mirror GDPR standards. In all three jurisdictions, data must be processed lawfully, transparently, and only for a clearly defined purpose. For employment-related checks, organizations typically rely on legitimate interest as the legal basis, because consent is often considered invalid given the imbalance of power between employer and applicant. Consent can still play a role in Austria and Switzerland, where written authorization is commonly obtained, but any use of personal data must remain proportionate to the role in question. Sensitive data, such as criminal records or financial history, requires a particularly strong justification and must be handled with strict confidentiality.

The key to compliant and effective screening is proportionality. High-risk positions such as executives, system administrators, finance officers and HR managers demand thorough vetting, including identity verification, employment and education checks, professional licenses, financial reliability assessments and, where permissible, criminal record extracts. These checks are justified by the potential impact of these roles on corporate security and data protection. Medium-risk positions, such as project leads or departmental managers, require a more limited scope, usually focusing on identity and employment history with selective verification of references or credentials. Low-risk roles, such as entry-level staff or administrative personnel, typically only require identity and right-to-work checks. This tiered model ensures that privacy is respected while safeguarding critical assets.

Identity verification remains the most basic but essential measure, ensuring that applicants are who they claim to be and that they have the right to work. Employment and education checks confirm qualifications and protect against résumé fraud. Professional licenses, particularly in regulated industries, should be validated with the issuing authorities. Criminal record checks are tightly controlled in the region: in Germany, employers cannot query criminal registers directly and instead rely on an official certificate of conduct (Führungszeugnis) that the candidate obtains and presents voluntarily; Austria and Switzerland likewise require explicit consent and a clear legal need. Credit and financial checks are permissible only for roles with fiduciary responsibility and must be proportionate and clearly justified. None of these measures should be applied indiscriminately, and social media screening remains discouraged because of its legal risks and the potential for discrimination.

To remain compliant, organizations must demonstrate a clear legal basis for each check, maintain transparency by informing candidates about the process, and ensure data minimization. Information should be retained only as long as necessary for the hiring decision or employment relationship. For unsuccessful candidates, this usually means deletion within a few months. For employees, certain data may be kept longer where required by labor, tax or regulatory obligations, but never beyond what is justified. Security of the data is paramount, with strict access controls, encryption and audit trails. Organizations should also maintain internal policies and document their legitimate interest assessments to prepare for potential regulatory inquiries.

"In the DACH region, companies must balance strict data protection laws with the need to prevent insider threats. We help them achieve that balance by making background screening both compliant and effective," said Reto Marti, Chief Operating Officer at Validato AG.

Screening should not be treated as a one-off administrative exercise but as part of a broader human risk framework. HR and security teams should jointly classify roles by risk level and define the appropriate checks. Processes should be standardized so that every high-risk role undergoes consistent vetting, reducing the possibility of gaps or bias. Embedding these workflows into digital platforms ensures efficiency, while periodic reviews of screening policies keep them aligned with evolving regulations and business needs. Employee trust can be maintained by explaining the rationale behind checks and ensuring that they are not excessive.

Technology and expert guidance play a decisive role in making human risk management both effective and compliant. Validato provides a modern background screening and identity verification platform that automates checks and streamlines workflows. The platform offers modular screening packages, ranging from basic identity confirmation to comprehensive credential, financial and integrity assessments. Validato ensures that data is processed securely, stored under strict retention controls, and handled in alignment with GDPR and local data protection laws. Validato integrates consent management, audit trails and risk-tiered workflows to reduce the administrative burden on HR and security teams while accelerating decision-making.

CypSec complements this with strategic cybersecurity and compliance expertise. As a trusted advisory partner, CypSec helps organizations embed human risk management into their broader security frameworks. This includes aligning background checks with insider threat programs, integrating screening results into access-control decisions, and ensuring compliance across all company branches and jurisdictions. Together, Validato and CypSec provide a combined solution that addresses both the operational and strategic dimensions of human risk: Validato automates and secures the vetting process, while CypSec ensures that these processes reinforce the organization's overall security posture.

It is important to keep in mind that human risk analysis in the DACH region always requires careful navigation of data protection law, organizational risk priorities and operational efficiency. Organizations need to adopt a role-based, proportional approach to protect themselves against insider threats while respecting employee privacy. Screening must be transparent, justified and limited to what is necessary for each role. With the right tools and partners, compliance and security can reinforce each other rather than compete. Validato's technology and CypSec's advisory support allow companies to achieve this balance, enabling HR and security leaders to mitigate risks effectively and lawfully while building trust within their workforce.


About Validato AG: Headquartered in Zurich, Switzerland, Validato AG specializes in GDPR-compliant background screening and identity verification for companies operating in the DACH region. Its platform helps organizations design lawful, risk-based vetting processes that align with BDSG, DSG, and FADP while reducing insider threats. For more information on Validato AG, visit validato.com.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.

