A fintech hires a Senior Security Engineer after three rounds of interviews. Impressive CV - 10 years of experience, CISSP and CISM certifications, previous employer a renowned Big4 firm. Three months later an internal audit discovers: the engineer was stealing customer data. Investigation: CV was falsified, previous employer never heard of them, certifications invalid. Background check before hiring? There wasn’t one.
This is an extreme case, but the problem is real. Research shows that 30-50% of CVs contain some inaccuracies - from minor ones (exaggerated employment dates) to serious ones (fake education, non-existent companies). In IT, where specialists have access to sensitive systems and data, the risk is elevated.
At the same time, background checks in Poland are a sensitive topic. GDPR, the Labor Code and the personal data protection law all impose limitations on what an employer can verify. The line between due diligence and privacy violation is thin and not always clear.
What is a background check and why is its importance growing in IT?
“87% of companies worldwide report that they either already have a skills gap or expect to have one within the next few years.”
— McKinsey & Company, Closing the IT Skills Gap
A background check is the verification of information provided by the candidate: identity, education, employment history and, where permitted, criminal record, credit history and social media. The scope depends on the position, the industry, regulations and company policy.
Its growing importance in IT has several causes. First, remote hiring: you are hiring someone you have never met in person, on the basis of a CV that is easy to fabricate. Second, cyber threats: insider threats are among the biggest security risks, and IT staff typically hold privileged access. Third, regulatory requirements: fintech, healthcare and government contractors are subject to employee verification requirements.
The IT market is competitive. Candidates know there’s demand. Some exaggerate experience, others provide fake certifications. In HireRight research, 85% of employers discovered inaccuracies in candidates’ CVs.
The costs of a bad decision are high. Hiring the wrong person means recruitment costs, onboarding, termination and possible damages (data breach, IP theft, reputational harm). A background check costs a fraction of that.
What data can you legally collect about a candidate in Poland?
Labor Code Article 22¹ defines the catalog of data an employer can request from a candidate:
- first name(s) and surname
- date of birth
- contact information
- education
- professional qualifications
- employment history
After hiring, additionally: PESEL (national ID number), residence address, bank account number, family status data (for benefits purposes).
Expanding the catalog requires a legal basis. If separate regulations require a criminal record check (e.g., for the financial sector or security services), you can request a certificate of no criminal record. Without such a basis, you cannot.
Candidate consent is not a universal solution. Under GDPR, consent must be freely given. In the employer-candidate relationship there is a power asymmetry: the candidate “must” agree to get the job. UODO (the Personal Data Protection Office) holds that candidate consent cannot be the basis for expanding the data scope beyond the Labor Code catalog.
Exception: data necessary for contract performance or a legal obligation. If the position requires specific qualifications (e.g., a certificate or credentials), you can require documentation.
How to verify education and certifications in compliance with law?
Education is in the Labor Code catalog, so you can request it. The candidate presents a diploma. Can you verify it by contacting the university? In practice this is difficult: universities often refuse to confirm personal data without the graduate’s consent.
Solution: ask the candidate for consent to verification. Consent for a specific action (confirming the diploma at university X) is more targeted, and therefore more defensible, than blanket consent for “all checks.”
IT professional certifications. Most certifying organizations (Cisco, Microsoft, AWS, (ISC)², ISACA) maintain public registries where a certificate can be verified by number or name. This is public data, so verification is allowed.
Fake certifications are a real problem. On the dark web you can buy “certificates” with numbers that look legitimate but do not exist in any registry. Always verify in the official source, never on the document the candidate hands you.
Academic titles. The registry of PhDs and habilitated doctors is public (the POL-on database). Verifying dr/dr hab. titles is simple.
How to conduct reference check without violating GDPR?
Reference check: you contact the previous employer and ask about the candidate. Is this legal?
The previous employer has the right to confirm the fact of employment. This is not disclosure of specially protected data; it is confirming a public fact (the candidate claims they worked there, the employer confirms or denies).
Details about the course of employment require caution. “How do you rate their work?” is a subjective opinion, not a fact. The previous employer may refuse to answer (and often does).
Best practice: candidate consent. Ask the candidate for written consent to contact previous employers, together with a list of contacts. The candidate indicates the references themselves and thereby “authorizes” the contact.
What can you ask in reference check?
- Employment dates (from-to)
- Position
- Scope of duties (generally)
- Would you rehire this person? (often refuse to answer)
What to avoid?
- Questions about health, pregnancy, family plans (discrimination)
- Questions about political views, religion (GDPR - special categories)
- Questions about reasons for leaving (previous employer may not want to disclose)
When and how can you check candidate’s criminal record?
A certificate of no criminal record (KRK) can only be requested when separate regulations require it. Examples:
- Financial sector (Financial Supervision Authority Act)
- Security services (Security Services Act)
- Working with children (Child Protection Act)
- Teachers (Teacher’s Charter)
- Public procurement (certain clauses)
For a “regular” IT position there is no legal basis to request a KRK certificate. The candidate can refuse and would be within their rights.
Exception: positions with special responsibility. Labor court case law allows criminal record checks for positions where a clean criminal record is an “essential condition for proper job performance.” This is a risky interpretation, however, and requires individual assessment.
International projects. If the employee will work for a foreign client that requires a background check, the client may have its own requirements. This does not change Polish law: you must still have a basis in Polish regulations or valid consent.
How to verify employment history and avoid pitfalls?
Employment dates verification. You can ask the candidate for employment certificates, which are public documents. Alternatively, with the candidate’s consent, contact the previous employer’s HR department.
CV gaps. The candidate has a 6-month gap. You can ask “what did you do during this period?”; the candidate can answer or refuse. You cannot assume (e.g., that they were in prison) and discriminate on that basis.
Freelance/B2B history. Harder to verify. The candidate claims they were a “freelancer for company X.” Company X turns out to be a friend’s sole proprietorship. How do you verify this? You can ask for invoices or contracts, but the candidate can refuse on confidentiality grounds.
LinkedIn as a source. A LinkedIn profile is public, so you can check whether it matches the CV. But remember: LinkedIn is also self-reported data, not a verified source.
LinkedIn recommendations. Public, visible to everyone. You can read them, but you cannot contact the people who wrote them without the candidate’s consent (that would be contact “about their matter”).
What are the limits of checking social media?
Public profiles are public. What the candidate has published on a public Facebook or Twitter account is available to everyone, including a potential employer.
But using this data is risky. If you decline to hire a candidate because of a public post about sexual orientation, that is discrimination. If you do so because of a photo taken at church, that is religious discrimination.
Prohibition on obtaining special category data. Under GDPR Article 9, data on orientation, views, health and religion is specially protected. You cannot “obtain” it, even from public sources, for recruitment decisions.
Practical advice. Avoid systematic browsing of candidates’ social media. If something surfaces accidentally (the candidate is publicly known for controversial statements), consult a lawyer before making a decision.
Checking professional presence. LinkedIn, GitHub, Stack Overflow and technical blogs are professional platforms. Checking a candidate’s professional activity there is more acceptable than browsing private vacation photos.
How to outsource background check to external companies?
Background check providers. Companies specializing in verification: HireRight, Sterling, and local Polish firms. They offer education verification, employment verification, criminal record checks (where allowed) and credential verification.
As data controller you remain responsible for compliance. If you outsource the background check to an external company, that is data processing by a processor. You must have a data processing agreement (DPA) and ensure the company acts in compliance with the law.
The scope of the assignment must itself be legal. You cannot circumvent Labor Code restrictions by outsourcing the background check to an external company. If you cannot request a KRK certificate directly, an external company cannot obtain it for you either.
International background checks. For candidates with work history abroad, verification is more difficult: different jurisdictions, different rules, different systems. Specialized companies have global partner networks.
Costs. Basic verification (education, employment): 200-500 PLN. Comprehensive check (with criminal record and international components): 1000-3000 PLN. Corporations pay more for package deals.
How to build a background check policy compliant with law?
Define the scope for different position levels. Entry level: education verification, reference check. Senior/management: additionally, employment verification at key employers. High-risk (security, finance access): additionally, a criminal record check if allowed.
Document the legal bases. For each background check element, record what the basis is: Labor Code Art. 22¹, a separate statute, or candidate consent (and its limitations).
Transparency toward candidates. Inform candidates that you conduct background checks, in what scope and from which sources. GDPR requires information about processing.
Procedure for negative results. What do you do when the background check reveals a CV discrepancy? Give the candidate a chance to explain; it could be a mistake. Document the decision process.
Storage and retention. How long do you keep background check data? For candidates not hired: a short period (3-6 months is standard). For hired candidates: the employment period plus any legally required retention.
Training for hiring managers and HR. The people conducting verification must know what they can and cannot do. One illegal question creates risk for the company.
What are consequences of violating regulations during background check?
GDPR: fines of up to 20 million EUR or 4% of turnover, for processing data without a legal basis, collecting excessive data, or failing to provide information about processing.
Labor Code: employee claims. If a refusal to hire is based on illegally obtained data, the candidate can seek damages.
Discrimination: PIP (the Labor Inspectorate) and the labor court. A recruitment decision based on religion, orientation or pregnancy data is discrimination and gives rise to compensation claims.
Reputational. A company known for invasive background checks finds it harder to attract talent. Glassdoor reviews and social media spread the information.
Criminal liability (in extreme cases). Obtaining KRK data without a legal basis, or falsifying verification documents, can carry criminal liability.
How to communicate background check to candidates?
Timing. Inform candidates about the background check early in the process, in the job posting or at the start of recruitment. A candidate with something to hide may withdraw on their own.
Communication content. “As part of the recruitment process we verify the data provided in the CV, including by contacting previous employers. We ask for your consent to this contact.” Clear, specific, no scaremongering.
Consent and its limits. Remember that consent in the employer-employee relationship has limited value. Rely on the Labor Code and specific regulatory bases rather than on consent as the sole basis.
Information about results. If the background check reveals a problem and you decide not to hire, the candidate has the right to know why (GDPR right of access). Be prepared for this conversation.
Possibility to challenge. The candidate may claim the verification result is wrong. Give them a chance to explain or correct it before the final decision.
Table: What you can and cannot check - quick reference
| Element to Verify | Can You? | Basis | How? | Notes |
|---|---|---|---|---|
| Identity (name, surname) | Yes | Labor Code 22¹ | Identity document | Check at hiring |
| Education | Yes | Labor Code 22¹ | Diploma, contact with university (with consent) | Verify certifications in official registries |
| Employment history | Yes | Labor Code 22¹ | Employment certificates, reference check (with consent) | Previous employer may refuse details |
| Professional certifications | Yes | Labor Code 22¹ (qualifications) | Official registries (public) | Always verify at source |
| Criminal record (KRK) | Depends | Separate regulations (finance, children, security) | KRK certificate | Without legal basis - cannot request |
| Credit check | No* | No basis | N/A | *Only for financial sector with basis |
| Social media (public) | Technically yes | Public data | Browsing | Avoid - discrimination risk |
| Health | No | GDPR special categories | N/A | Only medical exams after hiring decision |
| Political views, religion | No | GDPR special categories | N/A | Discrimination |
| Sexual orientation | No | GDPR special categories | N/A | Discrimination |
| Family status, pregnancy | No | Labor Code discrimination | N/A | Prohibited questions in recruitment |
Background checks in Poland are possible but require legal caution. The boundaries are set by the Labor Code, GDPR, specific regulations and the proportionality principle. Not everything technically possible is legal, and not everything legal is ethical.
Key takeaways:
- Labor Code Art. 22¹ catalog is the basis - education, employment, qualifications
- KRK only with specific regulation basis - not for “regular” IT positions
- Candidate consent is not universal solution - has limited power in employer-candidate relationship
- Reference check with candidate consent - previous employer may still refuse
- Verify IT certifications in public registries - legal and simple
- Social media - avoid systematic browsing, discrimination risk
- Document policy, train team, inform candidates transparently
Properly designed background check protects company from bad hires without violating candidate rights. This balance is achievable.
ARDURA Consulting offers IT recruitment services with professional candidate verification compliant with Polish law. Our process includes credential verification, reference checks, and due diligence tailored to client requirements and regulations. Contact us to discuss secure and effective IT specialist recruitment.