The organisation should identify and document the roles and positions within scope of background checks under relevant national and European laws. These typically include persons who:
- Hold sensitive functions in or for the benefit of the organisation, particularly in relation to its resilience
- Are authorised to access, directly or remotely, the organisation's premises, information, or control systems
- Are being considered for recruitment to such positions
The criteria that trigger a background check request to the competent authority should be documented. The criteria should reflect:
- The sensitivity of the role and the level of access involved
- The potential security risk to the organisation's resilience
- The events that initiate a check, such as recruitment, role change, change in access rights, and (where applicable) periodic re-checks for ongoing sensitive positions
For each request, the organisation should:
- Document a duly reasoned justification linking the individual and role to a specific security risk
- Ensure the request is proportionate and limited to what is necessary to assess that risk
- Submit the request to the competent authority designated under national law
Any processing of background check results should comply with applicable data protection law, including lawful basis, retention limits, access restrictions, and procedures for handling adverse findings.
.svg)
