Certificates of good conduct for external service providers

October 2, 2025

What security managers need to consider

In data centres, building security or the operation of critical infrastructure, trust in the personnel employed is crucial. Companies are therefore increasingly considering whether they can require external service providers to submit police certificates for their employees. At first glance, this seems like a logical step towards greater security – but in fact, it is a sensitive encroachment on the rights of the individuals concerned, which is only permissible within narrow legal limits.

A certificate of good conduct contains information about possible criminal convictions. It therefore falls within the special scope of protection of Article 10 GDPR. Companies may only process such data if there is a legal basis for doing so or if official supervision is provided for. A contractual agreement with the service provider alone is not sufficient. Even ‘voluntary’ consent from the employee cannot solve the problem. In practice, consent is often not free from pressure, because those who refuse to give their consent may be excluded from the contract – and thus consent loses its effectiveness.

The consequences of a careless approach can be significant. One example of this is Amazon in Spain, where self-employed drivers had to upload criminal records in order to work for the company. The national data protection authority classified this as a violation of Article 10 GDPR and imposed a fine in the millions. The case shows that violations not only pose financial risks, but can also result in reputational damage.

But how can the need for security be reconciled with data protection requirements? One possible solution is for the external service provider to check the certificate of good conduct itself and simply confirm to the client that there are no relevant entries. In this way, the client does not receive any details about previous convictions. However, caution is advised here too: some supervisory authorities already consider the statement ‘no entries available’ to be processing of data relating to criminal offences. Legal risks therefore remain.

For security managers, this means that certificates of good conduct cannot be requested across the board. A specific reason must always be given as to why this measure is necessary. For example, it may be justified in a data centre if technicians with physical access to server rooms have to prove their reliability. In other areas, such as maintenance work without access to sensitive data, the requirement for a certificate of good conduct is likely to be disproportionate.

The principle is therefore that every company must carefully consider whether the requirement for a certificate of good conduct is really necessary and whether there are less restrictive alternatives – such as internal training, access restrictions or certifications. Only if special trustworthiness cannot be proven in any other way can the inspection of a certificate of good conduct be legally justifiable.

Certificates of good conduct are therefore not an all-purpose tool, but a highly sensitive instrument. Anyone who extends the requirement to external employees without knowing the legal limits risks fines, loss of trust and conflicts with the supervisory authorities. For security managers, this means: security yes – but not at the price of a data protection violation.

Checklist: Admissibility of certificates of good conduct for external service providers

1. Check necessity

  • Is the activity particularly security-critical or trust-relevant?
  • Are there other ways to prove reliability (e.g. certificates, training, access restrictions)?

2. Ensure legal basis

  • Is there a legal obligation that allows the submission of a certificate of good conduct?
  • Is processing on the basis of Art. 6(1)(f) GDPR (legitimate interest) justifiable?

3. Clarify responsibilities

  • Who checks the certificates of good conduct – the company itself or an external service provider?
  • Is the company only sent confirmation that there are ‘no relevant entries’ instead of detailed data?

4. Weigh up data protection risks

  • Are the legitimate interests of the employees concerned protected?
  • Are there any potential pressure situations that could compromise the voluntary nature of consent?

5. Documentation and evidence

  • All decisions regarding the processing of certificates of good conduct should be documented.
  • Clearly state the reasons why less intrusive measures are not sufficient.

6. Conduct individual case reviews

  • Each request should be assessed individually.
  • Discuss risks with the data protection department or external experts.
