A basic principle of conducting international searches on an individual is that you need a lawful basis for processing personal data. This principle applies to both employment-purpose and commercial background checks.
Although the number and type of lawful bases vary from one country to another (especially with the enactment of new data protection and privacy laws in many countries over the last several years), a lawful basis for processing personal data common to all international searches is the consent of the individual search subject. From a compliance perspective, obtaining an individual’s consent for the searches is the best practice.
Other than the requirements that the subject’s express consent be unambiguous and freely given, there is no universally prescribed format or wording for an international consent form.
If the subject’s consent cannot be obtained, you can look to a country’s data protection and privacy laws to determine if a different legal basis may be applicable for processing personal data that does not require the subject’s consent. It is always up to the controller of the data to determine the appropriate legal basis for processing personal data.
For individuals located in the EU or UK, there are several legal bases that will satisfy the compliance requirements under the EU GDPR, the UK GDPR and the Data Protection Act of 2018 (UK) if consent cannot be obtained. The controller can still request these searches if it has a legitimate interest in obtaining the individual’s personal data or needs the data to perform a contract.
If the request for the searches is based on a legitimate interest or performance of a contract, the individual must receive a notice of the controller’s intention to process the data. Notice can be given in several different ways, including directly to the individual, in an engagement letter or similar document, or by publication on the client’s website. The way the controller gives notice is their decision.