When your employees come into contact with government contracts, classified information, or critical infrastructure, a standard hiring process quickly becomes a legally demanding procedure. Here’s what to expect – and where the pitfalls lie.

When Does This Apply to You?
Security screenings are not an issue exclusively for public authorities. Private companies are also affected as soon as they execute government contracts where employees gain access to security-relevant information or work in so-called security-sensitive positions.
The law identifies two main categories:
Personnel classified information protection: Employees who are to be given access to information classified as VS-CONFIDENTIAL, SECRET, or TOP SECRET must be vetted in advance.
Preventive personnel sabotage protection: Anyone working in a security-sensitive position within a facility that is vital to life or national defense – for example in energy supply, water supply, telecommunications, or the defense industry – also falls within the scope of the law.
Whether your company or specific positions are concretely affected is decided by the competent public authority. At the federal level, this is generally the Federal Ministry for Economic Affairs and Climate Action (BMWK); at the state level, the relevant state authority.
The Three Screening Levels
The Federal Security Screening Act (SÜG) – most recently amended by the Act Modernising the SÜG in January 2026 – provides for three graduated levels of screening:
Ü1 – Basic Security Screening: Applies where there is the possibility of access to VS-CONFIDENTIAL classified information. Queries are made with the domestic intelligence service, the Federal Central Criminal Register, the Commercial Central Register, the Federal Criminal Police Office, and the police authorities at previous places of residence. An internet search of publicly visible content is also conducted – under current law explicitly including social media.
Ü2 – Extended Security Screening: Applies where there is access to SECRET-classified information or a large volume of VS-CONFIDENTIAL material. Additionally, identity and previous addresses are examined in greater depth; social media may be reviewed.
Ü3 – Extended Security Screening with Security Investigations: The most intensive level, applying to TOP SECRET matters or work at intelligence agencies. In addition, reference persons named by the individual concerned as well as other suitable informants are interviewed.
Your Obligations as an Employer
Registration: Before any screening of your employees can even be requested, you must register your company with the BMWK or the BDBOS under the preventive personnel sabotage protection scheme. This requires a formal letter from management designating a sabotage protection officer.
Security officer: The tasks associated with the security screening must be handled within the company by a unit separate from regular HR – HR must not have access to the outcome of the screening (§ 25(5) SÜG).
Initiating the process: You can trigger a screening by writing to the BMWK describing the security-sensitive activity and enclosing the written consent of the person concerned.
Outcome: The BMWK will only inform you whether clearance can be granted or not – you will not receive any substantive details from the screening.
Checking the prerequisites: Importantly, before initiating a screening you should carefully verify that the statutory requirements are actually met. A screening that is not justified can have consequences under employment and data protection law.
Employee Consent – Without It, Nothing Works
A security screening requires the written consent of the person concerned without exception. This is non-negotiable. Without consent, the process may not be initiated.
This raises a practical question for you as an employer: what happens if an employee or applicant refuses? The person simply cannot perform the security-sensitive role. Whether this has employment law consequences – for example at the point of hiring or in the context of an ongoing employment relationship – depends on the individual case and should be assessed legally.
The GDPR is, according to the prevailing view, not applicable to the security screening process itself (Art. 2(2)(a) GDPR). For your transmission of data as an employer to the authority, Art. 6(1)(b) GDPR may serve as the legal basis where the screening is necessary for the performance of the employment relationship, because the employees would otherwise be unable to fulfil their contractually owed duties.
What Is Examined and What Constitutes a Security Risk
The law defines three categories of security risk (§ 5 SÜG):
First, doubts as to the reliability of the person in carrying out a security-sensitive activity. Second, a particular vulnerability to approaches or recruitment attempts by foreign intelligence services or extremist organisations. Third, doubts about the person’s commitment to the free democratic basic order.
In practice, the following aspects are relevant: membership in anti-constitutional groups (including suspected cases), extremist statements on social media or in chats, liking or sharing such content, tattoos bearing relevant symbols, contacts with such persons, and false statements in the security declaration. The last point is particularly sensitive: anyone who provides false information in the security declaration will, as a rule, risk a finding of a security risk – regardless of the substantive allegation.
Important for practice: A finding of a security risk requires only actual indications. There is no need for a criminal conviction. In cases of doubt, the security interest takes precedence (§ 14(3) SÜG).
Excursus: Lie Detectors – Legal and Practical Considerations
In the context of security screenings, the question occasionally arises as to whether the use of a polygraph (colloquially: lie detector) is or could be permissible.
The answer in Germany is clear: its use is not recognised as a means of evidence in either criminal proceedings or employment law. The Federal Court of Justice has fundamentally rejected its admissibility on the grounds that the method lacks scientific reliability. Based on current knowledge, no clear connection can be established between physical reactions such as pulse, blood pressure, and perspiration and whether a person is lying.
The Federal Labour Court confirmed in 2023 (BAG, 28.02.2023 – 2 AZR 194/22; BGH 30 November 2010 – 1 StR 509/10 – para. 6; 24 June 2003 – VI ZR 327/02 – paras. 6 ff.; BVerwG 31 July 2014 – 2 B 20.14 – paras. 9 ff.) that a polygraph result does not constitute a suitable means of evidence in employment court proceedings.
Beyond this, there are significant data protection and personal rights concerns: the processing of biometric and health-related data captured in the process constitutes a serious interference for which there is generally no adequate legal basis. Given the typical dependency inherent in an employment relationship, truly voluntary consent is scarcely conceivable. Works council co-determination rights may also apply.
In short: the lie detector remains a legally impermissible instrument in Germany – including, and especially, in the context of security screenings.
What Does This Mean for Your Company in Practice?
If you are pursuing a government contract that requires security screening of your employees, we recommend the following steps:
First, verify whether the statutory requirements for a screening are actually met. Clarify at an early stage which employees are specifically affected and whether they are prepared to complete the required security declaration. Ensure that a unit separate from HR is responsible for handling the process within your company. Allow for the time involved: security screenings can take months and should therefore be initiated well in advance of the planned deployment of the employees. Document the consent of the persons concerned carefully and in the legally prescribed form.
Our Conclusion
Security screenings are not a bureaucratic end in themselves, but a legally regulated procedure with real consequences for both sides – companies and employees alike. Anyone who fails to carefully examine the prerequisites or initiates the process incorrectly risks not only the failure of the contract, but also employment and data protection law problems.
At Legal Living Hub, we advise you both on determining whether a screening is required in your specific case and on implementing the entire process in a data protection-compliant manner.
Legal status: June 2026 | This article is for general information purposes only and does not replace individual legal advice.
Further information is available from the Federal Commissioner for Data Protection and Freedom of Information (BfDI): https://www.bfdi.bund.de/DE/Buerger/Inhalte/SÜG/FAQ.html




