Article 10 of the General Data Protection Regulation (GDPR) specifically limits the processing of personal data relating to criminal convictions and offences or related security measures. A number of issues arise when trying to interpret this article, and for this reason the Commissioner for the Protection of Personal Data of Cyprus issued an Opinion (the Opinion) on 16/01/2020.
What is Criminal Offence Data?
The GDPR provides extra protection for "personal data relating to criminal convictions and offences or related security measures". This includes a wide range of information about criminal activity, allegations, investigations, proceedings and any personal data about a specific criminal conviction or trial, but also any other personal data 'relating to' criminal convictions and offences. This covers any personal data which is linked to criminal offences, or which is specifically used to learn something about an individual's criminal record or behavior. Even though 'related security measures' is not defined under the GDPR, it can include personal data about penalties, conditions or restrictions placed on an individual as part of the criminal justice process or civil measures which may lead to a criminal penalty if not followed. In this article, the aforementioned data will be collectively referred to as 'Criminal Offence Data'.
One of the reasons why such data requires extra protection is that it is seen as more private and sensitive. The GDPR explicitly mentions that this type of personal data merits specific protection, as its use could create significant risks to the individual's fundamental rights and freedoms and result in discrimination and stigmatisation.
However, even though Criminal Offence Data requires extra protection, this type of data is treated differently than other types of personal data. This is mainly because the interests of society at large and the need to protect the public from criminal activity are likely to justify the processing of Criminal Offence Data in a broader variety of situations, despite the potential impact on individual rights.
What are the rules for Criminal Offence Data?
According to Article 10 GDPR, processing of personal data relating to criminal convictions and offences or related security measures shall be carried out only in any of the following circumstances:
- Under the control of official authority; or
- When the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
Further, Article 10 states that "any comprehensive register of criminal convictions shall be kept only under the control of official authority".
A number of questions arise when reading Article 10, for example, who is considered as an 'official authority', or what counts as a 'comprehensive register of criminal convictions'? The Opinion seeks to address these questions.
The binding Opinion has given much needed clarity on the issue of processing personal data relating to criminal convictions and offences under Article 10 GDPR. First, the Opinion states that, in order for an organization to be considered an 'official authority', it should (i) have power exercising effective control and (ii) that power should be official, i.e. stem from national legislation. In Cyprus, that authority is the Cyprus Police (the Police). The Police also keeps the Record of Previous Convicts, which serves as the full criminal record for Cyprus.
Moreover, in Cyprus the appropriate safeguards for the rights and freedoms of data subjects are ensured by Law No. 73(I)/2004 (the Law), Articles 9 and 10. When a national law requires specific employees to have a clean criminal record, an employer may request from them a criminal record certificate or to authorise them to obtain one by themselves. Such a request will be made under the provisions of Article 10(1) of the Law. In a case where a national law requires a public authority to process Criminal Offence Data on the basis of a legal obligation or for the performance of a task carried out in the public interest, such processing will be made under Article 9 of the Law.
A private organisation is not allowed to keep a register of criminal convictions as it is not regulated by an official authority. A private organisation cannot collect Criminal Offence Data in advance from sources like the internet, in case such data will be needed in the future.
When can a private organisation process Criminal Offence Data?
The Opinion has clarified that a private organisation can process Criminal Offence Data relating to its employees or clients, only under the circumstances where the following are met:
1) The basic principles of GDPR, which are the following:
- to be processed lawfully, fairly and in a transparent manner, and also to be collected for specified, explicit and legitimate purposes only;
- to be limited to what is necessary, accurate and up-to-date;
- to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- to be processed in a manner that ensures appropriate security of the personal data.
- The organisation is responsible for complying with all the above and must be able to demonstrate such compliance.
2) Any of the legal bases below:
- if the data subject has given his consent;
- if it is necessary for the performance of a contract to which the data subject is party;
- for compliance with a legal obligation;
- for protecting the vital interests of a person;
- for the performance of a task carried out in the public interest; and
- for the purposes of the legitimate interests pursued by that organisation, only if and to the extent that such interests do not override the interests or fundamental rights of the data subject.
3) The provisions of Article 10(1) GDPR, i.e. as already mentioned, a private organisation can request from its employees a criminal record certificate, which can only be issued by the Police to the applicant or to a person duly authorised by the applicant.
It is noted that the Criminal Offence Data should be kept separately for each employee/client for a specific and limited amount of time and most importantly, it should not be included in a register.
The Opinion has clarified a lot of the issues arising from Article 10 GDPR, but it should be kept in mind that the processing of any data, including Criminal Offence Data, must always be lawful, fair, transparent and in compliance with all the other principles and requirements of the GDPR.
1 The full (Greek) text of the opinion can be found here.