Criminal Conviction and Offence Data Handling — GDPR Art. 10

Criminal Conviction and Offence Data Handling — GDPR Art. 10

Overview

Article 10 of the GDPR establishes a separate regime for processing personal data relating to criminal convictions and offences, or related security measures. Unlike Art. 9 special category data which is subject to a general prohibition with listed exceptions, Art. 10 permits processing only under the control of official authority, or when authorised by EU or Member State law providing appropriate safeguards. The maintenance of a comprehensive register of criminal convictions is restricted to processing under the control of official authority. This skill provides a framework for identifying, classifying, and lawfully processing criminal data within enterprise contexts.

Legal Framework — Art. 10

Text of Article 10

"Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority."

Three Key Requirements

Relationship to Art. 6 Lawful Basis

Art. 10 operates as an additional layer on top of Art. 6. A controller processing criminal data must satisfy BOTH:

1. A lawful basis under Art. 6(1) — typically Art. 6(1)(c) (legal obligation) or Art. 6(1)(f) (legitimate interests, where national law permits)
2. One of the Art. 10 conditions — official authority control OR national law authorisation with appropriate safeguards

Relationship to Art. 9

Criminal data is NOT listed in Art. 9(1) as a special category, but Member States may impose Art. 9-equivalent protections. Some data may fall under both Art. 9 and Art. 10 — for example, data about a criminal offence that also reveals racial profiling concerns or political activity.

Scope of Criminal Data

Data Elements Within Art. 10 Scope

Data Elements Outside Art. 10 Scope

Boundary Cases at Vanguard Financial Services

National Law Derogations

United Kingdom — Data Protection Act 2018

• Schedule 1, Part 1: Conditions for processing criminal conviction data under Art. 10 — includes processing necessary for employment purposes, regulatory requirements, preventing or detecting unlawful acts, protecting the public
• Schedule 1, Part 2: Substantial public interest conditions — includes safeguarding of children and vulnerable adults, regulatory requirements relating to fraud
• Rehabilitation of Offenders Act 1974: Spent convictions must not be disclosed or used in most employment contexts. Exceptions exist for regulated activities (financial services, healthcare, childcare) listed in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975
• DBS Checks: Enhanced DBS checks available only for prescribed positions; basic DBS check available for any purpose with the individual's consent

Germany — BDSG §§ 26, 85

• § 26 BDSG: Employee criminal data may be processed where necessary for the employment relationship and proportionate. Processing of criminal data of job applicants is permitted only where the offence is relevant to the specific role
• Criminal Register Act (Bundeszentralregistergesetz, BZRG): Federal Central Criminal Register managed exclusively by the Federal Office of Justice. Private entities cannot maintain criminal registers

France — Code pénal, Art. 226-19; CNIL Authorisation

• Criminal data processing by private entities requires specific CNIL authorisation or explicit legal basis
• Bulletin No. 3 of the criminal record (casier judiciaire) may be requested by employers only for positions specified by law

Netherlands — UAVG Art. 32

• Processing of criminal data by private entities permitted only where specifically authorised by law or with explicit consent of the data subject
• Verklaring Omtrent het Gedrag (VOG/Certificate of Good Conduct) system managed by Justis (Screening Authority)

Classification Methodology

Step 1: Identify Criminal Data Elements

For each system, scan for data elements that may contain criminal data:

Step 2: Determine Art. 10 Applicability

For each identified element:

1. Confirm the data relates to a criminal conviction, offence, or related security measure
2. Distinguish from civil, administrative, or disciplinary matters
3. For borderline cases (e.g., SARs, internal investigations), assess whether the underlying conduct would constitute a criminal offence

Step 3: Identify National Law Authorisation

For each Art. 10 data element:

1. Identify the specific national law provision authorising the processing
2. Confirm the law provides "appropriate safeguards" as required by Art. 10
3. Document any additional national restrictions (e.g., Rehabilitation of Offenders Act spent conviction protections)

Step 4: Assess Comprehensive Register Risk

Review whether any system maintains what could constitute a "comprehensive register of criminal convictions":

• A database aggregating criminal records across multiple individuals
• A system that enables searching/querying criminal history across a population
• Even partial aggregation may raise comprehensive register concerns if it covers a defined population comprehensively

Step 5: Apply Classification Label

• CRIMINAL_ART10: Data within Art. 10 scope with identified national law authorisation
• CRIMINAL_ART10_NO_AUTH: Data within Art. 10 scope WITHOUT identified national law authorisation (processing must cease until authorisation established)
• CRIMINAL_SPENT: Spent conviction data subject to additional Rehabilitation of Offenders Act protections
• NOT_CRIMINAL: Data reviewed and confirmed outside Art. 10 scope

Implementation at Vanguard Financial Services

Systems Processing Criminal Data

Safeguards Required

Enforcement Precedents

• Metropolitan Police Service v Information Commissioner (UK First-Tier Tribunal, 2014): Tribunal addressed the scope of "criminal offence data" and confirmed that allegations of criminal conduct, even where unproven, constitute criminal data requiring Art. 10-equivalent protections
• ICO Enforcement Notice — Experian Ltd (2020): ICO found Experian's processing of personal data in its marketing services business, which included data indicative of financial crime risk, lacked appropriate lawful basis and transparency
• CNIL Decision SAN-2022-023 — Clearview AI: While primarily an Art. 9 biometric case, the decision also addressed Clearview's processing of data relating to criminal investigations and the requirement for official authority control when aggregating such data
• Austrian DPA — CRIF GmbH (2021): Fined for maintaining a database of criminal-related financial data (insolvency linked to fraud convictions) without adequate national law authorisation under Art. 10

Integration Points

• special-category-data: Criminal data may overlap with Art. 9 categories (e.g., political offences revealing political opinions)
• data-inventory-mapping: Art. 30 RoPA must specifically identify Art. 10 data processing activities
• classification-policy: Criminal data classified as "Restricted" tier with enhanced handling procedures
• cross-jurisdiction-class: Criminal data protections vary significantly across jurisdictions — mapping required for multinational operations