Processing Personal Data of Criminal Convictions in Cyprus
Article 10 of the General Data Protection Regulation (GDPR) specifically limits the processing of personal data relating to criminal convictions and offences or related security measures.
A number of issues arise when trying to interpret this article, and for this reason the Commissioner for the Protection of Personal Data of Cyprus issued an Opinion[1] (the Opinion) on 16/01/2020.
What is Criminal Offence Data?
The GDPR provides extra protection for “personal data relating to criminal convictions and offences or related security measures”. This includes a wide range of information about criminal activity, allegations, investigations, proceedings and any personal data about a specific criminal conviction or trial, but also any other personal data ‘relating to’ criminal convictions and offences. This covers any personal data which is linked to criminal offences, or which is specifically used to learn something about an individual’s criminal record or behavior. Even though ‘related security measures’ is not defined under the GDPR, it can include personal data about penalties, conditions or restrictions placed on an individual as part of the criminal justice process or civil measures which may lead to a criminal penalty if not followed. In this article, the aforementioned data will be collectively referred to as ‘Criminal Offence Data’.
One of the reasons why such data requires extra protection is that it is seen as more private and sensitive. The GDPR explicitly mentions that this type of personal data merits specific protection, as its use could create significant risks to the individual’s fundamental rights and freedoms and result in discrimination and stigmatisation.
However, even though Criminal Offence Data requires extra protection, this type of data is treated differently than other types of personal data. This is mainly because the interests of society at large and the need to protect the public from criminal activity are likely to justify the processing of Criminal Offence Data in a broader variety of situations, despite the potential impact on individual rights.
What are the rules for Criminal Offence Data?
According to Article 10 GDPR, processing of personal data relating to criminal convictions and offences or related security measures shall be carried out only in any of the following circumstances:
Further, Article 10 states that “any comprehensive register of criminal convictions shall be kept only under the control of official authority”.
A number of questions arise when reading Article 10, for example, who is considered as an ‘official authority’, or what counts as a ‘comprehensive register of criminal convictions’? The Opinion seeks to address these questions.
The Opinion
The binding Opinion has given much needed clarity on the issue of processing personal data relating to criminal convictions and offences under Article 10 GDPR. First, the Opinion states that, in order for an organisation to be considered an ‘official authority’, it should (i) have power exercising effective control and (ii) that power should be official, i.e. it should stem from national legislation. In Cyprus, that authority is the Cyprus Police (the Police). The Police also keep the Record of Previous Convicts, which serves as the full criminal record for Cyprus.
Moreover, in Cyprus the appropriate safeguards for the rights and freedoms of data subjects are ensured by Law No. 73(I)/2004 (the Law), Articles 9 and 10. When a national law requires specific employees to have a clean criminal record, an employer may request from them a criminal record certificate or to authorise them to obtain one by themselves. Such a request will be made under the provisions of Article 10(1) of the Law. In a case where a national law requires a public authority to process Criminal Offence Data on the basis of a legal obligation or for the performance of a task carried out in the public interest, such processing will be made under Article 9 of the Law.
A private organisation is not allowed to keep a register of criminal convictions as it is not regulated by an official authority. A private organisation cannot collect Criminal Offence Data in advance from sources like the internet, in case such data will be needed in the future.
When can a private organisation process Criminal Offence Data?
The Opinion has clarified that a private organisation can process Criminal Offence Data relating to its employees or clients only where the following are met:
1) The basic principles of GDPR, which are the following:
2) Any of the legal bases below:
3) The provisions of Article 10(1) GDPR, i.e. as already mentioned, a private organisation can request from its employees a criminal record certificate, which can only be issued by the Police to the applicant or to a person duly authorised by the applicant.
It is noted that the Criminal Offence Data should be kept separately for each employee/client for a specific and limited amount of time and, most importantly, it should not be included in a register.
Importance
The Opinion has clarified many of the issues arising from Article 10 GDPR, but it should be kept in mind that the processing of any data, including Criminal Offence Data, must always be lawful, fair, transparent and in compliance with all the other principles and requirements of the GDPR.
[1] The full (Greek) text of the opinion can be found here.
For more information please visit our website microsite on Data Protection & Cyber Law or contact Ms Munevver Kasif at [email protected]