GDPR - Information
Personal data relating to criminal convictions and offences
According to the general rule in Article 10 GDPR, processing of personal data relating to criminal convictions and offences is not permitted to be conducted by private actors. On the other hand, it may be permissible to process personal data relating to criminal convictions and offences in certain cases, by means of applicable exceptions to the general rule.
Examples of personal data relating to criminal convictions and offences
Information that an individual has:
- Committed a crime,
- Concretely suspected of a crime,
- A conviction by a court in relation to a criminal case;
- Been subjected to criminal coercion. For example, a seizure or if the person has been detained.
Suspicion of a crime may constitute criminal offence data
If there is information relating to a suspicion that an individual has committed a crime, this may constitute criminal offence data, even if no legal proceedings have been initiated. However, the data in question need to achieve a certain degree of concreteness. If the data relate to a certain category of crime or a certain crime, a sufficient degree of concretisation is considered to have been achieved. In addition, a sufficient degree of concreteness may be regarded as having been attained if the aggregated data correspond to the objective elements of a criminal law provision. Something that also indicates that it is criminal offence data, is whether the purpose of the processing is to process criminal offence data, either in whole or in part.
Member States are free to decide whether to authorise the processing of personal data relating to criminal convictions and offences
According to the general rule in Article 10 of the GDPR, private parties are prohibited from processing personal data relating to criminal convictions and offences. However, each Member State is free to decide whether or not to allow the processing of such data. Please note that the prohibition does not apply to processing carried out by law enforcement authorities, as it is regulated in another directive.
Private parties may process personal data relating to criminal convictions and offences in certain cases
A private company may, under certain exceptions to the general rule, process personal data relating to criminal convictions and offences. The following are examples of such situations.
If it is necessary for the purpose of defending, asserting or establishing a legal claim
Example: If there is a concrete reason for an insurance company to suspect that there has been an insurance fraud, the insurance company may process the data for the purpose of establishing a legal claim in a court of law.
If the processing is regulated by another law or regulation (legal obligation)
Example: Banks must both investigate and report if they suspect that one of their customers is committing money laundering. Banks may in such cases process the necessary personal data to investigate and report suspicions of money laundering.
Private actors can apply to process personal data relating to criminal convictions and offences
In addition to the possibility for national data protection authorities to decide which exceptions apply to the prohibition of the processing of personal data relating to criminal convictions and offences that are general, they may also take decisions in individual cases. In other words, a company may submit an application to the national data protection authority to process personal data relating to criminal convictions and offences. However, this does not automatically mean that the data protection authority will approve the processing.
Carry out an impact assessment
A company wishing to apply to the national data protection authority for the processing of personal data relating to criminal convictions and offences does not need to carry out an impact assessment before the application is made. However, the company may need to carry out an impact assessment before they start processing, i.e. after they have received permission to process personal data about breaches of the law.
Consent is not a valid legal basis for processing of personal data relating to criminal convictions and offences
Personal data relating to criminal convictions and offences constitute privacy-sensitive personal data, but are not sensitive personal data according to Article 9 of the GDPR. Processing of sensitive personal data may be allowed if the company obtains explicit consent to the processing of the data subject in question. However, this does not apply to the processing of personal data relating to criminal convictions and offences. It is not allowed to carry out the processing of personal data relating to criminal convictions and offences on the basis of the legal basis consent.
Learn More about GDPR
Personal identification numbers and coordination numbers form another group of privacy-sensitive personal data
Personal data relating to criminal convictions and offences and sensitive personal data are covered by special provisions of the GDPR. However, an individual’s personal identification number is not. Please note, however, that there are usually other laws and regulations within the respective EU countries that restrict the processing of personal identification numbers. In Sweden, for example, personal identification numbers are public information that everyone can access, while only the person to whom the personal identification number belongs can obtain it in Finland.