Article 10 of the GDPR speaks about a very important point about data relating to criminal convictions and offences. The Article is as follows:
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
The above indicates that data relating to criminal convictions and offences can only be processed only when-
- There is control of official authority or
- Union or Member State law has authorised the processing when adequate measures are in place to protect the freedom and rights of the data subject
However, Article 10 has brought to mind various questions such as what exactly constitutes criminal convictions and offences? Who is an official authority? Can private entities be interpreted to have official authority? Would it be unlawful for organizations to maintain criminal records of their employees?
These questions arise because the GDPR has failed to define the terms ‘criminal convictions and offences’ and ‘official authority’. However, many countries have made an attempt to interpret these terms and find an answer to these questions.
For instance, the Government of Cyprus has interpreted the term ‘official authority’ as the Police. Hence, the Police can maintain records relating to criminal offences. Further, coming to the question, what exactly constitutes criminal convictions and offences? This has again been left to interpretation and there are varying views. In one case, the learned advocate stated that this term would also include proceedings which have led to the acquittal of the individual. Even the Data Protection Act, 2018 of the UK has given a broad definition which is-
the alleged commission of offences by the data subject” and “ proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing“
As for private organisations being considered as an ‘official authority’, each Member State has put in place their own laws and regulations to deal with this matter. Some countries such as Poland and Sweden allow private entities to maintain the criminal records of their employees to a limited extent and only for those employees who deal with the vulnerable and at risk populations such as children.
It is to be seen during the course of time if GDPR is amended to define the terms which can lead to confusion amongst the Member States. The GDPR was mainly brought into force to bring in uniformity but due to lack of clarity and foresight, it has put the Member States in the same dilemma as before as they would have to enact their own laws to bring in protection to the citizens of their country and be more cautious about the privacy aspect. Till then, case laws will serve as the guiding light to answer some of the questions.
References:
-https://www.legal500.com
– https://www.lexology.com
– https://www.twobirds.com
– https://www.natlawreview.com
– https://www.scl.org