Author: András Jóri
Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
I. Preliminary remarks
Art. 10 GDPR sets out specific rules for the processing of personal data relating to criminal convictions and offences or related security measures. While not covered by Art. 9 GDPR on the processing of special categories of data, processing these data nevertheless can be associated with a higher level of risk, such as stigmatisation or undue discrimination; this justifies such specific rules. Art. 10, on the one hand, sets out a general rule for any processing of personal data relating to criminal convictions and offences or related security measures based on Art. 6 para. 1; and, on the other hand, it contains rules on comprehensive registers of criminal convictions.
II. Legislative history
According to Art. 8 para. 5 of the DPD, “processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority”. It is noted that the DPD regulated data relating to offences, criminal convictions or security measures in the article devoted to the processing of special categories of data. In the Comm-P, the processing of data relating to criminal convictions or related security measures was addressed by Art. 9 para. 1 and para. 2 lit. j (on the processing of special categories of personal data). Thus, the original intention was to have a general prohibition on the processing of such data; and an exception referring to the conditions now in Art. 10 GDPR. Eventually, these data were not included in the article on the processing of special categories of personal data but became subject to a separate provision (Art. 10 GDPR).
III. Analysis
1. Personal data related to criminal convictions and offences or related security measures
Art. 10 GDPR covers the processing of personal data relating to criminal convictions and offences, as well as related security measures. Information on ‘criminal convictions’ refer to an actual conviction; data on ‘criminal offences’ may not address actual convictions; and ‘related security measures’ concern measures related to criminal offences and stopping short of criminal convictions. Moreover, personal data relating to administrative sanctions or judgments in civil cases are not covered (it is noted that Art. 8 para. 5 of the DPD contained a derogation making possible for Member States to “provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority”). As to the boundaries between criminal and administrative sanctions, it is settled case law that three criteria are considered for the determination of the concept of ‘criminal proceedings’: “(t)he first criterion is the legal classification of the offence under national law, the second is the very nature of the offence, and the third is the nature and degree of severity of the penalty that the person concerned is liable to incur”.
[…]