April 7th, 2022 | Stephanie Knipe

GDPR and the processing of criminal conviction data across Europe

The GDPR does not make criminal record checks illegal in Europe. Instead, Article 10 of the GDPR, entitled ‘Processing of personal data relating to criminal convictions and offences’, defers to the laws of each Member State to determine whether the processing of criminal record information is lawful or not. This has meant that across the EEA (and the UK) there is a wide range of legislation as to whether or not employers can consider relevant criminal record convictions as part of a hiring decision.

When deciding whether or not to require candidates to undergo a criminal record check, it is therefore necessary to look in detail at the applicable laws and regulatory guidance (a country’s data protection regulator will often have issued guidance as to the acceptability of criminal record checks on employees).

Recently, a major global retailer was found by the Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), to have breached Article 10 of the GDPR and Article 10 of the Spanish Data Protection Act (Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales) and handed a €2,000,000 fine.

In this case, the business was requiring its candidates to provide a criminal record certificate during the hiring process for delivery drivers. The hiring firm claimed that it had a legitimate interest in verifying that these candidates did not have previous criminal convictions in order to protect its customers, since the delivery drivers would be entrusted with handling products that may be of high value, and would be coming within close proximity of customers’ homes. The retailer also required, and relied on, the candidates’ consent to process their personal data, including their criminal record certificate.

The business also argued that requiring a certificate stating the absence of criminal records did not amount to processing criminal data under Article 10 of the GDPR since the certificate would not contain any data on the commission of crimes. The AEPD, however, rejected this claim, and instead considered the absence of a criminal record to be criminal data. This is not a surprising judgment, as other European Data Protection Authorities had already reached the same conclusion, including the UK’s Information Commissioner’s Office.

Did it make any difference that this organisation required its candidates to obtain a criminal record certificate themselves, rather than the hiring firm running a full criminal record check on them? No, it did not, the AEPD explained: a criminal record certificate may contain sensitive information including, but not limited to, criminal convictions, and employers in Spain should refer to the restrictions on criminal record checks before requiring their candidates to obtain certificates themselves. The AEPD held that the only valid lawful basis for processing criminal data would be where it was required by law: legitimate interests cannot be a basis to process criminal conviction data under Spanish law. This case also emphasised the nature of consent: while the business claimed that the candidates consented to their data being processed, the AEPD held that as the candidate did not have the option of withholding consent for the processing of their criminal record data, consent was therefore not freely given or valid.

Therefore, the case rested on whether the organisation had any grounds under Spanish law to run a criminal record check on a candidate. To do so, there would have needed to be a legal requirement under Spanish organic law or any other Spanish legal norm. Examples of roles that would require a criminal record check would include those working with minors, senior positions in the banking industry, or the police force. As there is no Spanish law that would require a delivery driver to undergo a criminal record check, the business did not have any grounds to request a criminal record certificate.

This decision from the Spanish regulator stresses again the vital importance of taking into account applicable local law when checking a candidate’s criminal record, as the permissibility of performing these checks varies from country to country. Some countries, such as Spain, require there to be legislation in place that specifically permits a criminal record check to take place; other countries, such as the UK, are much less restrictive. Certain countries, such as Germany, permit the employer to require a criminal record certificate only in very specific circumstances.

As permissibility varies, so do lawful bases for processing. As we can see from the AEPD judgment, legitimate interest is not considered a lawful basis for processing criminal record data in Spain; however, in other jurisdictions it may be acceptable. Additionally, it is always important when relying on consent to look at the specific question you are asking, and to determine whether it really is consent: can the candidate actually say no without any repercussions? If not, it may be deemed invalid.



This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.