A glimpse of criminal check in European Union countries under GDPR
The Professional Background Screening Association (PBSA) held its annual conference on September 14-15, 2021. Integrity Asia had the opportunity to attend this event virtually. At this annual conference, one of the interesting topics brought up was Criminal Record Checks in Europe: Navigating the Murky Waters of Article 10 by Mark Sward from Sterling and Kerstin Bagus from NetForce Global.
Article 10 of GDPR regarding processing criminal record information is important to discuss because it relates to the practice of screening companies in European Union countries. The article states that processing of personal data relating to criminal convictions and offenses or related security measures is based on Article 6. [Lawful basis for processing] shall be carried out only under the supervision of official authorities or when the processing is authorized by Union or Member State law that provides adequate safeguards for data subjects’ rights and freedoms. Any comprehensive register of criminal convictions should be kept only under the control of official authorities.
According to Article 4, processing means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Based on article 10, basically, processing criminal data is not forbidden by GDPR, it is only restricted to what is specifically authorized by law. Therefore, a private company in EU member countries can still put criminal data into the database, but can not have a comprehensive database.
As for accessing criminal data in EU member states for criminal check purposes, it is also not forbidden, but it’s not always easy for each country. Some countries have restrictive regimes, some others have less restrictive ones. For example, in Ireland and Sweden, criminal checks are quite strict because they can only be carried out with a legal mandate on individuals whose fields of work are related to children and vulnerable people.
While in the UK, access to criminal data is quite easy, but they have a fairly complex set of criminal records consisting of three levels. As for Luxembourg, access to criminal data is also quite easy. Employers can obtain a candidate’s criminal record if specified in the job vacancy and the record must not be kept for more than one month. If the candidate does not pass the job selection, the data must be destroyed immediately. Each country has its own access policy depending on who is requesting access and for what purpose.