5 Real-World Examples of GDPR Article 10: Processing Data on Criminal Convictions and Offences

The General Data Protection Regulation (GDPR) is one of the most significant frameworks in the world for protecting personal data. Among its many provisions, Article 10 specifically addresses the handling of personal data related to criminal convictions and offences. This article ensures that such sensitive data is processed under strict control and only when permitted by law.

Article 10 is short but powerful, as it governs an area of information that can easily lead to discrimination or misuse if mishandled. It ensures that any data about criminal acts, investigations, or penalties is processed with appropriate legal safeguards. This article works closely with Article 9, which concerns special categories of personal data, but focuses exclusively on information about crimes and punishments.

In this article, we will explore five practical examples of GDPR Article 10 in action, illustrating how organizations in different sectors must handle criminal-related data responsibly and legally. These examples cover areas such as employment, background checks, financial services, law enforcement cooperation, and education.


Understanding GDPR Article 10

Before looking at the examples, let’s review what Article 10 actually says.

Article 10 (GDPR):
“Processing of personal data relating to criminal convictions and offences or related security measures shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”

In simpler terms, this means:

  • You can only process data about criminal offences or convictions if you are authorized by law.
  • Only competent authorities or entities with legal permission may collect or handle this information.
  • Adequate safeguards must protect individuals’ rights, preventing misuse, unauthorized disclosure, or discrimination.

Criminal data is especially sensitive because it can influence a person’s reputation, employment opportunities, and access to services. Therefore, the GDPR ensures that such information cannot be collected or stored casually or used for unrelated purposes.


Example 1: Criminal Background Checks for Employment

One of the most common real-world applications of GDPR Article 10 occurs during employment background checks. Many employers want to know whether a potential employee has a criminal record, especially when hiring for positions involving trust, safety, or financial responsibility.

However, under GDPR Article 10, employers cannot freely access or store this type of data unless national law permits it. For instance, in some EU countries, employers may only request criminal record certificates for specific roles, such as those in education, healthcare, or banking.

Scenario:
A hospital in Germany wants to hire a new nurse. Before the contract is finalized, the HR department requests a certificate of good conduct from the candidate, issued by the federal authorities. The document confirms that the person has no previous criminal convictions.

Compliance under Article 10:

  • The hospital can only process this certificate because German law authorizes such checks for healthcare workers.
  • The document must be used only for employment verification and not stored longer than necessary.
  • The hospital must ensure data minimization—only the necessary information (whether or not the person has a record) should be processed, not detailed crime descriptions.

If the hospital used this information to profile or discriminate against the applicant without legal justification, it would violate Article 10 and face potential GDPR penalties.


Example 2: Financial Institutions Conducting AML (Anti-Money Laundering) Checks

Financial institutions such as banks, payment processors, and investment firms often perform anti-money laundering (AML) and counter-terrorism financing checks. These processes frequently involve assessing whether clients have prior criminal convictions related to financial crime.

Under GDPR Article 10, this processing is allowed only because it is authorized by law—specifically, by AML regulations that require institutions to verify customers' backgrounds to prevent illicit financial activity.

Scenario:
A bank in France opens an account for a new business client. During the due diligence process, the compliance department checks law enforcement databases and public records to ensure the client has no criminal record linked to fraud or tax evasion.

Compliance under Article 10:

  • The processing of criminal-related information is lawful because EU AML directives and French legislation explicitly authorize it.
  • The bank must ensure the collected data is used exclusively for AML purposes.
  • The data must be stored securely and deleted once retention periods required by financial regulations expire.

In this case, the bank is not misusing sensitive data but fulfilling a legal obligation. However, if the bank shared the client’s past conviction with marketing teams or external partners, it would breach Article 10’s principles.


Example 3: Law Enforcement Cooperation with Private Companies

Another common example involves cooperation between law enforcement agencies and private organizations. Occasionally, police or judicial bodies request assistance or information from companies during investigations into criminal activity.

Private companies, however, cannot store or use that data for other purposes once the cooperation ends. Under GDPR Article 10, they may only process criminal-related data if authorized by specific legal frameworks, such as national criminal procedure codes.

Scenario:
An online marketplace suspects that some users are selling stolen electronics. The company reports this activity to the police, providing transaction data and user profiles. The police, in turn, share limited information about an ongoing investigation to help the platform prevent further illegal sales.

Compliance under Article 10:

  • The marketplace processes this criminal data under police authority and within the scope of national law.
  • The shared data must remain strictly confidential, accessible only to relevant staff.
  • Once the cooperation ends, the company must erase or anonymize any investigation-related personal data.

If the company were to later use that information to ban unrelated users or for profiling, it would violate Article 10. The rule ensures private entities do not exploit data obtained through criminal investigations for unrelated commercial or reputational purposes.


Example 4: University Screening of Students for Professional Programs

Some universities or educational institutions that prepare students for sensitive professions—such as law, medicine, or childcare—may need to verify that candidates have no serious criminal history.

Under GDPR Article 10, universities can only perform such checks if required by national or professional regulations. For instance, nursing or teaching programs may require students to present clean records to ensure the safety of patients or minors.

Scenario:
A university in the Netherlands offers a teacher training program. Before accepting students for school placements, it asks them to submit a Certificate of Conduct (VOG) issued by the Dutch Ministry of Justice.

Compliance under Article 10:

  • The university processes criminal record data under legal authorization tied to child protection laws.
  • The certificate is checked but not retained indefinitely—only a confirmation that the student met the legal requirement is stored.
  • Access to this data is restricted to authorized staff handling placements.

This process ensures compliance with GDPR while maintaining public safety and institutional integrity. Any attempt to collect additional criminal data outside the scope of these legal requirements would constitute a breach.


Example 5: Data Processing by Insurance Companies After Criminal Events

Insurance companies may occasionally process data related to criminal incidents, such as theft, arson, fraud, or traffic offences, when evaluating claims or risk profiles. However, they cannot process criminal conviction data for general marketing or pricing purposes unless national law permits it.

Scenario:
An insurance company in Spain receives a car accident claim. During investigation, it discovers that the driver was convicted of driving under the influence the previous year.

Compliance under Article 10:

  • The insurer may process this information only if Spanish insurance law authorizes it for fraud detection or claim verification.
  • The criminal conviction data must not be reused for marketing, advertising, or risk scoring unrelated to the claim.
  • The company must ensure data accuracy and limit data access to the fraud investigation department.

If the insurer later shared this information with third parties or refused future coverage without legal justification, it would violate Article 10.


Key Principles Demonstrated Across All Examples

Across these five examples, several recurring principles of compliance emerge. Understanding them helps organizations ensure that their processing of criminal-related data remains lawful and ethical.

  1. Legal Authorization is Mandatory
    • Article 10 requires a clear legal basis from either EU or national law. Without such authorization, processing criminal data is unlawful, even if individuals consent.
  2. Purpose Limitation
    • The data can only be used for the specific legal purpose that justifies its collection (e.g., background screening, AML compliance).
    • Reuse for unrelated goals like profiling, marketing, or discrimination is forbidden.
  3. Data Minimization and Storage Limitation
    • Only necessary information should be collected, and it should not be stored longer than needed.
    • Certificates or criminal records should be verified and then deleted, keeping only minimal proof of verification.
  4. Strict Access Control
    • Access to criminal data must be limited to authorized personnel involved in the legitimate process (e.g., HR, compliance officers, investigators).
  5. Safeguards and Security Measures
    • Organizations must implement technical and organizational measures to prevent unauthorized access, leaks, or misuse.
    • Encryption, role-based permissions, and secure data deletion are key practices.
  6. Data Subject Rights
    • Even though the data is sensitive, individuals retain the right to access, rectification, and erasure within the limits of legal obligations.
  7. Transparency and Documentation
    • Entities should clearly inform data subjects about why and how their criminal data is processed, referencing the relevant legal authorization.
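The seven principles above are easier to audit when they are enforced in code rather than left to policy text. The following Python example is added here and is not from the original article, from any regulator or from any vendor; the statute reference, the role names, the retention period and the candidate identifiers are constructed placeholders. It models a store that keeps only the verification outcome (never the certificate itself), refuses to process anything without a recorded legal basis, binds every read to the purpose and roles declared by that basis, purges records once the statutory retention period has passed, and writes every allowed or refused access to an audit trail.

```python
"""Proof-of-verification store for criminal-record checks. Added illustration, not code
from any project or regulator; statute references and role names are placeholders."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta


class ProcessingRefused(Exception):
    """Raised when a request lacks a legal basis, a matching purpose or a permitted role."""


@dataclass(frozen=True)
class LegalBasis:
    reference: str                 # placeholder statute citation
    purpose: str                   # the single purpose the statute authorises
    allowed_roles: frozenset[str]  # roles that may read the outcome
    retention_days: int            # retention period fixed by that statute


@dataclass
class VerificationProof:
    meets_requirement: bool   # the only fact kept from the certificate
    basis_reference: str
    purpose: str
    retention_until: date


@dataclass
class VerificationStore:
    salt: bytes
    proofs: dict[str, VerificationProof] = field(default_factory=dict)
    audit_log: list[tuple] = field(default_factory=list)

    def _ref(self, subject_id: str) -> str:  # salted hash, never a bare name or ID number
        return hashlib.sha256(self.salt + subject_id.encode()).hexdigest()[:16]

    def _refuse(self, today: date, ref: str, reason: str) -> None:
        self.audit_log.append((today, "refused", ref, reason))  # principle 7: every attempt logged
        raise ProcessingRefused(reason)

    def record_check(self, subject_id, certificate_clean, basis, today):
        ref = self._ref(subject_id)
        if basis is None:  # principle 1: no legal basis, no processing (consent does not substitute)
            self._refuse(today, ref, "no legal authorisation recorded")
        # principle 3: keep outcome and provenance, nothing from the certificate body
        self.proofs[ref] = VerificationProof(certificate_clean, basis.reference, basis.purpose,
                                             today + timedelta(days=basis.retention_days))
        self.audit_log.append((today, "record", ref, basis.purpose))
        return ref

    def lookup(self, subject_id, purpose, role, basis, today):
        ref = self._ref(subject_id)
        proof = self.proofs.get(ref)
        if proof is None:
            self._refuse(today, ref, "no verification on file")
        if purpose != proof.purpose or purpose != basis.purpose:  # principle 2: purpose limitation
            self._refuse(today, ref, f"purpose '{purpose}' differs from '{proof.purpose}'")
        if role not in basis.allowed_roles:  # principle 4: strict access control
            self._refuse(today, ref, f"role '{role}' not authorised for {purpose}")
        self.audit_log.append((today, "read", ref, f"{purpose}/{role}"))
        return proof.meets_requirement

    def purge_expired(self, today):
        # principle 3: storage limitation enforced by code, not only by policy text
        expired = [r for r, p in self.proofs.items() if p.retention_until < today]
        for ref in expired:
            del self.proofs[ref]
            self.audit_log.append((today, "purge", ref, "retention expired"))
        return len(expired)


HEALTHCARE_HIRING = LegalBasis(  # constructed example basis with a placeholder citation
    reference="PLACEHOLDER: national healthcare staffing statute",
    purpose="healthcare employment screening",
    allowed_roles=frozenset({"hr_screening_officer"}), retention_days=90)


def _attempt(action):
    try:
        action()
        return "allowed"
    except ProcessingRefused:
        return "refused"


def demo():
    """Run the lifecycle on a constructed candidate and return what happened."""
    store, basis, day0 = VerificationStore(b"constructed-salt"), HEALTHCARE_HIRING, date(2024, 1, 10)
    store.record_check("candidate-0001", True, basis, day0)
    hr = "hr_screening_officer"
    out = {
        "hr_read": store.lookup("candidate-0001", basis.purpose, hr, basis, day0),
        "marketing": _attempt(lambda: store.lookup("candidate-0001", "marketing", hr, basis, day0)),
        "wrong_role": _attempt(lambda: store.lookup("candidate-0001", basis.purpose, "line_manager", basis, day0)),
        "no_basis": _attempt(lambda: store.record_check("candidate-0002", True, None, day0)),
    }
    out["purged"] = store.purge_expired(day0 + timedelta(days=91))  # day 91 is past the 90-day retention
    out["audit_entries"] = len(store.audit_log)
    return out
```

Calling demo() walks one constructed candidate through the lifecycle: the HR read succeeds, while the marketing read, the read by a role the statute does not name, and the check attempted without any legal basis are all refused and logged; the purge on day 91 then removes the 90-day record. In a real deployment the retention period and role list would be taken from the authorising statute rather than from a constant, and the audit log would live in append-only storage.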

Risks of Non-Compliance

Violating GDPR Article 10 can lead to serious legal and financial consequences. Because criminal data is considered highly sensitive, improper handling can cause severe harm to individuals’ reputations or rights. Supervisory authorities may impose fines, restrict data processing activities, or require deletion of unlawfully obtained information.

Common violations include:

  • Conducting background checks without a legal basis.
  • Retaining criminal data indefinitely.
  • Sharing or selling data about convictions to third parties.
  • Using criminal information for discriminatory purposes (e.g., denying housing or services).

Organizations must not only comply with GDPR itself but also ensure they follow national data protection and criminal record laws, which can vary significantly between EU member states.


Conclusion

Article 10 of the GDPR emphasizes one of the strongest data protection principles: criminal-related personal data must never be processed arbitrarily or misused. It recognizes that this category of data can profoundly impact individuals’ lives, careers, and dignity.

The five examples discussed—employment background checks, AML procedures, law enforcement cooperation, university screening, and insurance investigations—show how different sectors can process such data legally when properly authorized and safeguarded.

Ultimately, Article 10 reinforces the balance between public safety and individual privacy, ensuring that while society has tools to prevent crime and protect institutions, individuals remain shielded from unnecessary exposure or unfair treatment.