GDPR Rules for Criminal Offense Data

General Data Protection Regulations become law in every European Union member state at the end of this month. Aimed at protecting the personal data of all European Union citizens, GDPR has a direct effect on Criminal Offense data and how it is collected, processed, used and stored in all EU states.

What is GDPR Criminal Offense Data?

In order for companies, organizations or businesses to process data of an EU citizen that pertains to any criminal charge, act or conviction, they must have reason to do so under either article 6 or 10.

Included in criminal offense data would be things like criminal allegations, court proceedings, and convictions. These would be sensitive and personal data.

This data is protected in the same way special category information is protected. If you are processing it you must have official authority to do it. However, removing it from your personal data file is not so automatic.

Data in criminal offenses cannot be collected, processed, used or stored without specific permission.

However, where special category data may NOT be used—except in special circumstances, criminal prosecutions and criminal convictions are a separate matter not covered by special circumstances. People cannot simply apply to have these records deleted from their personal file. Article 10 explains how these must be handled.

A business or individual can keep a file of criminal convictions only if they have official authority to do so. A legitimate reason for keeping this data would be if the record of criminal convictions and offences had been kept for security purposes.

What is different about Criminal Offence Data under GDPR?

Just like all personal data, there must be a specific way to collect, process, use, and store criminal data. Article 6 outlines this process. However, if you are processing personal criminal offence data, there is additional information about how to do this in Article 10.

“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”

What does this mean? You must be officially sanctioned to process this data. Further, you can keep criminal offence data only if your purpose fits the guidelines of article 10.