April 7th, 2022 | Sterling

GDPR and the processing of criminal conviction data across Europe

The GDPR does not make criminal record checks illegal in Europe.Instead, Article 10 of the GDPR, entitled ‘Processing of personal data relating to criminal convictions and offences’ defers to the laws of each Member State to determine whether the processing of criminal record information is lawful or not. This has meant that across the EEA (and the UK) there is a wide range of legislation as to whether employers can consider relevant criminal record convictions as part of a hiring decision.

When deciding whether to require candidates to undergo a criminal record check, it is therefore necessary to look in detail at the applicable laws and regulatory guidance (a country’s data protection regulator will often have issued guidance as to the acceptability of criminal record checks on employees).

Recently, Amazon Road Transport Spain was found by the Spanish Data Protection Authority, the Agencia Española de Protección de Datos(AEPD), to have breached Article 10 of the GDPR and Article 10 of the Spanish Data Protection Act(Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales) and handed a €2,000,000 fine.

In this case, Amazon was requiring its candidates to provide a criminal record certificate during the hiring process of delivery drivers: Amazon claimed that they had a legitimate interest in verifying that these candidates did not have previous criminal convictions in order to protect their customers since the delivery drivers would be entrusted with handling products that may be of high value, and would be coming within close proximity of customers’ homes. Amazon also required, and relied on, the candidates’ consent to process their personal data, including their criminal record certificate.

Amazon also argued that requiring a certificate stating the absence of criminal records did not amount to processing criminal data under Article 10 of the GDPR since the certificate would not contain any data on the omission of crimes. The AEPD, however, rejected this claim, and instead considered the absence of a criminal record to be criminal data. This is not a surprising judgment, as other European Data Protection Authorities had already reached the same conclusion, including the UK’s Information Commissioner’s Office.

Did it make any difference that Amazon required its candidates to obtain a criminal record certificate themselves, rather than Amazon running a full criminal record check on them? No, it did not, the AEPD explained: a criminal record certificate may contain sensitive information including, but not limited to, criminal convictions, and employers in Spain should refer to the restrictions on criminal record checks before requiring their candidates to obtain certificates themselves. The AEPD held that the only valid lawful basis for processing criminal data would be where it was required by law: legitimate interests cannot be a basis to process criminal conviction data under Spanish law. This case also emphasised the nature of consent: while Amazon claimed that the candidates consented to their data being processed, the AEPD held that as the candidate did not have the option of withholding consent for the processing of their criminal record data, consent was therefore not freely given or valid.

Therefore, the case rested on whether Amazon had any grounds under Spanish law to run a criminal record check on a candidate. To do so, there would have needed to be a legal requirement under Spanish organic law or any other Spanish legal norm. Examples of roles that would require a criminal record check would include those working with minors, senior positions in the banking industry, or the police force. As there is no Spanish law that would require a delivery driver to undergo a criminal record check, Amazon did not have any grounds to request a criminal record certificate.

This decision from the Spanish regulator stresses again the importance of taking into account applicable local law when checking a candidate’s criminal record, as the permissibility of performing these checks varies from country to country. Some countries, such as Spain, require there to be legislation in place that specifically permits a criminal record check to take place; other countries, such as the UK, are much less restrictive. Certain countries, such as Germany, permit the employer to require a criminal record certificate only in very specific circumstances.

As permissibility varies, so do lawful bases for processing: as we can see from the AEPD judgment, legitimate interest is not considered a lawful basis for processing criminal record data in Spain: in other jurisdictions it may be acceptable.It is also always important when relying on consent to look at the question you are asking, and determining whether it really is consent: can the candidate actually say no without any repercussions? If not, then it is not valid consent.

Download our ‘GDPR and Background Checks: Considerations for Employers’ checklist to help with a robust and compliant screening program.

This content is offered for informational purposes only. First Advantage is not a law firm, and this content does not, and is not intended to, constitute legal advice. Information in this may not constitute the most up-to-date legal or other information.

Readers of this content should contact their attorney or lawyer to obtain advice concerning any particular legal matter. No reader, or user of this content, should act or refrain from acting on the basis of information in this content without first seeking legal advice from counsel or lawyers in the relevant jurisdiction. Only your individual attorney or legal advisor can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this content does not create an attorney-client relationship between the reader, or user of this presentation and First Advantage.