April 7th, 2022 | Sterling

GDPR and the processing of criminal conviction data across Europe

The GDPR does not make criminal record checks illegal in Europe. Instead, Article 10 of the GDPR, entitled ‘Processing of personal data relating to criminal convictions and offences’, defers to the laws of each Member State to determine whether the processing of criminal record information is lawful or not. This has meant that across the EEA (and the UK) there is a wide range of legislation as to whether employers can consider relevant criminal record convictions as part of a hiring decision.

When deciding whether to require candidates to undergo a criminal record check, it is therefore necessary to look in detail at the applicable laws and regulatory guidance (a country’s data protection regulator will often have issued guidance as to the acceptability of criminal record checks on employees).

Recently, Amazon Road Transport Spain was found by the Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), to have breached Article 10 of the GDPR and Article 10 of the Spanish Data Protection Act (Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales) and was handed a €2,000,000 fine.

In this case, Amazon was requiring its candidates to provide a criminal record certificate during the hiring process of delivery drivers: Amazon claimed that they had a legitimate interest in verifying that these candidates did not have previous criminal convictions in order to protect their customers since the delivery drivers would be entrusted with handling products that may be of high value, and would be coming within close proximity of customers’ homes. Amazon also required, and relied on, the candidates’ consent to process their personal data, including their criminal record certificate.

Amazon also argued that requiring a certificate stating the absence of criminal records did not amount to processing criminal data under Article 10 of the GDPR since the certificate would not contain any data on the commission of crimes. The AEPD, however, rejected this claim, and instead considered the absence of a criminal record to be criminal data. This is not a surprising judgment, as other European Data Protection Authorities had already reached the same conclusion, including the UK’s Information Commissioner’s Office.

Did it make any difference that Amazon required its candidates to obtain a criminal record certificate themselves, rather than Amazon running a full criminal record check on them? No, it did not, the AEPD explained: a criminal record certificate may contain sensitive information including, but not limited to, criminal convictions, and employers in Spain should refer to the restrictions on criminal record checks before requiring their candidates to obtain certificates themselves. The AEPD held that the only valid lawful basis for processing criminal data would be where it was required by law: legitimate interests cannot be a basis to process criminal conviction data under Spanish law. This case also emphasised the nature of consent: while Amazon claimed that the candidates consented to their data being processed, the AEPD held that as the candidate did not have the option of withholding consent for the processing of their criminal record data, consent was therefore not freely given or valid.

Therefore, the case rested on whether Amazon had any grounds under Spanish law to run a criminal record check on a candidate. To do so, there would have needed to be a legal requirement under Spanish organic law or any other Spanish legal norm. Examples of roles that would require a criminal record check would include those working with minors, senior positions in the banking industry, or the police force. As there is no Spanish law that would require a delivery driver to undergo a criminal record check, Amazon did not have any grounds to request a criminal record certificate.

This decision from the Spanish regulator stresses again the importance of taking into account applicable local law when checking a candidate’s criminal record, as the permissibility of performing these checks varies from country to country. Some countries, such as Spain, require there to be legislation in place that specifically permits a criminal record check to take place; other countries, such as the UK, are much less restrictive. Certain countries, such as Germany, permit the employer to require a criminal record certificate only in very specific circumstances.

As permissibility varies, so do lawful bases for processing: as we can see from the AEPD judgment, legitimate interest is not considered a lawful basis for processing criminal record data in Spain, although in other jurisdictions it may be acceptable. It is also always important when relying on consent to look at the question you are asking and determine whether it really is consent: can the candidate actually say no without any repercussions? If not, then it is not valid consent.


Sterling is not a law firm. This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.