EU: Processing of personal data related to criminal convictions for employment purposes - Part one
Article 10 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') subjects the processing of personal data relating to criminal convictions to additional restrictions. OneTrust DataGuidance Research breaks down Member State requirements regarding the processing of personal data related to criminal offences for employment purposes in France, Portugal, and Italy, featuring insights from Ricardo Henriques, from Abreu Advogados, Sarah Delon-Bouquet, from Addleshaw Goddard LLP, and Rocco Panetta, from PANETTA Studio Legale. Part two focuses on Member State requirements in the Czech Republic, Germany, and Spain.
General legislation on the processing of criminal data for employment purposes
In particular, the GDPR outlines that the processing of personal data relating to criminal convictions must only be carried out under the control of an official authority, or when the processing is authorised by EU or Member State law providing appropriate safeguards for the rights and freedoms of data subjects (Article 10 of the GDPR).
Accordingly, the processing of criminal personal data varies on a jurisdictional basis, with specific legal bases required for the processing for employment purposes.
Rocco Panetta outlined that "under the current Italian legal framework, employers shall no longer process the employees' judicial data based on the Italian data protection authority's ('the Garante') general authorisation, as it lacks any prescriptive effectiveness.
[Furthermore,] it is worth noting that Article 8 of Law No. 300/1970 ['the Workers Statute'], in laying down the prohibition for employers to investigate employees' political, religious, or trade union opinions and facts not relevant for the evaluation of the candidates'/employees' working aptitude, does not totally exclude the possibility of processing of data relating to criminal convictions and offences, provided that the respect of rights and freedoms of the data subject is ensured, with particular regard to Italian Constitution and European data protection legislation principles. Anyhow, the worker/candidate has the right to claim damages in court for failure to hire or for dismissal in violation of the aforementioned prohibition".
Concerning general regulation, Panetta states that "it seems important to point out that, under Article 2-octies of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (EU) (2016/679) ['GDPR'] ['the Privacy Code'] the lawfulness of the processing of personal data relating to criminal convictions and offences or related security measures, always in accordance with general conditions laid down by European legislation, which does not take place under the control of a public authority, is subject to the existence of an authorisation by a provision of law or, in cases provided for by law, regulations. In this regard, the Italian Legislator has given relevance only to primary normative sources (Laws, Decree-Laws, Legislative Decrees) and secondary (Regulations provided for by law).
Otherwise, when the processing of personal data relating to criminal convictions and offences neither takes place under the control of a public authority, nor is already allowed by law or regulation, it may be considered legitimate only in compliance with the provisions established by a Decree of the Ministry of Justice identifying appropriate safeguards for the rights and freedoms of data subjects.
In this regard, it should be noted that on 24 June 2021, the Garante issued a positive opinion on the draft Regulation on the Processing of Personal Data relating to Criminal Convictions and Offences and the Related Appropriate Guarantees ['the draft Regulation'] adopted by the Italian Ministry of Justice pursuant to Article 2-octies(2) of the Privacy Code, while suggesting some changes.
The draft Regulation significantly strengthens the protection provided for the processing of judicial data and defines a set of minimum guarantees to be applied to all processing operations, including those carried out in the public context on the basis of other legal provisions (e.g. the compliance with the principles of proportionality and data minimisation provided for by the GDPR, verification of the reliability of data sources, the regular verification of data accuracy, and their updating on the judicial position of data subjects)."
On the other hand, the processing of personal data relating to criminal offences for employment purposes is subject to a different restriction in Portugal.
Ricardo Henriques provides that "with regard to applicable national law, it should be considered that the processing of criminal data in the employment context has to be assessed on a case-by-case basis. In general terms, national law authorises the processing of criminal data in this context, only when it is strictly necessary and relevant to assess the aptitude of the employee/candidate with regard to the execution of the employment contract, as are the cases specifically established by law (in accordance with the Portuguese Labour Code). Additionally, for the processing to be considered necessary, these criteria should be analysed on a case-by-case basis.
[Furthermore,] national law further establishes that, where legitimate and lawful, criminal data concerning employees or candidates may only be provided, in the context of an employment relationship, if its content is limited to the elements specified in the Law No. 12.037 of October 1 2009 ['the Criminal Identification Law']".
Article 3 of the Criminal Identification Law notes that identification may occur when:
- the document is erased or has evidence of forgery;
- the document presented is insufficient to fully identify the accused;
- the accused has different identity documents with conflicting information;
- criminal identification is essential for police investigations, according to an order of the competent judicial authority, which will decide ex officio or through representation of the police authority, the Public Ministry or the defence;
- the use of other names or different qualifications appears in police records; and
- the state of conservation or the temporal distance of location of the issuance of the document presented makes it impossible to fully identify the essential characters.
Regarding the processing of personal data related to criminal offences in France, Sarah Delon-Bouquet provides that "[t]here is no general legislation under French law on the obtaining and processing of criminal data for hiring and employment purposes. As per general French law, the principles and the combination of several Civil Code and Labour Code provisions (Article 9 of the Civil Code on the respect of a person's privacy, Articles L.1221-6 et s. of the Labour Code), a job applicant would not be required to provide a criminal record unless this has a direct and necessary link with the proposed job (for example, specific functions with access to sensitive financial information or funds handling). Certain collective labour agreements also provide for the submission of criminal records if the position justifies it.
[Moreover], employers are not listed as persons able to process data relating to criminal convictions and offenses, pursuant to Article 46 of the Labour Code. Potential sanctions for saving or keeping private criminal records are five years' imprisonment and a fine of €300,000 for individuals, and €1.5 million for legal persons, pursuant to Articles 226-19(2), and 131 to 38 of the Penal Code. The employer should not process (save or keep) the criminal record, only indicate that this has been checked, without any further information".
Sector specific restrictions on the processing of personal data related to criminal convictions for employment purposes
In addition, the processing of personal data related to criminal offences, while subject to general legislative restrictions, will also be subject to sector specific restrictions, notably in finance and healthcare.
Concerning general regulation, Panetta states that "regarding the processing of judicial data, within the employment relationship, in its opinion on the draft Regulation, the Garante pointed out that the data subject's consent cannot be a legitimate legal basis. In fact, in the context of the employer-employee relationship, considering the weaker position of the employee, [their] consent cannot be considered freely given.
However, it should be noted that the content of the regulation may be destined to change, also in the light of the opinion rendered by the Italian Council of State on 15 February 2022, No. 355.
[Further,] the provisions of Article 2-octies(3) of the Privacy Code should also be taken into account, which provides that processing of data relating to criminal convictions and offences, or related security measures shall be allowed if authorised by law or, where so provided for by law, by a regulation concerning a long list of cases, including, among others:
- fulfilment of obligations and exercise of rights by the controller or data subject in connection with labour law or within the framework of employer-employee relations under the terms set out in laws, regulations, and collective agreements, and in pursuance of Article 9(2), letter b), and Article 88 of the GDPR;
- fulfilment of the obligations set out in laws or regulations concerning mediation for the purpose of resolving civil and commercial disputes;
- verification or establishment of the absence of criminal records, personal qualifications, and disqualifications where so provided for by laws or regulations (such as, for example, the verification of good repute requirements, pursuant to Legislative Decree No. 385/1993 ['the Consolidated Law on Banking']);
- determination of liability for accidents or events relating to human life, and preventing, detecting, or countering fraud or situations of factual risk to the appropriate performance of insurance activities under the terms set out in the relevant laws or regulations (such as the reporting obligations of insurance companies pursuant to the Legislative Decree No. 209/2005 ['the Private Insurance Code']); and
- fulfilment of the obligations set out in the applicable legislation concerning prevention of the use of the financial system for the purpose of money laundering the proceeds of crime and financing terrorism."
Equally, with regard to sector specific legislation on the processing of personal data related to criminal convictions for employment purposes in Portugal, Henriques notes "[i]n certain situations, the law specifically provides for the necessity to access the criminal record of the candidate or employee within the scope of the profession to be exercised. In particular, this is the case for the following sectors of activity: employment involving regular contact with minors; professional associations (such as doctors, lawyers, dentists, veterinarians, acupuncturists, among others); public procurement; private security; professions related to goldsmithery and silversmithing; financial sector; and for the practice of certain activities, such as hunting.
[In regard to sanctions,] failure to comply with the law and where access to criminal records is requested by the employer in violation of the specific provisions above, may constitute an administrative offence, punishable by a fine of up to €61,200, depending on the company's turnover and the degree of fault of the offender".
Likewise, Delon-Bouquet highlights that "there are no sector specific restrictions on the processing of criminal data per se. However, certain sectors (such as insurance/banking, safety/defence) permit such processing of criminal data for certain roles and positions. The sectors concerned are related to security, defence, games, bets, and gambling, giving access to protected zones or where dangerous equipment or products are used, or when directly linked with the safety of persons or goods within a public transportation company or of transportation of dangerous merchandise. There exist specific laws, for example authorising surveillance, security, and cash transport companies to check criminal records of their employees by obtaining so-called B2 or B3 criminal record extracts. Such laws would also refer to the period during which the criminal record may be kept. This is sometimes handled during an administrative investigation. Employees working in private security activities for example would need to obtain a professional card and during the process of obtaining such card, the Prefect would request a B2 criminal record extract.
[More specifically,] the data would be requested online and obtained by the applicant or employee (a B3 certificate giving details on convictions in central records or indicating that there are convictions) or for certain regulated professions by the Prefect on request of the employer or by certain authorities pursuant to an administration investigation. Also, prior to collecting such data, the applicant will need to be informed on the background check pursuant to Article 13 of the GDPR".
Harry Chambers Privacy Analyst
With comments provided by:
Ricardo Henriques Partner
Abreu Advogados, Lisbon
Sarah Delon-Bouquet Counsel
Addleshaw Goddard LLP, Paris
Rocco Panetta Managing Partner
PANETTA Studio Legale, Rome