EU: Processing of personal data related to criminal convictions for employment purposes - Part two
Article 10 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') subjects the processing of personal data relating to criminal convictions to additional restrictions. OneTrust DataGuidance Research breaks down Member State requirements regarding the processing of personal data related to criminal offences for employment purposes in the Czech Republic, Germany, and Spain, featuring insights from Bartoš Vojtěch and Ema Černá, from Havel & Partners s.r.o., Clemens Ganz and Dr. Isabelle Brams, from Latham & Watkins LLP, and Juan Ignacio Alonso Dregi, from Ceca Magán. Part one focuses on Member State requirements in France, Portugal, and Italy.
General legislation on the processing of criminal data for employment purposes
In particular, the GDPR outlines that the processing of personal data relating to criminal convictions must only be carried out under the control of an official authority, or when the processing is authorised by EU or Member State law providing appropriate safeguards for the rights and freedoms of data subjects (Article 10 of the GDPR).
Accordingly, the processing of criminal personal data varies on a jurisdictional basis, with specific legal bases required for the processing for employment purposes.
In particular, Bartoš Vojtěch and Ema Černá highlight that "Legislation covering the processing of criminal data in general is basically limited to a single rule enshrined in Act No. 262/2006 Coll., Labour Code ('the Czech Labour Code'), which makes such processing only admissible in practice for certain job positions/industries (Section 316(4) of the Czech Labour Code). The Czech Labour Code states that the employer may not require a (future) employee to provide any information that is not directly related to the work performed, nor other enumerated types of sensitive data, including criminal records of the employee. An exception from this general rule exists (i.e. criminal records of the employees may be required) if the following conditions are fulfilled cumulatively:
- there is a substantive reason consisting in the nature of the work that is to be performed; and
- the requirement is proportionate.
Blanket processing of criminal data of all employees is thus not acceptable in the Czech Republic. An individual assessment whether the criminal data can be required should be made in each case."
It should also be noted that the State Labour Inspection Office ('SUIP') is responsible for ensuring employers' compliance with the provisions of the Czech Labour Code, as opposed to the Office for Personal Data Protection ('UOOU').
In addition, Vojtěch and Černá clarify that "There are not any further significant restrictions/guidelines on the processing of criminal data apart from the standard principles of data processing enshrined in the GDPR. In that regard, the processing of criminal data can be based only on the abovementioned national legal basis (i.e. either if the specific conditions of the Czech Labour Code are fulfilled, or if sectoral regulation requires so) and principles, such as data minimisation and storage limitation, must be complied with. Therefore, we often recommend to employers only to require that official excerpts of the criminal record be submitted for a check without its further storage by the employer".
Regarding federal law, Clemens Ganz and Dr. Isabelle Brams provide that "Under German law, there is no data protection legislation that specifically governs the processing of criminal data for employment purposes. However, Section 26 of the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) ('the BDSG') provides general requirements that employers should consider when processing criminal data in the employment or hiring context.
Under Section 26(1)(1) of the BDSG, employers may process employee data to the extent necessary for hiring decisions or, after hiring, for carrying out, or terminating, an employment contract. This legal basis may also apply to the processing of criminal data of candidates or employees - particularly in connection with background checks. Please note, however, that labour courts set strict restrictions for respective checks. In particular, employers may only process criminal data if the respective details are relevant with regard to the specific job position which the candidate or employee will fulfil (e.g., prior convictions relating to financial crimes of a candidate who should work as an analyst for a bank). Accordingly, the admissibility of criminal checks is dependent on a case-by-case [assessment], considering the specific job position.
Under Section 26(1)(2) of the BDSG, employers may process employee data in order to detect crimes if there is a documented reason to believe an employee has committed a crime in the employment context. Please note that this provision is mainly focused on the processing of employee data to uncover possible criminal misconduct by employees. It does not specifically regulate the processing of criminal data that the employer already holds about the employee".
Furthermore, it should be noted that the above provisions, pursuant to Section 26(1)(7) of the BDSG, also apply when processing special categories of personal data of employees without forming, or being intended to form, part of a filing system.
However, Ganz and Brams stipulate that "There is no conclusive guidance by German regulators and courts addressing the question whether the legal bases in Section 26 of the BDSG are considered as appropriate Member State law within the meaning of Article 10 of the GDPR. However, as to date, there are no high court rulings that prevent employers from performing criminal checks on this ground".
Concerning general regulation, Juan Ignacio Alonso Dregi provides that "Regarding applicable national data protection law, employers are not allowed to process the employee's criminal data, except in certain circumstances (basically, depending on the industry in which the company carries out its activity). In this regard, Article 10 of the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD') states that the processing of personal data related to criminal convictions and offences for purposes other than those of prevention, investigation, detection, or prosecution of criminal offences, or the execution of criminal sanctions, may only be carried out when it is covered by a rule of the EU, the national data protection law, or other rules of legal rank.
On the other hand, when the processing of criminal data takes place as part of an employment relationship, the processing can only be carried out if it meets the following requirements:
- the existence of a legal obligation that requires the company to collect criminal data (Article 6(c) of the GDPR); and
- the criminal data is necessary for the execution of the employment relationship (Article 6(b) of the GDPR).
In addition, in terms of processing criminal data, it is important to highlight that the Spanish data protection authority ('AEPD') clarified the question of the possibility of asking for 'negative' criminal records when the employee has no prior criminal convictions. Some entities argued that negative criminal record certifications are 'blank' certifications that do not contain information on convictions or criminal offences, noting that as the natural person has not committed any crime, they do not collect information on the type of crimes committed, the date of commission, or the sentencing body. However, the AEPD issued Proceeding No. PS-00267-2020, on 11 February 2022, clarifying that the criminal record certificate, whether it is positive or negative, involves the processing of information related to criminal convictions, emphasising that negative criminal record certifications show and prove that the natural person has no criminal convictions, which means a processing of criminal data".
On the other hand, Alonso Dregi notes that "some companies do not ask for criminal records, but they ask for 'responsible declarations' to employees stating that they had never committed any infringement or offences. This would also not be allowed since those declarations contain statements about criminal data and, therefore, it may be understood that information related to criminal convictions is being processed by entities".
Sector specific restrictions on the processing of personal data related to criminal convictions for employment purposes
On sectoral requirements, Vojtěch and Černá outline that "In some sectors/job positions, such as the healthcare sector, aviation, and officers of state authorities (e.g. police personnel or firefighters), the possibility to require employees' criminal records (and hence process criminal data) is enshrined in the provisions of specific legal acts. In these sectors, only employees who are considered as 'without any criminal record' can be employed. The term 'without any criminal record' may be defined differently for each sector by the relevant legal regulation - for some sectors it can mean that the potential employee cannot have any criminal records of any nature, or any criminal records for intentional criminal offences. Also, it is quite common that the requirement for no criminal records relates only to offences in the area of employment - e.g. for workers in the healthcare sector, the applicant is considered as 'without any criminal record' if they did not commit any intentional or negligent criminal offence related to the provision of healthcare. The scope of the requirement may also be limited by the particular act, e.g. it may apply only to managerial employees".
Likewise, Ganz and Brams provide that "Some German laws require employers to perform criminal record checks before hiring candidates for certain job positions. For example, public youth welfare organisations have to ensure that their employees have not been convicted of certain relevant crimes. Therefore, respective employers are obliged to request in regular intervals an official certificate of good conduct ('Führungszeugnis') from employees. A similar obligation applies to employers who provide certain services to welfare recipients. For many business areas, on the other hand, there are no specific regulations on the processing of criminal data by employers. In certain sectors, however, the law requires that potential employees are cleared by public authorities in advance (e.g. clearance of certain personnel in the aviation sector)".
Nonetheless, Ganz and Brams detail that "To date, there is only very limited guidance from German supervisory authorities on the processing of criminal data for employment purposes. For example, in a recent guidance[1] on employee privacy, the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') highlights that employers may only ask candidates about prior convictions if this information is relevant with regard to the envisaged job position. Furthermore, the LfDI Baden-Württemberg emphasises that employers may only ask about ongoing criminal proceedings in exceptional cases where a respective investigation gives rise to reasonable doubts about a candidate's suitability.
There is also a widespread case law of German labour courts covering the performance of background checks in the employment context. For instance, the German Federal Employment Court ('Bundesarbeitsgericht') ruled in Decision 2 AZR 1071/12, of 20 March 2014,[2] that employers generally have no legitimate interest in asking candidates about dispensed investigation proceedings or prior convictions that were already deleted from the German Central Criminal Register ('Bundeszentralregister').
Given this strict legal framework, employers in Germany are well advised to only process criminal data of candidates and employees in exceptional cases. They should comprehensively document the reasons that require respective processing operations".
Equally, Alonso Dregi states that "In relation to the processing of personal data related to criminal convictions, within certain types of companies and positions, national laws specifically provide the necessity to access the criminal records of candidates or employees depending on the profession to be exercised.
For example, [in] the following sectors, the national regulations state the possibility of asking for criminal data of employees and candidates:
- employment involving regular contact with minors; in this regard, data about prior sexual crimes may be requested;
- employees of the Public Authorities, Police, or Army: with the purpose of exercising the activities, candidates and employees must be accredited 'good citizenship' by means of a negative criminal record;
- managing members of financial entities may not have been convicted of committing crimes or misdemeanours and, in particular, for money laundering, committing crimes against property, the socioeconomic order, and the Public Treasury and Social Security, among others; therefore, processing criminal data in this regard is allowed;
- insurance agents, agent mediators, and other personnel involved in this industry should not have criminal records for crimes of falsehood, violation of secrets, discovery, and disclosure of secrets against the Public Treasury and Social Security, misappropriation of public funds, and any other crimes against property;
- private security: those workers who provide their services in the field of private security will also have to provide a negative criminal record certificate as a required condition for the performance and maintenance of their activity; however, the judgement of the Spanish Audience of 10 February 2020 ('Judgement 14/2020') states that the processing of criminal data may not be done by the employer, but this processing is only authorised to be done by the General Directorate of Police since it is the authority that must issue the professional security card and check the criminal records previously;
- casino employees, partners, representatives, and/or directors may not have a positive criminal record to provide their services; and
- The processing of criminal data of clients is possible by lawyers and Court agents within the scope of their duties.
The general principle for employers is that the processing of criminal data of candidates and employees is prohibited. Even when, due to the type of activity, it is required that employees do not have criminal records, it is important to analyse regulations with the purpose of checking whether an employer may ask for a criminal record, or, on the contrary, the processing of personal data is only lawful if it is carried out by a competent authority".
Harry Chambers Privacy Analyst
With comments provided by:
Juan Ignacio Alonso Dregi Partner
Ceca Magán, Madrid
1. Available at: https://www.baden-wuerttemberg.datenschutz.de/ratgeber-zum-beschaeftigtendatenschutz-4-auflage/ (only available in German)
2. Available at: https://www.bundesarbeitsgericht.de/entscheidung/2-azr-1071-12/ (only available in German)