The General Data Protection Regulation (GDPR) is designed to protect the personal data and privacy rights of individuals across the EU. While most articles address general personal data, GDPR Article 10 focuses specifically on a very sensitive category: information about criminal convictions and offences. This includes not only formal criminal records but also allegations, investigations, or security-related information that may imply criminal wrongdoing.
Because such data can significantly impact a person’s life — employment, housing, social inclusion, reputation — Article 10 imposes strict rules on how organizations can collect, store, and use this information. It ensures that people are not unfairly judged or have their freedoms restricted based on criminal-related data being misused or processed irresponsibly.
In this article, we break down everything you need to know about GDPR Article 10: what it covers, who can process criminal offence data, what conditions must be met, and examples of compliant and non-compliant practices.
What Is Criminal Conviction Data Under GDPR?
Article 10 applies to personal data relating to:
- Criminal convictions (court judgments)
- Criminal offences (past or ongoing)
- Security measures taken against a person
- Alleged criminal conduct even without a conviction
This category is different from special category data under Article 9, but it has a similar level of protection because of its sensitivity.
Criminal data could include:
- Official criminal records from a government authority
- Information about arrests, investigations, charges, police reports
- Records on probation, imprisonment, or bail conditions
- Data implying suspected criminal behavior, even if unproven (e.g., CCTV footage flagged for theft)
Why special handling?
Because unlawful processing of criminal data can lead to:
- Discrimination and professional exclusion
- Reputational damage
- Wrongful denial of services (jobs, rentals, loans, etc.)
- Misjudgment of character based on false or outdated accusations
Therefore, GDPR Article 10 ensures that personal data linked to criminal activities is handled ethically, securely, and only with legitimate legal grounds.
The Core Rule of Article 10
The key requirement is clear:
Criminal offence data may only be processed under the control of an official authority OR when permitted by EU or Member State law.
This means ordinary companies cannot freely collect or use criminal records. They must meet two requirements:
1. A Legal Basis for Processing
This must come from:
- A specific provision in national or EU laws
- A regulation allowing criminal background checks for specific roles (e.g., teachers, security guards)
- A legal obligation to ensure public safety
Consent from individuals alone is not sufficient in most cases, because it could be coerced (e.g., a job applicant pressured to reveal records).
2. Safeguards Must Be in Place
Organizations must implement:
- Strict access control — only trained staff can view the data
- Data minimization — collect only what is necessary
- Retention limits — delete when purpose ends
- Record-keeping and audit trails
- Risk assessments before processing
- Secure storage and encryption
The GDPR expects “appropriate safeguards” to prevent misuse or unauthorized access.
Who Is Allowed to Process Criminal Conviction Data?
Authorized Public Authorities
Examples include:
- Courts
- Police or law enforcement agencies
- Immigration authorities
- Social services
These organizations process criminal data as part of their legal duties.
Private Organizations With Legal Authorization
Some sectors require criminal background checks to maintain trust and safety:
| Sector | Example of Justification |
|---|---|
| Education | Screening teachers for child safeguarding |
| Finance | Fraud prevention and regulatory compliance |
| Healthcare | Ensuring staff have no violent convictions |
| Transportation | Criminal record checks for taxi or bus drivers |
| Security services | Verifying suitability for handling weapons or sensitive premises |
These checks must always be:
- Proportionate
- Relevant
- Legally required
Key Principles That Apply to Criminal Data Processing
Even when legal grounds exist, Article 10 emphasizes full compliance with core GDPR principles:
- Lawfulness — There must be a specific law allowing it.
- Fairness — Individuals must not be judged unfairly.
- Transparency — Individuals must know what is collected and why.
- Purpose limitation — Criminal data cannot be used for unrelated purposes.
- Accuracy — Records must be up-to-date to prevent wrongful consequences.
- Storage limitation — Retain data only as long as necessary.
- Security — Strong technical and organizational measures are required.
Any breach of these principles could lead to severe legal penalties.
Practical Examples of Compliant and Non-Compliant Processing
Understanding Article 10 is easier with real-world scenarios:
✔ Compliant Examples
| Scenario | Why It’s Allowed |
|---|---|
| A school requests a criminal background check before hiring a teacher | Required by national child protection laws |
| A bank screens applicants for money-laundering convictions | Mandatory under financial regulations |
| A security company checks guards for violent offences | Safety-related legal requirement |
| Police store and process criminal history information | Controlled by official authority |
In all cases, processing is tied to legal obligations and safeguards are in place.
✘ Non-Compliant Examples
| Scenario | Why It’s Prohibited |
|---|---|
| An online shop checking criminal records of customers | No lawful basis |
| A landlord searching a tenant’s criminal history using private databases | Discriminatory and unlawful if not regulated |
| An employer asking an applicant to disclose all past convictions “just in case” | Consent not valid; disproportionate |
| A company retaining background checks indefinitely | Breach of storage limitation principle |
Any organization performing these actions risks a violation of Article 10.
How Article 10 Protects Individuals
Article 10 acts as a shield against misuse and profiling.
People are protected from:
- Systemic discrimination based on mistakes or past events
- Unlawful denial of opportunities due to misleading information
- Harassment by unauthorized access to police records
- Data breaches exposing highly sensitive personal information
The GDPR attempts to ensure that criminal history does not follow someone forever, especially if they have legally rebuilt their lives.
Many Member States even have provisions like:
- Automatic deletion of minor offences after a period
- “Rehabilitation” principles preventing disclosure of older records
Such protections reinforce dignity and fairness in society.
Security Measures Required Under Article 10
Because of the sensitivity of criminal data, organizations must implement strong protections, such as:
- Encrypted storage of criminal records
- Controlling and logging who views the data
- Secure transfer protocols between authorities and companies
- Privacy-enhancing technologies (anonymization or pseudonymization)
Additionally, organizations must:
- Conduct Data Protection Impact Assessments when high-risk processing is involved
- Train employees to handle such data responsibly
- Ensure third-party processors follow GDPR standards
If these safeguards are missing, processing becomes unlawful.
How Does Article 10 Relate to Other GDPR Articles?
- It complements Article 6 (legal bases for processing)
- It aligns with Article 9 regarding special categories of data
- It intersects with Article 5 on data protection principles
- It is connected to Article 32 — security of processing
- Supervisory authorities can enforce compliance under Articles 58 and 83
In cases of non-compliance, organizations may face significant administrative fines and legal claims from affected individuals.
Challenges Organizations Face When Applying Article 10
Many businesses struggle with:
- Understanding when processing is legally permitted
- Identifying proportionality — what is necessary and what is excessive?
- Obtaining up-to-date records from authorities
- Avoiding discrimination during hiring decisions
- Managing retention and secure deletion policies
To navigate this complexity, legal experts and Data Protection Officers (DPOs) are usually required to guide decision-making.
Conclusion
GDPR Article 10 is a critical provision designed to protect one of the most sensitive forms of personal data — information relating to criminal convictions and offences. Its main purpose is to prevent discrimination, reputational damage, and misuse of criminal-related data by ensuring that such information is processed only under strict legal conditions and with strong security safeguards.
Key takeaways:
- Criminal conviction data is highly sensitive and tightly regulated.
- Processing is allowed only by official authorities or under specific Member State laws.
- Safeguards like access controls, limited retention, and accuracy checks are mandatory.
- Individuals must be protected from unjust consequences connected to their criminal past, allegations, or inaccurate data.
By following Article 10 requirements, organizations can build fair and accountable systems that respect privacy rights while balancing the need for public safety and trust.