A clean criminal record is no longer sensitive information
The EU’s General Data Protection Regulation enters into force tomorrow (25 May 2018). The GDPR changes the legal classification of data contained in certificates of a clean criminal record. Unlike other changes in the GDPR, this change represents a step toward liberalisation. How will data of this type be treated?
Special categories of personal data—today and tomorrow
As we have reported, under Poland’s current Personal Data Protection Act, in force through today, information contained in certificates of a clean criminal record is regarded as sensitive data. There has been a general prohibition against processing of personal data involving criminal convictions and offences (among other matters). The act has contained a list of 10 exceptions permitting processing of sensitive data, including processing on the basis of express written consent or a specific regulation permitting processing of such data without the consent of the data subject, while maintaining complete guarantees of protection of the data.
The GDPR largely abandons the notion of “sensitive data,” establishing instead a catalogue of “special categories of personal data” such as health, genetic and biometric data. It maintains a general ban on processing of data of this type, with exceptions for the most part analogous to those in place under the old regime permitting such data to be processed in certain situations.
The difference is that information about criminal convictions and offences has been removed from the legal regime applicable to special categories of data (Art. 9 GDPR) and included in a specific regulation under Art. 10 GDPR. It is a restrictive regulation, because instead of a catalogue of 10 exceptions there are only two specific ground rules for processing of this type of data: the processing must be carried out only under the control of official authority or when authorised by the law of the EU or a member state providing for appropriate safeguards for the rights and freedoms of data subjects.
What about data in certificates of a clean criminal record?
The old Art. 27 of the Personal Data Protection Act has prohibited processing of data concerning criminal convictions, sentencing, fines, and other rulings issued in judicial or administrative proceedings. The scope of this ban has been very broad, covering not only convictions (for both crimes and petty offences) but also information about other rulings, e.g. judgments conditionally discontinuing proceedings, acquittals, and other rulings (not judgments) by courts or administrative bodies.
By contrast, the new rules in Art. 10 GDPR prohibit processing of “data relating to criminal convictions and offences or related security measures”—clearly a narrow range of data.
Without entering into the nuances of how these criminal-law concepts framed in English in the GDPR carry over to Polish legal practice, for practical purposes we can draw the following distinctions:
- If the certificate concerning a person’s criminal record states that the person has not been convicted of any criminal offence, then the information is not subject to this special legal regime but is treated as ordinary data—meaning that the standard rules on the grounds for processing of personal data under Art. 6 GDPR will apply, such as performance of a contract, legitimate interests pursued by the data controller, or the consent of the data subject.
- If the certificate does show a conviction (within the meaning of Art. 10 GDPR), then the general ban on processing of such data will apply, as well as the two grounds when processing is permitted (processing under the control of official authority or when authorised by the law of the EU or a member state providing for appropriate safeguards for the rights and freedoms of data subjects).
GDPR permits processing, but what about other regulations?
Sometimes legal regulations require certain persons to present a certificate of a clean criminal record. For example, contractors bidding for the award of public contracts must show that the members of their authorities (management board, supervisory board) and commercial proxies have not been convicted of certain offences set forth in the Public Procurement Law. The bidder has an affirmative obligation to prove this, because the consequence of failure to present the relevant documentation is exclusion from the tender. And sometimes prospective employers require such certificates, but due to the risk of discrimination they can do so only with respect to certain candidates, for example those applying for work in security.
Thus, despite the lack of a general ban on processing of data about a person’s clean criminal record under the GDPR, it should be checked whether other regulations allow such a document to be requested from an employee or business partner.
Joanna Krakowiak, legal adviser, Data Protection practice, Wardyński & Partners