Does a Written Declaration by an Employee That They Have Not Been Convicted of a Criminal Offence Constitute Processing of Personal Data by the Employer Within the Meaning of Article 10 GDPR?

ANSWER

Information relating to criminal convictions is defined in Article 10 GDPR as information relating to criminal convictions and offences, or related security measures. The processing of such personal data is not prohibited under Article 9(1) GDPR — it is therefore not classified as a special category of personal data. This means that a controller may process such data on the basis of the conditions set out in Article 6(1) GDPR. Nevertheless, the permissibility of processing such information is contingent — in accordance with the text of Article 10 — on processing being carried out only under the control of official authority, or when the processing is authorised by EU law or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

This means that a data controller (in this case: an employer) may process information on criminal convictions only where this is required by a specific provision of law. It is irrelevant whether such information takes the form of a certificate from the National Criminal Register (KRK) or is provided by the employee in the form of a declaration. Even the mere submission of a declaration regarding criminal convictions will be permissible only where this is required by a specific provision of law. The legal basis most frequently legitimising the processing of criminal conviction information will be Article 6(1)(c) GDPR in conjunction with a specific statutory provision imposing an obligation to process the data contained therein. It is also possible for the processing to be based on other grounds under Article 6(1) GDPR, but in every case the condition is that the law must provide for such a possibility.