Article 10
Processing of personal data relating to criminal convictions and offences
Overview:
Article 10 of the GDPR sets out the conditions under which personal data relating to criminal history, such as convictions, details of offences and criminal proceedings, may be processed. Only official authorities, such as courts, law enforcement agencies and other authorised government bodies, may process personal data relating to criminal convictions and offences, unless the processing is permitted by law with appropriate safeguards (see the conditions below).
Implementation Guidance
- Ensure that personal data relating to criminal convictions and offences is processed only under one of the following conditions:
  - Permission from the concerned legal authorities to process the data
  - Processing is permitted by law, with appropriate safeguards for protecting the data
- If there is a necessity to process personal data relating to criminal convictions, identify the legal basis (permission from the concerned authorities, or a provision of law that permits the processing) and document it.
- Consider conducting a DPIA (Data Protection Impact Assessment) for implementing appropriate controls to mitigate the risks related to this data.
- Implement access controls to ensure that only authorized personnel have access to this data. Access should be granted only for a documented, valid reason and should be time bound. Enable logging and alerting mechanisms to identify anomalies, and review the logs on a regular basis.
- Clearly define and document the purpose for which the data will be processed and also ensure that you have necessary processes and mechanisms implemented to limit the use of this data for the identified purpose.
- Collect only the minimum necessary data that is required to meet the purpose of processing.
- Clearly define and establish the retention period of this data. The data should not be kept for longer than necessary to meet the requirement.
- Implement mechanisms for secure deletion of the data. Ensure that data is securely deleted once the intended purpose has been met or the retention period has expired.
- Clearly communicate to the data subject that their data regarding criminal convictions and offences is being processed, and provide mechanisms for them to exercise their rights (access, rectification, erasure, etc.).
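The access-control, logging and retention points above can be turned into concrete checks. The following is an added example, not part of this guidance: it models a small in-memory store of conviction records where every read requires a time-bound grant with a documented reason, every access attempt (allowed or denied) is written to an audit log, expired records are removed according to a retention period, and a simple review pass over the audit log flags repeated denials or bursts of reads. The names RecordStore, Grant, find_anomalies and run_demo, and all sample data, are constructed for this illustration.

```python
"""Time-bound access, audit logging, anomaly review and retention for
criminal-conviction records. Illustrative example; names and data constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Grant:
    user: str
    reason: str            # documented justification for the access
    valid_from: datetime
    valid_until: datetime  # time-bound: the grant expires automatically


@dataclass
class RecordStore:
    retention: timedelta
    records: Dict[str, dict] = field(default_factory=dict)  # subject_id -> record
    grants: List[Grant] = field(default_factory=list)
    audit_log: List[dict] = field(default_factory=list)

    def add_record(self, subject_id: str, data: dict, collected_at: datetime) -> None:
        # collected_at drives the retention check later on
        self.records[subject_id] = {"data": data, "collected_at": collected_at}

    def grant_access(self, user: str, reason: str, now: datetime, duration: timedelta) -> None:
        # A grant without a documented reason is refused outright.
        if not reason.strip():
            raise ValueError("a documented reason is required for access")
        self.grants.append(Grant(user, reason, now, now + duration))

    def _active_grant(self, user: str, now: datetime) -> Optional[Grant]:
        for g in self.grants:
            if g.user == user and g.valid_from <= now < g.valid_until:
                return g
        return None

    def read(self, user: str, subject_id: str, now: datetime) -> Optional[dict]:
        """Return the record only if the user holds a currently valid grant.
        Every attempt, allowed or not, is recorded in the audit log."""
        grant = self._active_grant(user, now)
        allowed = grant is not None and subject_id in self.records
        self.audit_log.append({"ts": now, "user": user, "subject": subject_id,
                               "allowed": allowed, "reason": grant.reason if grant else None})
        return self.records[subject_id]["data"] if allowed else None

    def enforce_retention(self, now: datetime) -> List[str]:
        """Delete records older than the retention period and log each deletion.
        In a real system the delete would be an overwrite or crypto-erase of the
        backing storage; here the in-memory entry is simply dropped."""
        expired = [s for s, r in self.records.items() if now - r["collected_at"] > self.retention]
        for s in expired:
            del self.records[s]
            self.audit_log.append({"ts": now, "user": "system", "subject": s,
                                   "allowed": True, "reason": "retention expired: deleted"})
        return expired


def find_anomalies(audit_log: List[dict], window: timedelta = timedelta(minutes=10),
                   max_reads: int = 5) -> List[Tuple[str, str]]:
    """Review pass over the audit log: flag users with three or more denied
    attempts, or more than max_reads successful reads inside one window."""
    anomalies: List[Tuple[str, str]] = []
    by_user: Dict[str, List[dict]] = {}
    for e in audit_log:
        by_user.setdefault(e["user"], []).append(e)
    for user, events in by_user.items():
        denied = [e for e in events if not e["allowed"]]
        if len(denied) >= 3:
            anomalies.append((user, f"{len(denied)} denied accesses"))
        if user == "system":
            continue  # retention deletions are not user reads
        reads = sorted(e["ts"] for e in events if e["allowed"])
        for i in range(len(reads)):
            j = i
            while j < len(reads) and reads[j] - reads[i] <= window:
                j += 1
            if j - i > max_reads:
                anomalies.append((user, f"{j - i} reads within {window}"))
                break
    return anomalies


def run_demo():
    """Constructed scenario: one valid read, one read after the grant expired,
    three attempts by a user with no grant, and one record past retention."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = RecordStore(retention=timedelta(days=365))
    store.add_record("subj-1", {"conviction": "constructed sample"}, t0 - timedelta(days=400))
    store.add_record("subj-2", {"conviction": "constructed sample"}, t0 - timedelta(days=10))
    store.grant_access("analyst", "case CASE-0000 review (constructed)", t0, timedelta(hours=2))
    r1 = store.read("analyst", "subj-2", t0 + timedelta(minutes=5))   # inside grant window
    r2 = store.read("analyst", "subj-2", t0 + timedelta(hours=3))     # grant expired -> denied
    for k in range(3):
        store.read("intern", "subj-2", t0 + timedelta(minutes=k))     # no grant -> denied
    expired = store.enforce_retention(t0)
    return r1, r2, expired, find_anomalies(store.audit_log)


if __name__ == "__main__":
    allowed, denied, deleted, flags = run_demo()
    print("allowed read:", allowed, "| expired-grant read:", denied)
    print("deleted for retention:", deleted, "| anomalies:", flags)
```

Running the script shows the read inside the grant window succeeding, the read after expiry returning nothing, the 400-day-old record being deleted, and the user with three denied attempts being flagged for review. The same structure maps onto a real deployment: the grant table is your access request workflow, the audit log is your SIEM, and `find_anomalies` is the scheduled log review the guidance calls for.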
Compliance Checklist
- Privacy Policy
- Information Security Policy
- Privacy Notice
- DPIA
- Policies and procedures
- RoPA (Record of Processing Activities)
Examples and Use cases
- A law enforcement agency processes personal data including criminal convictions and offences as a part of their official duty.
- A law firm processes details of criminal records in order to represent its client in court. The law firm has appropriate controls in place to protect the personal data.
- A private organization may perform background verification of its employees, including criminal background checks, where this is permitted by the law of the land. The organization has to ensure appropriate controls for protecting the data.