Overview

This article restricts the processing of personal data relating to criminal convictions and offences: such processing may be carried out only under the control of official authority, or where EU or Member State law explicitly authorizes it and provides appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions may be kept only under the control of official authority, and organizations must maintain strict control over any such register or records they hold.


Key Principles

  • Lawful Processing: Data may be processed only under the control of official authority or where EU or Member State law explicitly authorizes the processing.

  • Data Subject Rights: Any authorizing law must provide appropriate safeguards for the rights and freedoms of data subjects, and organizations must implement those safeguards to prevent misuse.

  • Restricted Registers: A comprehensive register of criminal convictions may be kept only under the control of official authority.

  • Accountability: Organizations must be able to demonstrate that their processing is lawful and that access is limited to authorized personnel.

Organizational Applicability

This article applies to all organizations that process personal data relating to criminal convictions or offences within the EU:

  • Public authorities and agencies processing criminal data under official authority.

  • Private organizations authorized by law to process such data.

  • Entities maintaining registers or records containing criminal convictions under legal control.

Implementation Requirements

  • Ensure all processing is authorized by law or official authority.

  • Implement technical and organizational safeguards to protect sensitive data.

  • Limit access to registers to authorized personnel only.

  • Maintain records demonstrating compliance with legal requirements for criminal data processing.

Implementation Guidance

  • Verify that all processing activities have legal authorization.

  • Apply encryption, role-based access controls, and audit logging to criminal data, so that access to a register is limited to authorized personnel and every access is attributable to an individual.

  • Conduct periodic reviews to ensure continued compliance with legal restrictions.

  • Before processing criminal data in cloud or other third-party environments, confirm that the legal authorization covers that processing and that the provider's safeguards (processor contract, data location, access controls) meet the applicable legal requirements.

Periodic Review

  • Frequency: Annually or upon changes to applicable laws or processing activities.

  • Responsible Role: Data Protection Officer (DPO), Compliance Team, or authorized authority.

  • Outcome: Ensure all criminal data processing remains lawful, restricted, and safeguarded.

Non-Compliance Risks

  • Legal Penalties: Enforcement actions and fines for unlawful processing.

  • Operational Risk: Unauthorized access to, or misuse of, criminal data.

  • Reputational Damage: Loss of public trust and regulatory scrutiny.

  • Compliance Risk: Failure to maintain restricted registers under official authority control.