GDPR Article 10: Processing of Personal Data Relating to Criminal Convictions and Offences
A Scholarly Analysis for Advanced Practitioners
Introduction
GDPR Article 10 occupies a unique position within the General Data Protection Regulation because it regulates information associated with criminal convictions, criminal offences, alleged offences, investigations, prosecutions, and related security measures.
Unlike Article 9 special category data, criminal offence data constitutes a distinct regulatory category requiring its own legal analysis and governance framework. Article 10 does not create a standalone lawful basis; rather, it imposes an additional layer of restriction on processing that already satisfies Article 6.
The provision reflects a legislative judgment that criminal records possess extraordinary reputational, social, professional, and economic consequences for data subjects. Improper disclosure may result in exclusion from employment, housing, education, financial services, and public participation.
Key Framing Concept
Advanced practitioners should view Article 10 as a "restricted processing regime" — a specialised legal gateway layered on top of the general GDPR framework, not a replacement for it.
The Textual Structure of Article 10
Article 10 establishes two fundamental requirements that practitioners must address independently and sequentially.
Requirement 1: Processing of Criminal Data
Must be based upon a valid Article 6 lawful basis, and must occur either:
  • Under the control of official authority; or
  • Pursuant to Union or Member State law providing appropriate safeguards
Requirement 2: Comprehensive Criminal Registers
Any comprehensive register of criminal convictions:
  • May only be maintained under the control of official authority
  • Private entities cannot lawfully build centralised criminal history databases
Defining Criminal Conviction and Offence Data
Narrow Interpretation (Incorrect)
  • Convictions only
  • Court-issued criminal judgments only
Generally inconsistent with modern European supervisory and judicial approaches.
Article 10 Data May Include:
  • Criminal convictions and pending criminal proceedings
  • Criminal charges, arrest records, and police reports
  • Allegations of criminal conduct and prosecutorial investigations
  • Sentencing, probation, and bail conditions
  • Criminal background screening results, including certificates showing no convictions
  • Acquittal records and security measures associated with criminal proceedings
Important Example
An employer receives a criminal background check indicating "No Criminal Record Found." Many organisations mistakenly conclude no Article 10 processing exists because no conviction is present. Regulatory authorities have consistently treated such information as criminal conviction data because it directly relates to criminal record status.
The Dual-Lawfulness Requirement
Satisfying Article 6 alone is insufficient. Controllers must independently satisfy both layers before any processing of criminal offence data may lawfully commence.
Official Authority Processing
Who Qualifies as Official Authority?
Law Enforcement: Police services and prosecutorial authorities with statutory criminal enforcement functions
Judicial Bodies: Courts and correctional institutions operating under statutory authority
Regulatory Authorities: Criminal justice agencies and regulators possessing statutory criminal enforcement functions
Official Authority Status: What It Does NOT Mean
Official authority status generally permits broader processing because statutory safeguards already exist. However, it is not an exemption from GDPR. The following principles remain fully applicable:
Purpose Limitation: Data may only be used for the purpose for which it was collected
Data Minimisation: Only data strictly necessary may be processed
Retention Limitations: Data must not be kept longer than necessary
Security Requirements: Appropriate technical and organisational measures must be maintained
Private Sector Processing
Private organisations face significantly higher compliance burdens than official authorities. The absence of statutory oversight means each processing activity must be independently justified and documented.
Financial Institutions: Conducting fraud investigations under financial crime legislation
Healthcare Entities: Conducting safeguarding checks for patient-facing roles
Educational Institutions: Screening staff working with children and vulnerable persons
Aviation Operators: Performing security vetting under aviation safety regulations
Critical Infrastructure: Conducting background checks for sensitive operational roles
Each private-sector processing activity must demonstrate:
  1. Specific National Legal Authorisation
  2. Documented Necessity
  3. Demonstrable Proportionality
  4. Appropriate Safeguards
Examples of Lawful Processing
1. Child Protection Screening: A school performs legally mandated criminal background checks for teachers. National law specifically authorises screening. Access is restricted to HR personnel and retention periods are defined. Assessment: typically lawful.
2. Anti-Money Laundering Investigations: A bank investigates suspected financial crime. Processing is required under financial crime legislation. Access controls and audit trails exist throughout the investigation lifecycle. Assessment: may be lawful under Member State authorisation.
3. Court Administration: A judicial authority maintains conviction records. Processing occurs under statutory authority with established governance frameworks and defined access controls. Assessment: generally permissible under Article 10.
Examples of Unlawful Processing
The following scenarios represent common compliance failures identified by supervisory authorities across Member States.
Informal Employee Blacklists
Multiple companies share names of workers suspected of theft. No conviction exists. No statutory authorisation exists.
Likely unlawful.
Centralised Corporate Criminal Register
A multinational creates a database of criminal histories for all employees worldwide. No official authority oversight exists.
Likely violates Article 10's prohibition on comprehensive criminal registers.
Excessive Recruitment Screening
A retail employer requests criminal records for every applicant regardless of role. No legal requirement exists for the positions in question.
Likely violates necessity and proportionality principles.
Indefinite Retention of Background Checks
Screening records remain permanently in personnel files with no retention justification or scheduled disposal.
Likely violates Articles 5 and 10 simultaneously.
Articles Intersecting with Article 10
Advanced practitioners should understand Article 10 as a node within a larger compliance ecosystem. Compliance with Article 10 alone is insufficient — the following provisions interact directly with criminal offence data processing.
The Accountability Model Under Article 10
Accountability under Article 10 is evidentiary rather than merely procedural. Organisations must be capable of demonstrating — not merely asserting — compliance across every dimension of their criminal data processing activities.
1. Necessity Justification: Why criminal data is necessary and why less intrusive alternatives are unavailable
2. Legal Authorisation: Which national law authorises processing and which safeguards are implemented
3. Access Governance: How access is restricted to those with a documented operational need
4. Retention Management: How retention is limited and automated disposal is enforced
5. Accuracy and Disclosure Controls: How accuracy is maintained and how disclosure to third parties is controlled
"Accountability is therefore evidentiary rather than merely procedural. Organisations that cannot produce documented evidence of each element face significant enforcement exposure."
Twenty Cross-Cutting Technical Controls for Article 10 Compliance
The following controls represent a comprehensive governance framework for organisations processing criminal offence data. Controls 1–11 are addressed here.
1. Article 10 Data Classification Framework: Establish a dedicated classification category for criminal offence data, separate from ordinary personal data and Article 9 data
2. Legal Authorisation Register: Maintain documented mappings between processing activities and applicable Union or Member State laws
3. Article 10 Lawfulness Assessment: Require formal legal review before collection begins for any new processing activity
4. Data Protection Impact Assessments: Mandatory DPIA review for criminal data processing activities, assessing stigma, discrimination, and exclusion risks
5. Purpose-Binding Controls: Technical enforcement preventing secondary uses without explicit authorisation
6. Role-Based Access Control: Restrict access according to operational necessity with documented justification for each role
7. Attribute-Based Access Control: Introduce contextual restrictions based on purpose, jurisdiction, and risk profile
8. Segregated Data Stores: Store Article 10 data separately from general HR or customer records with logical and physical separation
9. Strong Encryption: Encrypt criminal offence data at rest and in transit using current cryptographic standards
10. Cryptographic Key Separation: Separate encryption key management from operational processing teams to prevent insider access
11. Immutable Audit Logging: Record every access, modification, export, and deletion event with tamper-evident logging
Technical Controls 12–20: Advanced Governance Measures
Privileged User Monitoring: Monitor administrators handling criminal offence data with enhanced logging and behavioural analytics
Data Minimisation Rules Engine: Automatically suppress unnecessary fields at the point of collection and throughout the data lifecycle
Retention and Disposal Automation: Implement automated deletion aligned with legal requirements and documented retention schedules
Third-Party Due Diligence Programme: Assess processors handling criminal offence information before engagement and on a recurring basis
Cross-Border Transfer Controls: Validate transfer mechanisms before exporting Article 10 data internationally under Articles 44–49
Data Quality Validation Controls: Detect inaccurate, outdated, or expunged conviction information before it influences decisions
Continuous Compliance Monitoring: Conduct recurring control testing and assurance reviews against documented compliance standards
Incident Response Procedures: Define escalation paths specific to criminal data breaches, with accelerated notification timelines
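The purpose-binding, attribute-based access, immutable audit logging and retention automation controls above are easier to reason about when seen working together. The following is an added illustration written for this page, not code from the original document or from any regulator or vendor: a small in-memory store for Article 10 records that releases a record only for the purpose it was collected for and only to a (purpose, role, jurisdiction) combination listed in a policy table, writes every attempt (granted or denied) to a SHA-256 hash-chained audit log whose integrity can be re-verified, and deletes records past a documented retention period. The policy table, role names, jurisdiction code, retention period and the `NATIONAL_LAW_REF_PLACEHOLDER` legal-basis reference are constructed assumptions.

```python
"""Purpose-bound access control, a hash-chained audit log and retention
disposal for Article 10 records.  Added illustration, not code from the page;
the policy table, roles, law reference and retention periods are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed ABAC policy: (purpose, role, jurisdiction) triples that may read a
# record.  Purpose binding is enforced separately: a record is only ever
# released for the purpose it was collected for.
POLICY = {
    ("safeguarding_screening", "hr_vetting", "IE"),
    ("safeguarding_screening", "dpo", "IE"),
    ("aml_investigation", "financial_crime", "IE"),
}
GENESIS = "0" * 64  # previous-hash value for the first audit entry


@dataclass
class Article10Record:
    subject_id: str
    purpose: str         # purpose for which the data was collected
    legal_basis: str     # reference to the authorising national law (placeholder)
    jurisdiction: str
    collected_on: str    # ISO date
    retention_days: int
    content: str


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = dict(event, prev=prev)
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(dict(body, hash=digest))
        return digest

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Article10Store:
    def __init__(self) -> None:
        self.records: dict = {}
        self.audit = AuditLog()

    def add(self, rec: Article10Record) -> None:
        self.records[rec.subject_id] = rec
        self.audit.append({"event": "create", "subject": rec.subject_id,
                           "purpose": rec.purpose, "legal_basis": rec.legal_basis})

    def access(self, subject_id, actor, role, purpose, jurisdiction):
        """Return (granted, reason); every attempt is logged, allowed or not."""
        rec = self.records.get(subject_id)
        if rec is None:
            granted, reason = False, "no_record"
        elif rec.purpose != purpose:
            granted, reason = False, "purpose_mismatch"      # purpose binding
        elif rec.jurisdiction != jurisdiction:
            granted, reason = False, "jurisdiction_mismatch"
        elif (purpose, role, jurisdiction) not in POLICY:
            granted, reason = False, "no_policy_match"
        else:
            granted, reason = True, "policy_match"
        self.audit.append({"event": "access", "subject": subject_id, "actor": actor,
                           "role": role, "purpose": purpose, "granted": granted, "reason": reason})
        return granted, reason

    def dispose_expired(self, today_iso: str) -> list:
        """Delete records past their retention period and log each deletion."""
        today = date.fromisoformat(today_iso)
        expired = [sid for sid, r in self.records.items()
                   if today > date.fromisoformat(r.collected_on) + timedelta(days=r.retention_days)]
        for sid in expired:
            del self.records[sid]
            self.audit.append({"event": "delete", "subject": sid, "reason": "retention_expired"})
        return expired


def sample_store() -> Article10Store:
    """Constructed sample: one screening outcome with a one-year retention period."""
    store = Article10Store()
    store.add(Article10Record("emp-001", "safeguarding_screening", "NATIONAL_LAW_REF_PLACEHOLDER",
                              "IE", "2024-01-10", 365, "No criminal record found"))
    return store


if __name__ == "__main__":
    s = sample_store()
    print(s.access("emp-001", "alice", "hr_vetting", "safeguarding_screening", "IE"))
    print(s.access("emp-001", "bob", "hr_vetting", "marketing", "IE"))
    print(s.dispose_expired("2025-06-01"), s.audit.verify())
```

Two design points carry over to real systems. The purpose check runs before the policy lookup, so even an actor who holds a role that could legitimately read the record is refused when the stated purpose differs from the collection purpose; secondary use therefore requires a new policy entry, i.e. an explicit authorisation decision, rather than a quiet widening of a role. Denied attempts are logged with the same rigour as granted ones, which is what makes privileged-user monitoring and later incident investigation possible; in production the chain head would be anchored in a separate system or write-once store so that an administrator of the record store cannot rewrite the log and recompute the hashes.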
Emerging Regulatory Challenges
The regulatory landscape surrounding Article 10 continues to evolve rapidly. Advanced practitioners must anticipate enforcement trends in the following areas.
Artificial Intelligence
Criminal history data used in employment screening algorithms presents elevated discrimination risk. Profiling decisions based on criminal data may trigger Article 22 considerations regarding automated decision-making, requiring human review and explicit authorisation.
Data Brokerage
Aggregation of publicly available criminal information can still constitute Article 10 processing. The commercial assembly of criminal data from disparate public sources does not remove the obligation to identify lawful authorisation under Article 10.
Open-Source Intelligence (OSINT)
Organisations increasingly collect criminal allegations from online sources during due diligence and background screening. Public availability does not remove Article 10 obligations. The source of the data is irrelevant to the classification of the data.
Insider Threat Programmes
Internal investigations frequently generate criminal offence data as a by-product of monitoring activities. Organisations often fail to recognise Article 10 applicability until enforcement action occurs, at which point remediation is significantly more costly.
Advanced Teaching Conclusions
1. Foundational Requirement: Satisfy both Article 6 and Article 10 simultaneously; national law frequently determines permissibility
2. Broad Data Scope: Criminal offence data extends beyond convictions to include allegations, investigations, acquittals, and background check outcomes
3. Accountability as Evidence: Legal authorisation and accountability documentation must be maintained and producible on demand
4. Privacy Engineering: Access governance, technical controls, and continuous monitoring must be embedded by design
5. Highest Risk Regime: Article 10 processing demands control rigour comparable to, and often exceeding, Article 9 special category data
From a risk-management perspective, Article 10 processing should be treated with a control rigour comparable to — and in many contexts exceeding — that applied to Article 9 special category data, because of the heightened risk of stigma, exclusion, and irreversible reputational harm to data subjects.
Specialised High-Risk Processing Regime
Dual-Lawfulness Requirement