menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Spain) language
Contact our local member in Spain mail_outline
Visit the website of M & AD 4 Law account_balance

arrow_backPrevious Article
Article 10
Next Articlearrow_forward

Processing of personal data relating to criminal convictions and offences

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 10 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 10 keyboard_arrow_up

Key words related to article 10

Show the recitals of the Regulation related to article 10 keyboard_arrow_down Hide the recitals of the Regulation related to article 10 keyboard_arrow_up

(19)  The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council (7). Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.

With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.

There is no recital in the Directive related to article 10.

The GDPR

Instead, the Regulation introduces a specific provision for data processing on convictions for criminal offenses or security measures and proceeds with a clarification of that provision, the initial version of which was confusing (Article 10).

The data processing for these data can be performed only if:

- the data processing takes place under the control of official authority;

- the data processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

Unlike the text of the Directive, the national law may not derogate from these conditions.

Finally, the comprehensive centralization of criminal convictions may be carried out only under the control of the official authority.

The Directive

The Directive provided for a derogation from the prohibition to process sensitive data to the processing of data relating to offences, criminal convictions or security measures (Article 8 (5), provided that they are conducted under the supervision of the public authority or that suitable specific safeguards are provided under national law.

Paragraph 5 in fine of Article 8 of the Directive specified that a file containing exhaustively all the criminal convictions may be kept only under the control of the official authority.

Potential issues

Differences can occur between the Member States with respect to the data processing related to convictions or criminal offences or security measures as far as the conditions of data processing are determined in the national law (terms of official authority controls or specific legislative authorization).

arrow_back Previous ArticleArticle 10Next Article arrow_forward
arrow_back Previous ArticleArticle 10 Next Article arrow_forward

Summary

European Union

European Union

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement (26 April 2023)

Facial recognition technology (FRT) may be used to automatically recognise individuals based on their face. FRT often is based on artificial intelligence such as machine learning technologies. Applications of FRT are increasingly tested and used in various areas, from individual use to private organisations and public administration use. Law enforcement authorities (LEAs) also expect advantagesfrom the use of FRT. It promises solutions to relatively new challenges such as investigations involving a big amount of captured evidence, but also to known problems, in particular with regard to under-staffing for observation and search tasks.

A great deal of the increased interest in FRT is based on the efficiency and scalability of FRT. With these come the disadvantages inherent to the technology and its application – also on a large scale. While there may be thousands of personal data sets analysed atthe push of a button, already slight effects of algorithmic discrimination or misidentification may create high numbers of individuals affected severely in their conduct and daily lives. The sheer size of processing of personal data, and in particular biometric data, is a further key element of FRT, as the processing of personal data constitutes an interference with the fundamental right to protection of personal data according to Article 8 of the Charter of Fundamental Rights of the European Union (the Charter).

The application of FRT of LEAs will – and to some extent already does – have significant implications on individuals and on groups of people, including minorities. These implications will also have considerable effects on the way we live together and on our social and democratic political stability, valuing the high significance of pluralism and political opposition. The right to protection of personal data often is key as a prerequisite to guarantee other fundamental rights. The application of FRT is considerably prone to interfere with fundamental rights beyond the right to protection of personal data.

The EDPB therefore deems it important to contribute to the ongoing integration of FRT in the area of law enforcement covered by the Law Enforcement Directive respectively the national laws transposing it and provide the present guidelines. The guidelines are intended to provide relevant information to lawmakers at EU and national level, as well as for LEAs and their officers when implementing and using FRT-systems. The scope of the guidelines is limited to FRT. However, other forms of processing of personal data based on biometrics by LEAs, especially if processed remotely, may entail similar or additional risks for individuals, groups and society. According to the respective ircumstances, some aspects of these guidelines may serve as a useful source in these cases, as well. Finally, individuals that are interested generally or as data subjects may also find important information, in particular as regards data subjects’ rights.

The guidelines consist of the main document and three annexes. The main document at hand presents the technology and the legal framework applicable. To help identifying some of the major aspects to classify the severity of the interference with fundamental rights to a given field of application, a template can be found in Annex I. LEAs that wish to procure and run a FRT system may find practical guidance in Annex II. Depending on the field of application of FRT, different considerations could be of relevance. A set of hypothetical scenarios and relevant considerations may be found in Annex III.

Link

Retour au sommaire
arrow_back Previous Article Article 10 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-141/12 ; C-372/12 (17 july 2014) - YS e.a.

1.      Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified.

2.      Article 12(a) of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that an applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of Article 2(b) of that directive. For that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive.

3.      Article 41(2)(b) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that the applicant for a residence permit cannot rely on that provision against the national authorities.

Opinion of Advocate general

Judgment of the Court

C-439/19 ( 22 June 2021) - Latvijas Republikas Saeima (Points de pénalité)

1. Article 10 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as applying to the processing of personal data relating to penalty points imposed on drivers of vehicles for road traffic offences.

2. The provisions of Regulation (EU) 2016/679, in particular Article 5(1), Article 6(1)(e) and Article 10 thereof, must be interpreted as precluding national legislation which obliges the public body responsible for the register in which penalty points imposed on drivers of vehicles for road traffic offences are entered to make those data accessible to the public, without the person requesting access having to establish a specific interest in obtaining the data.

3. The provisions of Regulation (EU) 2016/679, in particular Article 5(1), Article 6(1)(e) and Article 10 thereof, must be interpreted as precluding national legislation which authorises the public body responsible for the register in which penalty points imposed on drivers of vehicles for road traffic offences are entered to disclose those data to economic operators for re-use.

4. The principle of primacy of EU law must be interpreted as precluding the constitutional court of a Member State, before which a complaint has been brought challenging national legislation that proves, in the light of a preliminary ruling given by the Court of Justice, to be incompatible with EU law, from deciding, in accordance with the principle of legal certainty, that the legal effects of that legislation be maintained until the date of delivery of the judgment by which it rules finally on that constitutional complaint.

Opinion of Advocate general

Judgment of the Court

C‑205/21, Ministerstvo na vatreshnite raboti (26 January 2023)

1)      L’article 10, sous a), de la directive (UE) 2016/680 du Parlement européen et du Conseil, du 27 avril 2016, relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel par les autorités compétentes à des fins de prévention et de détection des infractions pénales, d’enquêtes et de poursuites en la matière ou d’exécution de sanctions pénales, et à la libre circulation de ces données, et abrogeant la décision-cadre 2008/977/JAI du Conseil, lu à la lumière de l’article 52 de la charte des droits fondamentaux de l’Union européenne,

doit être interprété en ce sens que :

le traitement de données biométriques et génétiques par les autorités de police en vue de leurs activités de recherche, à des fins de lutte contre la criminalité et de maintien de l’ordre public, est autorisé par le droit d’un État membre, au sens de l’article 10, sous a), de cette directive, dès lors que le droit de cet État membre contient une base juridique suffisamment claire et précise pour autoriser ledit traitement. Le fait que l’acte législatif national contenant une telle base juridique se réfère, par ailleurs, au règlement (UE) 2016/679 du Parlement européen et du Conseil, du 27 avril 2016, relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données), et non à la directive 2016/680, n’est pas de nature, en lui-même, à remettre en cause l’existence d’une telle autorisation, pour autant qu’il ressort, de manière suffisamment claire, précise et dénuée d’équivoque de l’interprétation de l’ensemble des dispositions applicables du droit national que le traitement de données biométriques et génétiques en cause relève du champ d’application de cette directive, et non de ce règlement.

Conclusions de l'avocat général (fr)

Arret rendu (fr)

C-740/22 (7 March 2024) - Endemol Shine Finland

1.      Article 2(1) and Article 4(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the oral disclosure of information on possible ongoing or completed criminal proceedings to which a natural person has been subject constitutes processing of personal data, within the meaning of Article 4(2) of that regulation, and comes within the material scope of that regulation where that information forms part of a filing system or is intended to form part of a filing system.

2.      The provisions of Regulation 2016/679, in particular Article 6(1)(e) and Article 10 thereof,

must be interpreted as precluding data relating to criminal convictions of a natural person contained in a court’s filing system from being disclosed orally to any person for the purpose of ensuring public access to official documents, without the person requesting the disclosure of those data having to establish a specific interest in obtaining those data, it being irrelevant in that regard whether that person is a commercial company or a private individual.

Judgment of the Court 
Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 10 Next Article arrow_forward
Regulation
1e 2e

Art. 10

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
1st proposal close

Art. 9

1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

2. Paragraph 1 shall not apply where:

(a)     the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b)     processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or

(c)     processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

(d)     processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e)     the processing relates to personal data which are manifestly made public by the data subject; or

(f)      processing is necessary for the establishment, exercise or defence of legal claims; or

(g)     processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or

(h)     processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

(i)      processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

(j)      processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards.A complete register of criminal convictions shall be kept only under the control of official authority.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
2nd proposal close

Art. 9a

Processing of data relating to criminal convictions and offences or related security measures based on Article 6(1) may only be carried out either under the control of official authority (...) or when the processing is (...) authorised by Union law or Member State law providing for adequate safeguards for the rights and freedoms of data subjects. A complete register of criminal convictions may be kept only under the control of official authority.
Directive close

Art. 8

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2. Paragraph 1 shall not apply where:

(…)

5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.

Spain
compare_arrows

Article 7.5.- Organic Law 15/1999 on the Protection of personal Data.-

Personal data on criminal or administrative offences may be included in files of the competent public administrations only under the circumstances laid down in the respective regulations.
Hungary close

Definitions

§ 3 Data Protection Act

[...]

(4) ‘personal data processed in criminal matters’ shall mean personal data that might be related to the data subject or that pertain to any prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in connection with a crime or criminal proceedings;

[...]

Legal basis of data processing

§ 5 Data Protection Act

[...]

(4) Personal data that concern criminal offenses and are being processed for the purposes of preventing, investigating, detecting and prosecuting criminal offences and data files containing information pertaining to misdemeanor cases, civil cases and non-contentious proceedings may only be processed by central or local government authorities.

[...]

Internal data protection officer, data protection rules

§ 24 Data Protection Act

(1) The following data controllers and processors shall appoint or commission an internal data protection officer - who shall hold a law degree, a degree in economics or information technology or an equivalent degree in higher education - who is to report directly to the head of the organization:

a) authorities of nation-wide jurisdiction, and data controllers and processors engaged in processing data files of employment and criminal records;

[...]

Data protection register

§ 68 Data Protection Act

[...]

(4) If the application for registration is submitted in respect of processing operations under Subsection (5), pertaining to data files unaffected by any previous data processing operation of the controller, or for which a new processing technique that the controller has never used before for any previous processing operation is required, registration shall be granted on condition that the controller is able to meet the conditions for lawful processing.

(5) The condition for registration under Subsection (4) pertains, in accordance with what is contained therein, to:

a) data files concerning authorities of nation-wide jurisdiction, data files concerning employment and criminal records;

[...]
arrow_back Previous ArticleArticle 10 Next Article arrow_forward
close

2016 - www.itiplaw.eu.