Art. 10
Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
|
Art. 9
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
2. Paragraph 1 shall not apply where:
(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
(e) the processing relates to personal data which are manifestly made public by the data subject; or
(f) processing is necessary for the establishment, exercise or defence of legal claims; or
(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or
(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or
(i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards.A complete register of criminal convictions shall be kept only under the control of official authority.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
|
Art. 9a
Processing of data relating to criminal convictions and offences or related security measures based on Article 6(1) may only be carried out either under the control of official authority (...) or when the processing is (...) authorised by Union law or Member State law providing for adequate safeguards for the rights and freedoms of data subjects. A complete register of criminal convictions may be kept only under the control of official authority.
|
Art. 8
1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
2. Paragraph 1 shall not apply where:
(…)
5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.
|
Section 17 GDPR Implementation Law. Fine in the event of unlawful processing of personal data
relating to criminal matters
1. The Dutch Data Protection Authority may impose an administrative fineof up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover generated in the preceding financial year,
whichever is higher, for a violation of any of the provisions of Article 10 of the Regulation or Section 31 of this Act.
2. Article 83 paragraphs (1) to (3) of the Regulation apply equally.
Section 31 GDPR Implementation Law. Exemptions from the obligation to carry out processing
operations under government control
Without prejudice to Article 10 of the Regulation, personal data relating to criminal law matters may only be processed in so far as it is authorised pursuant to Sections 32 and 33.
Section 32 GDPR Implementation Law. General grounds for exemption for data relating to criminal
law matters
Personal data relating to criminal law matters may be processed if:
a. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
b. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
c. processing relates to personal data which are manifestly made public by the data subject;
d. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
e. processing is necessary for reasons of substantial public interest as referred to in Section 23(a) and (b); or
f. processing is necessary for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, and the conditions referred to in Section 24(b) to (d) have been met.
Section 33 GDPR Implementation Law. Other grounds for exceptions for data relating to criminal law
matters
1. Personal data relating to criminal law matters may be processed if:
a. processing is carried out by bodies that are responsible pursuant to the law for applying criminal law or by controllers who have acquired this responsibility pursuant to the Police Data Act or the Judicial Data and Criminal Records Act;
b. processing is carried out by and on behalf of alliances of controllers or groups of controllers governed by public law if:
1°. processing is necessary for the performance of the tasks of these controllers or groups of controllers; and
2°. safeguards have been put in place for the processing such that the data subject’s privacy is not disproportionately compromised; or
c. processing is necessary in addition to the processing of personal data concerning health referred to in Section 30(3), opening lines and (a), for the proper treatment or care of the data subject.
2. Personal data relating to criminal law matters may be processed by the controller that processes these data for its own purposes in order to:
a. assess a request from the data subject to take a decision on him or her or to provide a service to him or her; or
b. protect its interests in cases of criminal offences committed against it or which, based on facts and circumstances, can be expected to be committed against it or persons employed by it.
3. Personal data relating to criminal law matters on staff employed by the controller may only be processed if such processing is carried out in accordance with rules adopted in line with the procedure referred to in the Works Councils Act.
4. Personal data relating to criminal law matters may be processed on behalf of third parties:
a. by controllers acting pursuant to a licence under the Private Security Organisations and Detective Agencies Act;
b. if such third party is a legal person who is part of the same group as that referred to in Article 24b of Book 2 of the Civil Code; or
c. if the Dutch Data Protection Authority has granted a licence for such processing, with due observance of subsection 5.
5. A licence as referred to in subsection 4(c) may only be granted if the processing is necessary for reasons of a substantial interest on the part of third parties, and if safeguards have been put in place for the processing such that the data subject’s privacy is not disproportionately compromised. The licence may be subject to requirements.
|