Criminal background checks in Spain

It is a rather common practice for companies to run background checks on employees and suppliers before entering into a contract. However, the range and depth of these checks differ from company to company, and the approach to them (and their lawfulness) is not the same internationally. Among these, background checks on criminal records are a particularly sensitive matter.

In Spain, the well-known General Data Protection Regulation (GDPR) together with the Spanish Organic Law 3/2018 on Personal Data Protection and digital rights guarantees (LOPDGDD for its Spanish abbreviation) must always be considered when undertaking background checks (no matter how deep) on individuals. Mixing criminal background checks and data protection regulations may not end well, as particular conditions must be met. In this context, the Spanish Data Protection Agency (AEPD) recently imposed a EUR 2 million fine on a controller, a decision that is worth highlighting and bearing in mind when setting up background checks.

General legal regime on the processing of data regarding criminal convictions and offences in Spain

In Spain, data protection rules mainly arise from the GDPR and the LOPDGDD. Article 10 of both the GDPR and the LOPDGDD regulates the main conditions for processing data related to criminal convictions and offences:

GDPR, Article 10 - Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

LOPDGDD, Article 10 - Processing of data of criminal nature

1. The processing of personal data relating to criminal convictions and offences, as well as to proceedings, and related security and precautionary measures, for purposes other than the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sanctions, may only be carried out where permitted by Union law, this organic law or other rules with rank of law.

2. The complete registry of data relating to criminal convictions and offences, as well as to proceedings, and related security and precautionary measures referred to in Article 10 GDPR, may be carried out in accordance with the provisions of the regulation on the administrative registries system in support of the Justice Administration.

3. In cases other than the ones above, the processing of personal data relating to criminal convictions and offences, as well as to proceedings, and related security and precautionary measures, shall only be possible when carried out by lawyers and attorneys and their purpose is to collect information provided by their clients for the exercise of their functions.

Notwithstanding that processing these categories of data will most probably be subject to additional data protection requirements (such as carrying out a data protection impact assessment (DPIA), designating a DPO, etc.), the main rule is clearly established above: any processing of this kind of data must be authorised by Union or Member State law. Otherwise, such processing will be unlawful and deemed a very severe infringement of data protection obligations (see Art. 72.1(f) LOPDGDD).

It is worth highlighting that, in Spain, the processing of data relating to administrative infringements and sanctions (fines imposed by public authorities) is also regulated, under Article 27 LOPDGDD (following the former pre-GDPR practice). The main difference between the processing of such data and criminal-related data is that, with regard to the former, an individual may consent to waive the requirement of having a law authorising its processing. With regard to criminal data, consent is not enough to waive the prohibition under Article 10 GDPR and LOPDGDD.

Main takeaways from the AEPD’s sanctioning decision

To sum up the background of the case and go straight to the point, the AEPD imposed a EUR 2 million fine (and an order to discontinue the declared infringement and erase the concerned data) on a transport company for requesting its freelance carriers to provide their certificate of absence of criminal records as a contractual requirement.

The first point of interest in the analysis relates to the nature of a certificate of absence of criminal records (i.e. a negative criminal records certificate) and whether the information contained therein qualifies as personal data subject to Articles 10 GDPR and LOPDGDD. A criminal record certificate is a public document that certifies either the existence or the non-existence of criminal records (i.e. criminal court decisions in force imposing a sanction or security measures).

Without entering into details on how these certificates are regulated, it is worth remarking that the AEPD clarified that not only positive certificates, but also negative ones (asserting that there are no criminal records), are to be deemed data related to criminal convictions and offences as foreseen under Articles 10 GDPR and LOPDGDD (and, therefore, subject to their rules). In fact, the AEPD goes further and clarifies that even a mere responsible statement of absence of criminal records would fall under the scope of Article 10 GDPR and LOPDGDD.

After clarifying that both positive and negative certificates constitute personal data, the decision focuses on whether or not there is a law authorising the processing of criminal record data, as required for lawful processing. In this regard, please note that, in Spain, there are very few laws permitting the request of such certificates (e.g. in the context of certain jobs involving contact with minors, taxi drivers, certain employees of casinos, etc.). In the case at hand, the AEPD does not identify a law supporting the sanctioned entity directly requesting the pertinent certificates from freelance carriers.

Taking the above into consideration, controllers should very carefully assess on a case-by-case basis whether they can lift the prohibition on processing data related to criminal convictions and offences (and more specifically, criminal record certificates), and clearly identify a bulletproof law grounding such processing before taking any related action. Without a law legitimising the processing, taking further steps to ensure compliance with other GDPR obligations (such as carrying out a DPIA) in relation to criminal record data could otherwise be deemed pointless.


Authored by Santiago de Ampuero and Clara Lázaro

© 2024 Hogan Lovells.