GDPR-A10-01: Processing Criminal Conviction Data Under Official Authority
Processing personal data relating to criminal convictions and offences is one of GDPR's most heavily restricted activities. This control requires that such processing only occur under official authority or explicit Union/Member State authorization with documented safeguards. For SMBs handling sensitive records, understanding when and how you can legally process this data is critical to avoiding substantial penalties.
What this means
GDPR Article 10 prohibits the processing of personal data revealing criminal convictions or offences except under strict conditions. Your organization can only process this data if: (1) you operate under official authority (such as law enforcement, courts, or government agencies), or (2) you have explicit legal authorization from EU or national law that includes appropriate safeguards protecting data subject rights. Processing without proper authorization exposes your organization to regulatory action and reputational damage.
How to comply
- 1.Identify whether your organization qualifies as an official authority or has explicit legal basis for processing criminal conviction data
- 2.Document all legal authorizations (Union law, Member State law, or official capacity) that permit your processing activities
- 3.Implement technical and organizational safeguards specifically designed to protect the rights and freedoms of individuals whose conviction data you process
- 4.Establish data minimization practices—only process criminal conviction data when absolutely necessary for your authorized purpose
- 5.Create and maintain access logs showing who accesses criminal conviction records and when
- 6.Train relevant staff on the heightened sensitivity and legal restrictions surrounding criminal data
- 7.Conduct a Data Protection Impact Assessment (DPIA) before beginning any criminal conviction data processing
- 8.Establish a retention schedule that deletes criminal conviction records when no longer legally required
Evidence auditors look for
- Written legal opinion confirming your organization's official authority or statutory authorization to process criminal conviction data
- Data Processing Agreement (DPA) with any third-party processors explicitly addressing criminal conviction data handling
- DPIA documentation specific to criminal conviction data processing activities
- Staff training records demonstrating awareness of Article 10 restrictions and safeguard requirements
- Access control logs and audit trails for systems storing criminal conviction information
- Data retention policy showing scheduled deletion dates for criminal records
- Technical security measures (encryption, segregation, monitoring) applied specifically to criminal conviction datasets
- Documented safeguards aligned with your legal authorization (e.g., law enforcement protocols, court procedures)
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the tracking of criminal conviction data processing activities, flagging unauthorized access attempts and maintaining audit trails that demonstrate your compliance safeguards to regulators.
See how GRCWatch handles this control automatically
Start free trial