Share This Article
The Italian data protection authority (the Garante) issued a GDPR fine for criminal checks without a privacy-related legal basis consolidating a position leading to significant issues for multinational companies in handling their employees’ data.
In a recent decision, the Italian privacy authority emphasized the narrow limits within which it is possible to process data relating to criminal checks under the GDPR.ย The absence of specific laws or regulations expressly authorizing such data processing prohibits the performance of criminal checks, regardless of whether they contain explicit references to crimes or ongoing legal proceedings. Even invoking the right of defense has limitations, as personal data associated with criminal convictions and offenses can only be processed on this legal basis when an actual proceeding is ongoing.
The limited legal basis to run criminal checks under Italian privacy law
Under Article 10 of the GDPR, any information related to events associated with committing crimes or criminal proceedings affecting an individual falls under the classification of “personal data relating to criminal convictions and offenses or related security measures.”ย The same article provides that processing such personal data relating to criminal convictions can occur “only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”
The limited Italian privacy-related exceptions to the prohibition of performing criminal checks
The Italian privacy code specifies scenarios in which such a legal basis applies, adding – among others – the circumstances when there is the need for “establishment, exercise or defense of a right in a court proceeding.”ย But the exceptions to the prohibition of criminal checks remain limited.
According to this recent decision from the Garante, this specific exception applies only when an actual pending proceeding exists.ย ย The Garante, in numerous instances, has emphasized that the processing of personal data of criminal convictions must be linked to ongoing disputes or pre-contentious situations rather than speculative scenarios of potential defense or rights protection.
In the case at hand, there was an ongoing mediation.ย Consequently, – according to the Italian data protection authority –ย there was no immediate need for defense since the parties involved had been summoned to appear before an official for mediation.ย This stage offered the opportunity to reach an agreement between the parties without resorting to the exercise of defense, considering the suspect status of the individual concerned.ย As such, the exception mentioned above did not apply.
The impact of the decision on criminal checks run on employees and suppliers
The restrictive measure the Garante took is not new but has a considerable impact.ย Indeed, we frequently receive requests from clients willing to run criminal checks on their employees and suppliers according to their internal policies and, sometimes, based on foreign law provisions that, as such, are not applicable in Italy.
It is a tricky scenario, and we often need solutions to minimize risks.ย In this respect, it is worth mentioning that – according to the Garante – it does not matter that criminal record checks contain express references to the crimes committed or judicial proceedings in progress.ย Still, it is sufficient that it is “information relating to events connected with the commission of crimes or criminal proceedings, affecting a natural person” to qualify that data as “personal data relating to criminal convictions and offenses or related security measures” within the meaning and effect of Article 10 of the Regulations, which would also include self-declarations where an individual denies the existence of crimes or criminal proceedings against them.
Businesses must be cautious in these circumstances to avoid potential GDPR fines.ย On a similar topic, you may find the following article interesting “A privacy breach is not always a crime in Italy, according to the Supreme Court.”
Photo by Tingey Injury Law Firm on Unsplash
