The Italian data protection authority (the Garante) issued a GDPR fine for criminal checks without a privacy-related legal basis consolidating a position leading to significant issues for multinational companies in handling their employees' data.