Commentary on Art. 10

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Processing of personal data relating to criminal convictions and offences

  • Personal data relating to convictions and offences or related safeguards are all personal data of the offender relating to ongoing proceedings and judgments (including non-final judgments). This information may relate to:
    • The mere fact that proceedings are being conducted against the person concerned;
    • The factual circumstances of the prohibited act committed by the offender or suspected offender;
    • The content of the judgment, including any protective measures, penalties or sanctions imposed on the offender.
  • In the opinion of PUODO (Polish Office for the Protection of Personal Data), the declaration of no criminal record also constitutes personal data relating to convictions and criminal acts or related safeguards within the meaning of the GDPR.
  • In practice, controllers – who in Poland are private entities – may only process personal data concerning convictions and criminal acts or related safeguards if they are permitted to do so by the provisions of generally applicable Polish law.
  • If the controller processes personal data concerning convictions and criminal acts or related safeguards on the basis of the legislation, he or she should carry out such processing only and precisely in the manner, for the purposes and to the extent indicated in the legislation. If the legislation does not specify any particular processing issues, the controller should comply with the provisions of the GDPR, in particular taking into account the processing principles referred to in GDPR Article 5.

What is personal data concerning convictions and criminal offences or related safeguards?

The term “convictions and criminal offences or related safeguards” is not defined either in the GDPR or in Polish legislation (which uses different terms). Therefore, there may be doubts as to whether certain personal data processed in Poland relates to convictions and criminal offences or related safeguards within the meaning of the GDPR.

Without going into detailed considerations, it seems reasonable to assume that personal data relating to convictions and criminal offences or related safeguards includes, at least, all personal data of the offender relating to any type of judgments (including non-final) and related proceedings in criminal matters, in particular felonies (including criminal-fiscal offences), misdemeanours (including those punishable by fines and legal-fiscal misdemeanours), as well as proceedings for the issuance of such judgments. This information may, at least in theory, relate to:

  • The mere fact that proceedings are being conducted against the person in question;
  • The factual circumstances of the prohibited act committed by the offender or alleged offender;
  • The content of the judgment, including the protective, penal or punitive measures applied to the offender.

According to PUODO, information on the absence of a criminal record is also information containing data under GDPR Article 10 (Therefore, any certificate of not having a criminal record which will contain information about convictions or information about the fact that the person has not been convicted will be information concerning convictions and criminal acts within the meaning of GDPR – see: Protecting personal data at work. A guide for employers).

It should also be noted that Article 10 applies both to the processing of personal data in the form of, inter alia, certificates from registers, and to declarations by data subjects. In other words, obtaining a declaration that a person has no criminal record also constitutes the processing of personal data relating to criminal convictions and offences or related safeguards within the meaning of the GDPR and is subject to the specific legal regime referred to in GDPR Article 10.

What are the conditions for processing data relating to criminal convictions and offences or related safeguards?

In general, two conditions must be met for such processing:

  • The controller must be able to identify an adequate basis for processing such data, in accordance with GDPR Article 6(1), for the purpose for which he or she intends to process it;
  • The processing of such data by the controller must be carried out under the supervision of a public authority or be authorised by European Union or Member State law providing for adequate safeguards for the rights and freedoms of data subjects.

What are the bases referred to in GDPR Article 6(1) for processing personal data relating to criminal convictions and offences or related safeguards?

We write more about the bases for processing data in the commentary on Article 6.

In theory, the controller can apply any of the bases for processing listed in GDPR Article 6(1) to the processing of the data in question. However, the basis for processing personal data must always be related to the purpose of processing, which itself must be in accordance with the law, as well as the other conditions indicated in GDPR Article 10 (processing under the supervision of a public authority or permitted by law).

Therefore, in practice, the most common bases for processing this type of data in Poland will be:

  • The basis allowing processing, if the processing is necessary to comply with a legal obligation incumbent on the controller;
  • The basis allowing processing if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • The basis allowing processing where such processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Given the specific legal regime for the processing of personal data relating to criminal convictions and offences or related safeguards, it is advisable for the controller, when deciding to process such data, to analyse in advance (and document accordingly) whether he or she has a basis for processing such data and how he or she should organise the processing of such data to ensure compliance with the GDPR and other data processing rules (e.g. the principle of minimisation, purpose limitation, etc.).

What does “processing exclusively under the supervision of a public authority” mean?

The processing of personal data relating to criminal convictions and offences or related safeguards is permitted, inter alia, where the controller – having a basis for processing indicated in GDPR Article 6(1) – carries out this processing under the supervision of a public authority.

It seems that in order for this condition to be fulfilled – bearing in mind the Polish legal system – the framework for such processing should be explicitly described in the provisions of generally applicable law. This means that, from the point of view of private entities, the condition in question does not have any significant practical meaning, as such entities will be able to process the personal data in question, as a rule, only if this is allowed by law (see below). This approach is also safer from a legal point of view.

In what situations does the processing of personal data relating to criminal convictions and offences or related safeguards permitted by EU law or Member State law provide adequate safeguards for the rights and freedoms of data subjects?

Before claiming that it may process personal data relating to criminal convictions and offences or related safeguards, the controller should identify generally applicable legislation that:

  • Is directly applicable thereto;
  • Explicitly allows the processing of this type of data;
  • Governs the manner and extent of processing.

If there is no such legislation, the procedures put in place by the controller, for example, will not constitute such a basis.

The GDPR further indicates that legal provisions authorising the processing of personal data relating to criminal convictions and offences or related safeguards should provide for adequate safeguards for the rights and freedoms of data subjects. However, it seems that a private entity basing the processing of the personal data in question on existing legal provisions is not obliged to assess whether these provisions meet the indicated requirements – he or she may assume that, if a provision is part of the Polish legal order, it complies with GDPR requirements.

Importantly, the processing of personal data relating to criminal convictions and offences or related safeguards should take place only and precisely in the manner, for the purposes and to the extent indicated in the legislation. Where the legislation does not specify any processing issues, the controller should comply with the provisions of the GDPR, in particular taking into account the principles of data processing referred to in GDPR Article 5.

Is it permissible for an employer in Poland to process the personal data of job applicants or employees concerning criminal records?

This is one of the questions most frequently asked by foreign corporations that start operations in Poland. The processing of such personal data will be permissible if there is an explicit provision permitting its processing. There are few such provisions in Poland; a selection of them is presented below.

What if there are no such explicit provisions? Would a job applicant's or employee's consent to the processing of such data legalise its processing?

In light of the wording of Article 22¹ᵃ of the Labour Code, the consent of a job applicant or employee cannot constitute the basis for the processing of personal data referred to in GDPR Article 10, and therefore the processing of such data by the employer will not be permitted.

Examples of Polish legislation allowing the processing of personal data relating to criminal convictions and offences or related safeguards

Examples of Polish legislation that regulates the processing of personal data relating to criminal convictions and offences or related safeguards are:

  • The Education Act of 14 December 2016;
  • The Act of 12 April 2018 on Rules for Obtaining Information on the Criminal Record of Applicants for Employment and Persons Employed in Financial Corporations and Institutions.

The provisions of the latter act will apply to financial corporations and institutions allowed to verify the criminal records of job applicants or employees. Nevertheless, the law provides for a number of limitations to be taken into account, in particular:

  • The Act can only be invoked by entities that are expressly referred to in the Act (so the entity in question should first analyse whether it meets the conditions allowing it to exercise its rights under the Act);
  • Verification applies to job applicants or employees (as well as persons employed on the basis of civil law contracts) who are recruited/employed in jobs defined in the Act;
  • Verification can only take place in respect of the offences indicated in the Act;
  • The Act specifies in detail the procedure to be followed when verifying a criminal record, e.g. the form in which the information is provided and documented.

Do the provisions referring to the requirement to be in good repute provide a basis for processing an employee's criminal record?

Regulations governing the practice of certain professions include the requirement that a person must be of good repute. According to PUODO, “good repute” is a vague, undefined term referring to discretionary premises of an evaluative nature, and it does not constitute a basis for the processing of data on an employee's criminal record by an employer, as it does not directly result from legal provisions.