A decision of the Italian privacy authority on the illegal collection of data on criminal convictions of employees raised the issue of a practice that is quite common.
We are running a number of privacy audits on companies that need to get compliant with the General Data Protection Regulation, and we can verify that the practice of collecting a police clearance report (in Italian the “casellario giudiziale”) of employees is quite common, regardless of the role to be taken by such employees, just because this is a standard practice adopted with anyone hired by the company and in the absence of a regulatory obligation.
Also, some companies even extend the collection of data on criminal convictions to their suppliers, and the provision of a police clearance report is a condition for enrolment in the registry of suppliers.
The position of the Italian privacy authority regarding data on criminal convictions
The practice outlined above should be evaluated more carefully after the recent decision of the Italian data protection authority (the “Italian DPA”). Under the current Italian Privacy Code, it is possible to process judicial data (which include the police clearance report and any data on criminal convictions) only if this is either provided for by the law or with the prior authorisation of the Italian DPA, which can also be granted by means of a “general authorisation” that does not require an ad hoc application by each entity. The mere consent of individuals is not sufficient per se to authorise the processing of judicial data.
For this purpose, a company asked the Italian DPA whether it could be authorised to collect police clearance reports of its employees and to communicate their contents to a company for which the requesting entity provides outsourced cleaning and handling services.
The request was rejected by the Italian DPA, since the general authorisation on the processing of judicial data issued by the Italian privacy authority authorises the collection and the processing of data on criminal records of employees only when it is
“essential to […] fulfil or require the fulfilment of specific obligations or perform specific tasks provided by laws, EU law, regulations and collective workers agreements, and just for the purpose of managing the employment relationship”.
If a company is found collecting police clearance reports of its employees (or any other judicial data relating to them), it could be deemed to be in breach of privacy laws, unless it is able to argue that the processing of judicial data falls either under the wording of the general authorisation above or under a provision of law, or unless it obtains a specific authorisation from the Italian DPA.
What changes with the EU General Data Protection Regulation?
The GDPR adopts a strict approach in relation to judicial data since it provides that
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”
It is not sufficient either to obtain the individual's consent or to argue that the collection of data relating to criminal convictions is necessary for the performance of an agreement; the processing needs to be expressly authorised by EU or national law.
Also, where data on criminal convictions or offences is processed, the GDPR provides that:
- The obligation to maintain a registry of processing activities is triggered for data controllers and data processors, even if they have fewer than 250 employees;
- A privacy impact assessment is necessary if personal data relating to criminal convictions and offences is processed on a large scale; and
- The appointment of a data protection officer is necessary, should the core activities of the controller or the processor consist of processing personal data relating to criminal convictions and offences on a large scale.
The above requirements make the possibility of collecting judicial data relating to criminal convictions and offences much more limited. Unless it is possible to argue that one of the exceptions above applies, companies that have been collecting such data in the past should delete it or anonymise it as soon as possible, and in any case before the 25th of May 2018, in order to avoid the risk of the sanctions provided by the GDPR.