Article 10 of the GDPR : Processing of personal data relating to criminal convictions and offences.

L'Article 10 du RGPD encadre le traitement des données relatives aux infractions, condamnations pénales et mesures de sûreté. Ces données, considérées comme particulièrement sensibles, ne peuvent être traitées que sous des conditions très strictes.

Article 10 of the GDPR explained

The processing of such data is authorized only if :

It is carried out under the supervision of the public authorities;
Or if expressly authorized by the law of the Union or of a Member State, subject to appropriate safeguards for the rights and freedoms of the persons concerned.

Article 10 applies in particular to processing operations involving criminal records, serious administrative penalties or data from criminal records.

Why is this article important for your GDPR compliance?

This type of data poses a greater risk to the fundamental rights of individuals. Article 10 therefore imposes reinforced protection, and strictly limits the cases in which such data may be processed, notably in a professional context (recruitment, checks on good repute, etc.).

How to comply with Article 10 of the GDPR ?

Assess whether your processing operations involve data relating to criminal offenses or convictions.
Make sure that such processing is authorized by an explicit legal provision.
Check that processing is carried out under the control of a public authority, or with appropriate safeguards (e.g. restricted access, clear legal framework).
Keep this data only for as long as is strictly necessary, and plan for its secure deletion.

Examples of the application of Article 10 of the GDPR

A private security company may request an extract from a criminal record, but only if this is required by national law.
A public body that issues administrative sanctions must strictly control access to and use of this data.
A recruiter cannot demand criminal information without an explicit legal basis, justified by the nature of the position.