Data relating to criminal convictions and offenses receive heightened protection under the GDPR because of the sensitivity of the information they cover and the high impact they can have on the rights and freedoms of data subjects. According to the CJEU, this type of information “may constitute a particularly serious interference with the fundamental rights to respect for private life and protection of personal data, guaranteed by Articles 7 and 8 of the Charter [see, to that effect, judgment of 24 September 2019, GC and Others. (De-indexing of sensitive data), C-136/17, EU:C:2019:773, paragraph 44)” because the data of Article 10 “concern conducts that arouse the disapproval of society, the granting of access to such data may result in the stigmatization of the data subject and thus constitute a serious interference with his private or professional life” (C-439/19, p. 74-75).
The origins of Article 10 GDPR are reflected in Article 8(5) of Directive 95/46/EC. Paragraph 5, which dealt with this type of data, was included in Article 10 entitled “Processing of special categories of data” which contained the regulation of both so-called “sensitive” and “judicial” data: both are characterized by the delicate nature of such information, although each of these categories is the subject of a specific discipline. The GDPR intended to distinguish the regulation in two separate articles, Article 9 for what the regulation calls “special categories of data” and Article 10 for “data relating to criminal convictions and offences and related security measures”.
Scope of application of art. 10
Unlike the previous Italian privacy code, the GDPR does not specify what is meant by “criminal convictions and offences”. Therefore, a first question concerns the scope of application of the regulation, i.e. to establish which personal data are subject to the stricter discipline provided by Article 10.
Nature of the offence
The information regarding the offence that falls within the scope of application of Article 10 GDPR is clearly criminal in nature. Firstly, this can be inferred from the vocabulary used by the legislator “criminal convictions and offences”; although the reference to “offences” is not found in all language versions of the regulation (CJEU, C-439/19, p.77).
Article 8(5) of Directive 95/46/EC left it to each Member State to assess whether the special rules on data relating to criminal convictions and offences should extend to data relating to administrative sanctions and offences; in some national legislation implementing the Directive, this has indeed been the case[efn_note]For example, the legislation of the Republic of Latvia that originated Case C-439/19 at the CJEU.[/efn_note].
During the GDPR approval process, the EU Parliament had proposed to include “administrative sanctions” in the category of data under Article 10 without this proposal being accepted in the final version. Accordingly, the CJEU considers “that the Union legislature, by deliberately omitting to include the adjective ‘administrative’ in Article 10 of the GDPR, intended to reserve the enhanced protection provided by that provision to the criminal sphere only.” (C-439/19, p. 78).
Notion of offence
Regarding the notion of “offence”, Directive 2016/680 on the processing of personal data by competent authorities for the prevention of and the fight against crime and for public security (so-called “Police Directive”) comes to the rescue. Recital (13) of this directive states that “a criminal offence within the meaning of [that] directive should constitute an autonomous concept of Union law as interpreted by the Court of Justice of the European Union.” Nor does the GDPR “contain any reference to national laws as to the scope of the terms contained in Article 10 thereof, in particular the terms ‘offences’ and ‘criminal convictions’.” (CJEU, C-430/19, para. 82).
EU law as an interpretative source
Therefore, in order to establish what is meant by “criminal” and what is “offence”, it is necessary to refer to the law of the Union rather than to that of the Member States.
The identification of the interpretive source in Union law stems from the primacy of the same over the law of the Member States and the consequent need for the former to be interpreted autonomously and uniformly (judgments of 19 September 2000, Linster, C-287/98, EU:C:2000:468, paragraph 43, and of 1 October 2019, Planet49, C-673/17, EU:C:2019:801, paragraph 47 and, most recently, Latvia, C-439/19, paragraph 81). Moreover, as highlighted by the CJEU, “[d]ue to recital 10 of the GDPR, it emerges, then, that the latter seeks to contribute to the establishment of an area of freedom, security and justice by ensuring a consistent and high level of protection for natural persons with regard to the processing of personal data, which presupposes that that level of protection is equivalent and homogeneous in all Member States.” (C-439/19, para. 83).