GDPR: what should I keep in mind when I want to process personal data relating to criminal convictions and offences?
Personal data relating to criminal convictions and offences or related security measures (e.g. a driving prohibition and/or fine imposed by the judge due to speeding or alcohol intoxication, a sentence of imprisonment for theft with violence) may only be processed:
- under government supervision; of
- when the processing is permitted by law.
Data on criminal offences can therefore only be processed if the processing is either supervised by an official authority or authorised by European or national legislation.
Consequently, if you, as a researcher, wish to process data on criminal offences, you will need to check whether your processing is permitted by applicable national legislation. It is essential that there is legislation allowing the processing of personal data of a criminal nature; there must be a direct legal basis regulating the processing of personal data relating to criminal convictions and offences.
In addition, a legal basis under Article 6 GDPR is also still necessary.
Belgium
The Belgian legislation, Framework Law (Article 10), contains certain conditions for processing personal data relating to criminal convictions and offences. These conditions should be interpreted restrictively.
Personal data relating to criminal offences may therefore - as implemented by Article 10 Belgian Framework Law - only be processed in the following cases:
- by natural or legal persons to the extent necessary for the management of their own disputes;
- by lawyers or legal advisers to the extent required for the defence of their clients' interests;
- the processing is necessary for reasons of substantial public interest for a task of public interest prescribed by or pursuant to law (e.g. the regulation concerning the Central Criminal Register in the Belgian Code of Criminal Procedure);
- the processing is necessary for scientific, historical or statistical research or for archiving purposes;
- the data subject has explicitly consented in writing;
- for a purpose for which the data subject has disclosed the data himself/herself.
For scientific research only the data concerning criminal convictions and offences that are really necessary for that scientific research may be processed. To assess which data are necessary, you should ask yourself the following question: "can I achieve my research goal without processing personal data (e.g. with anonymous or source-anonymised data) or with less personal data?". If the answer is positive, then there is no need to process personal data.
If you process personal data concerning criminal convictions and offences for an investigation, you must in addition take appropriate safeguards, which are included in the Belgian Framework Law (Article 10, § 2). First, the categories of persons who have access to the personal data must be listed. In each case, the capacity in relation to the processing of the intended data must be described. You can do this in your GDPR Record via dmponline.be.
In addition, persons who have access to personal data of a criminal nature must be bound by a statutory or equivalent contractual provision to respect the confidential nature of the data concerned. For UGent employees, reference can be made here to the Generic Code of Conduct for the processing of personal data and confidential information at UGent.
Data minimisation
If you process data relating to criminal convictions and offences in the context of scientific research, you must also take into account Article 89(1) GDPR, namely: if the scientific research is possible using data that does not allow, or no longer allows, the identification of the data subject, you must organise it in this way.
As a researcher, you are therefore obliged to use anonymous data (i.e. data that does not allow or no longer allows the identification of the data subject), insofar as this allows the achievement of the intended research purpose. If anonymous data does not allow the achievement of the purpose, a research may use pseudonymised personal data (e.g. longitudinal studies where data subjects' data must be able to be linked over time).
Conclusion
When you wish to process personal data relating to criminal convictions and offences in a scientific study, you should ask yourself the following questions:
- Do I effectively need personal data, or can I also work with (by the source) anonymised data?
- If not: is the processing of personal data in my research permitted by an applicable national law (Article 10 GDPR)?
- For Belgium: is the processing of personal data necessary for my scientific research?
- Have I taken the necessary appropriate safeguards?
- Do I have an applicable legal basis (Article 6 GDPR)?
Can I organise the data processing so that identification of the data subject is not or no longer possible (pseudonymisation or anonymisation; Article 89 GDPR), during and/or after my research?
More tips
- GDPR: how can I ensure that the processing of personal data is lawful? (Research integrity & ethics)
Translated tip
Last modified Aug. 28, 2024, 8:53 a.m.