At some companies, it is not unusual to ask for a certificate of good conduct of suitable candidates regarding certain positions. These precautions might seem reasonable and appropriate but Section 10 of the GDPR clarifies in which cases the employers may request such verification of clean criminal record.

According to GDPR, personal data related to criminal convictions and offences could be processed only by an official authority or when the processing is authorised by an EU or national law providing for appropriate safeguards for the rights and freedoms of data subjects. Employers may legally request a certificate of good conduct only if the law requires it for the specific position. These provisions are quite narrow and typically apply for positions in the public service.

Regarding the positions where the law does not require clean criminal records, the employer’s legitimate interest, be it as significant as possible, is not sufficient to justify the lawfulness of data processing. Moreover, the purpose of data processing cannot be based only on the employee’s consent.

In view of the above, it is recommended for every company to review and sort stored personal data and to revise labour recruitment practices, because the unlawful processing of the above special data will be treated more rigorously by the authority.