It is important for any business to know its employees. For some, it is not only important but also valuable. Could we trust the management of money to irrevocably convicted for financial offenses employees? The care of children or the transfer of students to their school to employees involved in cases of child pornography? Involvement (or not) in criminal offenses is certified with the criminal record certificate. Does the employer (or prospective employer) have the right to require such a certificate to be handed to them? Could one argue that not only a right but also a relative obligation sometimes exists?
Employment contract and personal data
The parties undertake, in each contract, specific obligations. Main or secondary. The same happens in employment contracts. The obligation of the employer to protect the personality of their employees is included among them. In protecting the employees’ personalities, they must also protect their personal data.
We have repeatedly been concerned with the possibility of collecting and (further) processing personal data of employees. The focus of our interest was, each time, the individual categories of personal data. We were concerned, for example, with the issue of monitoring and visually recording in the workplace. With the right (or not) of the employer to monitor the e-mails of their employees. We were also concerned, throughout the pandemic, with whether the employer is (or not) allowed to process sensitive personal data. More specifically, the health data of their employees.
In this article we will try to investigate the employer’s right to request from an employee (or prospective employee) a certificate for their criminal record.
The criminal record – Distinctions
The Code of Criminal Procedure distinguishes between two types of copies of criminal records. That for general and that for judicial use (271 par. 1 CCP).
The copy for judicial use
The contents of all criminal records, except those that have ceased to be valid, shall be recorded in the copy intended for judicial use. Despite its detailed content, it is administered to a limited, explicitly listed number of persons. Mainly intended for public services and public officials.
Among the cases explicitly mentioned in the Code of Criminal Procedure is the appointment of judicial officers, teachers of all levels, officers of Law Enforcement and candidates for admission to the academies of the Armed Forces and the Law Enforcement (57 CCP).
The copy for general use
The copy for general use shall contain the contents of all criminal records, with the exception of those:
(a) showing a fine or community service or imprisonment for up to six months after the expiration of three years;
(b) stating a sentence of imprisonment of more than six months or a sentence of confinement in a psychiatric ward after the lapse of eight years;
(c) which indicate imprisonment, after the lapse of twenty years (571 par. 3 CCP).
The respective employer can (theoretically) be given a copy for general use only. After all, “… where the law provides for the issuance and providing of a copy of any type or extract of a criminal record, a copy for general use shall be provided.” (570 CCP).
The conflict of interests of both sides
The employer seeks to develop a relationship of trust with their employees. For this reason, they may want / treat as necessary the receipt of the employee criminal record. Even as a condition for their hiring.
The relevant claim of the employer seems reasonable and, above all, legal. Sometimes, as mentioned above, imperative.
An unhindered requirement of criminal records of employees would affect two protected legal goods. Protected, in fact, by the Constitution itself.
The first is the presumption of innocence. However, since in the general criminal record (to which, in theory, the employer is entitled to have access) the irrevocable, only convictions are recorded, the specific good does not look, in the end, affected.
The second is the protection of human value. It covers, of course, the irrevocably convicted, imposing care for their social reintegration. A strict and comprehensive requirement for the absence of (any) criminal conviction would minimize the possibility of social reintegration. Even on the basis of the professional activity of the convicted person as a self-employed person.
But there is also the dimension of personal data protection. An indiscriminate requirement of criminal records of employees would run counter to the principle of proportionality. It would be an overstepping of the processing purpose. In this case, exceeding the protection of the legal interests of the employer. At the same time, it would conflict with the right to oblivion. But when would personal data protection law justify such processing?
They pre-existing law
The legislative framework
Based on the pre-existing law (Law 2472/1997) the criminal record was explicitly included in the category of sensitive personal data. According to article 2 b’ of Law 2471/1997, sensitive data were defined as the “… data concerning racial or ethnic origin, political views, religious or philosophical beliefs, participation in trade unions, health, social welfare and love life, criminal prosecution or conviction, as well as participation in associations of persons related to the above “.
The collection and further processing of the criminal record as sensitive personal data was, consequently, prohibited (Article 7 §1). It was allowed, exceptionally, under the conditions explicitly provided by law (Article 7 §2).
The position of the Personal Data Protection Authority
This issue has always been important. The Authority had to comment several times on the possibility of processing sensitive personal data. Among them, the criminal record.
The subject of some of its opinions was, precisely, the possibility of collecting and further processing the criminal records of the employees by the employer. Its position was gueded by the legal framework in force at any given time. Also, the effort to harmonize the conflicting interests of both sides.
The Authority, in a series of its opinions (including: nos. 101/2016, 4/2013, 115/2001), came to the following conclusions:
The collection and processing of personal data related to the absence of criminal convictions of the candidate for a job was possible when (explicitly and specifically) provided by law. In other words: The law may provide for the mandatory submission by the employee of a criminal record certificate, which will result in the absence of a conviction for specific crimes. Indicative: for the recruitment and occupation of positions in the banking sector, in the companies providing security services (security companies), in the stock broking companies, in the debtor information companies for outstanding debts, and so on.
Would it be possible for this collection and processing to take place without a specific legal provision that would make it permissible?
Such a legislative provision would be, according to the Authority, the provision of article 7 §2 g’ of Law 2472/1997. Provided, however, that the fundamental principle of proportionality is respected in view of the alleged purpose of processing. The protection, for example, of the conceptual interests of the employer.
In particular, the Authority required that the following conditions be met:
(a) The collection of information on the absence of a criminal conviction directly and only from the employee or candidate concerned.
(b) The exclusion of the collection and further processing of copies of criminal records of general use, as they exceeded the alleged purpose of processing. And this, in particular, because such processing could reveal the existence of criminal convictions, which had nothing to do with the main economic and productive activity of the employer company – as the controller.
(c) The qualification of the collection and processing of Official Declarations for the absence of irrevocable conviction (instead of a criminal record) by the candidates for a position. In fact, the absence of a conviction referred to in the Official Declaration should, according to the Authority, relate to acts recorded in the general criminal record.
(d) The collection and further processing of the above Official Declarations not for all categories of staff but for those, only, related to the main economic and productive activity of the employer, as a controller. This relationship arose from the duties of the employees of these categories based on their employment contracts and the document announcing the terms of their work (p.d. 156/1994).
(e) The observance of the above data for a specific time. That is, for a period of 5 years from the termination of the contract for those employed. Whereas, for the candidates who, in the end, were not recruited, for a period of 6 months from the completion of the recruitment process (announcement of recruits).
The applicable law
The legislative framework
Law 2472/1997, which was taken into account by the Authority for its above Opinions, has been repealed.
As of May 25, 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) has entered into force.
GDPR does not place the criminal record in the special category of sensitive personal data (Article 9). However, it reserves a more specific regulation.
To be precise, article 10 of GDPR mentions that “Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. 2Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
It is therefore doubtful whether the Authority ‘s Opinions now have any legislative basis.
Based on the Authority’s Opinions, the collection and processing of the employee’s criminal record by the employer, as well as any information of personal data relating to the absence of criminal convictions (eg Official Declarations), was, in principle, prohibited. It could, exceptionally, be carried out under the conditions set out by the relevant law.
However, under the current legal framework, the processing of personal data relating to criminal convictions and offenses or related security measures is carried out exclusively “under the control of an official authority”.
In order for such processing to take place by an informal authority (in this case by the employer) there is an important condition. It must be provided for and allowed by Union law or the law of a Member State which provides for adequate guarantees of the rights and freedoms of data subjects.
However, the Greek law implementing the GDPR, ie Law 4624/2019, does not provide for a corresponding regulation.
The position of the Personal Data Protection Authority
The Authority, in its Opinion No 1/2020, makes the following assumptions:
“While the provision of Article 10 of the GDPR shows that the national legislature is empowered (the ‘opening-specialization clause’) to take the necessary measures to provide adequate guarantees for the processing of personal data relating to criminal convictions and offenses, nevertheless No relevant measures are taken by law, nor does the explanatory memorandum indicate the reason for this omission.
In any case, even if the national legislature intended to take measures to implement Article 10 of the GDPR into specific sectoral legislation, contrary to its choice in relation to Article 9 of the GDPR, such measures have not yet been taken, thus making it largely impossible to apply the provision of Article 10 of the GDPR. ”
Therefore, based on the assumptions of the Authority, the receipt of an employee’s criminal record by the employer can still take place under those cases that are explicitly provided by a specific provision of law. However, unless there is an explicit provision in an applicable law, obtaining such a criminal record is not allowed.
As a result, in cases where there is no explicit legal provision, the collection and processing of personal data concerning criminal convictions and offenses of the employee by the employer, cannot be carried out.
In some cases, the employer’s knowledge of the criminal record of their employees (or prospective employees) proves to be important. Sometimes we would even say that the relevant claim is crucial. Shouldn’t an employer know if their (candidate) treasurer has been involved in financial crimes? A caring son if the lady he hired to take care of his elderly father has been involved in crimes against life? A father for the girl who takes care of his daughter or a mother for the teacher who tutors her son in the lessons if they have been involved in crimes against sexual dignity?
The issue turns out to be even more serious and complicated when third parties are (among) the ones who make strong (albeit tacit – as self-evident) relevant claims. Would we criticize the claim of a parent to know that the driver and the attendant of the school bus with which his children travel, have not been involved in crimes of child pornography?
What should we say to all of them? “You know the legislator has not made any relevant provision, so we are not entitled to request a criminal record for these employees.” How logical, moral and fair, after all, does it seem?
Let us not have reservations that the failure of the legislator to include in the (implementing of the GDPR-Law 4624/2019) provisions “for the processing of personal data concerning criminal convictions and offenses” proves to be problematic.
It is a given (obviously and self-evident) that the relevant omission must be remedied quickly.
Until then: I personally would have a hard time fault (more precisely: I could not fault) the caring son who demands a criminal record from the lady who he wants to hire to take care of his elderly father, the mother from the teacher who tutors her son, the father from the girl who babysits his daughter and the headmaster from the drivers and attendant of the school buses …
P.S. A brief version of this article has been published in MAKEDONIA Newspaper (August 16, 2020).
Disclaimer: the information provided in this article is not (and is not intended to) constitute legal advice. Legal advice can only be offered by a competent attorney and after the latter takes into consideration all the relevant to your case data that you will provide them with. See here for more details.