Below we briefly address a couple of provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“Regulation”) that appear to conflict with one another, while, to our knowledge, there is as yet no official guidance on the approach recommended by the relevant authorities.
We specifically refer, on one hand, to Article 28 para. 1 of the Regulation, under which:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”
and, on the other hand, to Article 10, which stipulates that:
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
1. A due diligence obligation incumbent upon data controllers in relation to their data processors
Article 28 referred to above provides for a due diligence obligation, under which data controllers must ensure that the processors they choose are able to meet the security standard expected under the Regulation. In light of the principle of accountability, which is a paramount feature of the data privacy regime created under the Regulation, the extent to which a data controller meets this obligation should be properly documented before actually entering into a contract and a related data processing agreement.
One way to meet and document this obligation is to include in the data processing agreement adequate representations and warranties given by the data processor regarding its ability to implement appropriate technical and organizational measures; the more comprehensive the representations and warranties, the better. However, this may not be (or may not be considered) enough. In practice, it may simply result in breached representations and warranties given by data processors that lack the resources to compensate for the damage they cause. In our view, a more extensive verification may therefore be needed, at least in some cases.
Further prior checks may be needed, including verification of information available from public sources, including the internet. Such verifications may reveal that the intended data processor and/or a key individual within the data processor’s organization is either suspected of or has perpetrated relevant criminal offence(s) (e.g. unauthorized transfer of computer data, illegal access to a computer system, or altering the integrity of computer data, all of which are criminalized by the Romanian Criminal Code). Moreover, in a due diligence exercise of this type, not only criminal offences strictly related to data may be relevant; economic offences and integrity-related offences (such as forgery) may be relevant too.
In fact, prior due diligence checks on intended contractual partners, whether or not they relate to data processing agreements, have become standard in many industries, and ethics considerations are increasingly valued by companies.
2. Severe limitations in the processing of personal data relating to criminal convictions and offences
Article 10 of the Regulation sets forth severe limitations on the processing of personal data relating to criminal convictions and offences, which may be processed only “under the control of official authority” or if “authorised by Union or Member State law”. It is not clear whether such official authority can only be an authority with competencies in the criminal law field or whether other authorities (such as the data protection authority itself) can also fit the role designed under Article 10. In any event, the instances in which European Union or Member State law provides a basis for the processing of data on criminal convictions and offences are quite limited in number, and do not cover most of the situations in which companies are interested in, or even compelled by global procedures and industry standards to perform, prior checks on intended contractual partners.
Moreover, it is not clear whether the scope of Article 10 covers only personal data relating to criminal convictions and offences for which courts have imposed a sanction, or whether mere information that a person is under criminal investigation is also covered.
In addition, Article 10 does not appear to exclude from its scope data that are already public, whether because the data subject has made the data public him/herself, because the data are available in public registries (for example, a criminal file registered with the land book where the data subject’s ownership title is registered), or because the data have otherwise entered the public domain.
3. The conflict
Whatever the scope of Article 10, it raises a serious conflict with the aforementioned Article 28 in terms of the due diligence obligation of the data controller. In other words, if, while performing prior checks, data controllers identify information regarding criminal convictions or offences presumably perpetrated by key individuals within the intended data processor’s organization, what is the data controller supposed to do with that information in light of the limitations in Article 10?
One potential interpretation, aimed at preserving the application of each of the provisions at issue, is that Article 28 and the obligation of the data controller set forth therein should be seen as one of the instances in which the processing of personal data “is authorized by Union or Member State law” (as Article 10 requires); under that interpretation, the processing of data relating to criminal offences under Article 28, and for the purpose provided therein, could be regarded as permissible.
However, this interpretation does not help in the many other instances in which such processing is needed in light of a company’s legitimate interest in making prior checks on its intended contractual partners. In that respect, in most cases, European Union and Romanian law are silent, and companies face the risk of being (unjustly) found in breach of Article 10 of the Regulation. A further potential interpretation is that information that is public (either because it was made public by the data subject or because it is available in public registries) falls outside the scope of Article 10 of the Regulation.