Menu
crime

Lithuanian DPA publishes Recommendation on the processing of criminal record data by the employer

, , , , , , , ,

State Data Protection Inspectorate of Lithuania recently has published recommendations regarding employers’ processing of criminal record data of employees and job candidates (in Lithuanian). The document provides detailed guidance to employers in Lithuania on the legal requirements and best practices for processing criminal record data of employees and job candidates. It emphasizes the need for a strong legal basis, careful assessment of necessity and proportionality, transparency, data minimization, and respect for employee rights. The overall goal appears to be ensuring that criminal record checks are conducted only when truly necessary and justified, while protecting individuals’ privacy and data protection rights in the employment context.

Criminal record data includes information about convictions and criminal offenses committed by individuals. Importantly, information that a person has no criminal record is also considered criminal record data. While criminal record data is not considered a special category of personal data under GDPR, its processing is subject to special rules under Article 10 of GDPR. In Lithuania, the processing of employees’ criminal record data is further regulated by the Law on Legal Protection of Personal Data (LLPPD).

    According to LLPPD Article 5(1), employers can process criminal record data of employees or candidates in two cases:
    a) When required by applicable laws
    b) When necessary for the legitimate interests of the employer, unless the interests or fundamental rights and freedoms of the employee/candidate override those interests

    Processing based on legal obligation

    When processing is based on a legal obligation, the following requirements must be met:

      • There must be a clear legal obligation to process criminal record data
      • The law must specify which criminal offenses are relevant and who is subject to the requirement of not having a criminal record
      • The law must be applicable to the specific employer

      The employer must be able to demonstrate that the processing complies with the scope and procedures set out in the legislation. They cannot make additional decisions to process data based on legitimate interest if the law already specifies what data must be processed.

      Processing based on legitimate interest:

      When processing is based on legitimate interest, the employer must:
      a) Conduct a written legitimate interest assessment
      b) Establish and approve a list of positions for which a clean criminal record is required, specifying the relevant offenses
      c) Only process criminal record data for employees/candidates in those listed positions
      d) Have the employee/candidate provide the criminal record data themselves (employer cannot collect it independently)

        The legitimate interest assessment must consider:

        • The specific nature of the job duties/functions
        • Potential risks posed by a person with a criminal record in that position
        • Justification and proportionality of the clean record requirement
        • Fundamental rights and freedoms of the employee/candidate
        • Other relevant circumstances

        Key points on the legitimate interest assessment:

        • It’s unlikely an employer could justify processing criminal records for all employees. They should evaluate which specific positions pose risks warranting such processing.
        • The employer must carefully assess what risks they are trying to mitigate through the processing.
        • The requirement to have no criminal record must be justified, proportionate, and related to the legitimate interest and potential risks.
        • The employer must justify why processing this data is essential to mitigate the risks.
        • The employee’s rights to privacy, data protection, choice of employment, and reasonable expectations regarding use of their data must be carefully weighed against the employer’s interests.
        • For minor employees, their interests as vulnerable persons would override the employer’s interest in processing criminal record data.

        Transparency requirements:

          • The list of positions requiring a clean criminal record must be published on the employer’s website, if they have one.
          • Candidates must be informed in advance about clean record requirements.
          • When requesting criminal record data, employees/candidates must be provided all relevant information about the data processing as required by GDPR Article 13.

          Minimization and timing of data collection:

            • To avoid excessive data processing, criminal record data should only be requested from candidates who have been selected for specific positions, not from all applicants.

            Restrictions on data collection:

              • The employer can only process data on criminal offenses for which the conviction has not expired or been annulled.
              • Criminal record data must be provided by the employee/candidate themselves. The employer cannot independently collect it from state registries or other sources.

              Examples of potentially justified processing:

                • A bank may need to process criminal record data for employees involved in anti-money laundering and counter-terrorist financing functions, as required by banking laws.
                • An employer may have a legitimate interest in knowing if an employee authorized to trade securities with company funds has convictions for embezzlement, fraud, forgery, etc.
                • For an employee responsible for information system security, processing criminal record data could potentially be justified.

                Examples of likely unjustified processing:

                  • Processing criminal record data for all employees without assessing specific job functions.
                  • Processing data on traffic offenses for employees whose roles don’t involve driving.
                  • Processing criminal record data for a document administrator position likely could not be justified.

                  Special considerations:

                  • When specifying relevant offenses, employers can list them by category (e.g. financial crimes, cybercrime) if objectively justified, but should explain this choice in their assessment.
                  • If there’s a need to process data on specific offenses, only those should be included in the approved list.
                  • Employers should consult with employee representatives when establishing the list of positions requiring clean records.

                  Key principles to follow:

                  • Necessity: Criminal record checks should only be conducted when strictly necessary for specific high-risk positions.
                  • Proportionality: The types of offenses checked should be directly relevant to the identified risks of the position.
                  • Transparency: Employees and candidates must be clearly informed about criminal record requirements and data processing.
                  • Minimization: Data should only be collected for selected candidates, not all applicants.
                  • Legitimate basis: Processing must be based on legal obligation or carefully justified legitimate interest.
                  • Data subject rights: The interests and fundamental rights of employees/candidates must be thoroughly considered and balanced against employer interests.

                  • Save

                  Related Posts

                  Leave a Reply

                  Your email address will not be published. Required fields are marked *

                  This site uses Akismet to reduce spam. Learn how your comment data is processed.

                  Share via
                  Facebook
                  Twitter
                  LinkedIn
                  Mix
                  Pinterest
                  Tumblr
                  Skype
                  Buffer
                  Pocket
                  VKontakte
                  Parler
                  Xing
                  Reddit
                  Line
                  Flipboard
                  MySpace
                  Delicious
                  Amazon
                  Digg
                  Evernote
                  Blogger
                  LiveJournal
                  Baidu
                  MeWe
                  NewsVine
                  Yummly
                  Yahoo
                  WhatsApp
                  Viber
                  SMS
                  Telegram
                  Facebook Messenger
                  Like
                  Email
                  Print
                  Copy Link
                  Powered by Social Snap
                  Copy link
                  CopyCopied
                  Powered by Social Snap