Log in Contact
July 14, 2026 · PESCHECK Team · screening

What Article 10 GDPR really means for HR screening

Article 10 GDPR adds strict rules to HR screening involving criminal convictions and offence data. Learn what employers can process, when, and with which safeguards.

Professional man presenting ideas in a modern office meeting space

Contents

5 min read

HR screening often involves more than basic identity checks. When a role requires review of criminal conviction or offence data, Article 10 GDPR adds a strict extra layer on top of the usual lawful basis of analysis. In practice, this means employers cannot treat criminal record data like ordinary CV or reference data (Art. 10 GDPR, 2018).

Article 10 does not ban background checks, but it does narrow how they can be done. For HR teams, the real question is not just “Can we check?” but “Under what legal authority, for what purpose, and with what safeguards?”.

What Article 10 says

Article 10 GDPR covers “personal data relating to criminal convictions and offences or related security measures” and says that processing based on Article 6(1) must be done only under the control of official authority or when authorized by Union or Member State law with appropriate safeguards. It also says any comprehensive register of criminal convictions may be kept only under the control of official authority.

That wording matters because it creates a higher threshold than ordinary HR processing. Even if an employer has a lawful basis under Article 6, that alone is not enough for criminal offence data.

Stop Treating Offence Data Like Regular HR Data

Article 10 means your current process could be non-compliant—no matter how strong your Article 6 basis is. Get background checks built for EU law, so you can onboard deep tech and fintech talent safely.

See compliant background checks

Why HR screening is different

In recruitment, employers often want to verify trustworthiness, protect customers, or meet sector-specific obligations. Those goals may be legitimate, but Article 10 requires more than a business reason. The ICO states that criminal offence data can only be processed if there is official authority or a domestic-law condition that authorizes it.

The EDPB also explains that legitimate interests under Article 6(1)(f) are not automatic and must be assessed carefully, including necessity and balancing against the applicant’s rights. In other words, “we want to know” is not a legal basis, and “it helps hiring” is not enough by itself.

“We Want to Know” Is Not a Legal Basis

Legitimate interests under Article 6(1)(f) do not automatically cover background screening. Ensure your HR processes meet Article 10 requirements and protect both your organization and candidates.

See HR-compliant background screening

When screening may be allowed

Article 10 does not make screening illegal across the board, but the employer must identify the correct legal route first, which in many European countries is tied to national law, regulated sectors, or specific role requirements. The ICO notes that for criminal offence data, employers must still have an Article 6 lawful basis and, separately, an Article 10 condition such as official authority or domestic law authorization.

Examples of roles where checks are more likely to be justified include positions involving children, regulated finance functions, security-sensitive jobs, or roles where local law expressly permits or requires vetting. The exact answer depends on the country, the role, and the data involved.

Common HR mistakes

One common mistake is relying on consent as a catch-all solution. In employment, consent is often weak because of the power imbalance between employer and candidate, and it is usually not a reliable substitute for a real legal basis.

Another mistake is asking for criminal record certificates “just in case”. The ICO warns that you should not collect more criminal offence data than necessary, and that processing on a large scale or access decisions can trigger DPIA requirements. 

A third mistake is treating a third-party screening vendor as the legal owner of the process. The employer remains responsible for the lawful basis, transparency, minimization, and retention of decisions.

Compliance checklist

Use this checklist before launching or updating HR screening involving criminal offence data:

  • Identify whether the data is actually criminal conviction or offence data under Article 10.
  • Confirm the Article 6 lawful basis for the broader screening activity.
  • Verify the Article 10 condition under local law or official authority.
  • Document necessity and proportionality, especially if relying on legitimate interests for related processing.
  • Carry out a DPIA where the screening is high risk or used to determine access to an opportunity or benefit.
  • Update privacy notices with clear, role-specific transparency.
  • Minimize the data collected and keep it only as long as needed.
  • Put robust safeguards in place, including access controls and human review where decisions affect candidates.

Turn Your Checklist Into Compliant Screening

Every step in this checklist is easier when baked into your hiring workflow. Reduce manual effort and GDPR risk with pre‑employment screening software built for EU compliance.

Get compliant pre‑employment screening

Practical example

A fintech company wants to vet a candidate for a customer-facing finance role. If the role is regulated and local law permits a criminal record check, the company may be able to process relevant data, but it still needs a lawful basis, a valid Article 10 condition, a clear purpose, and a documented DPIA if the risk is high. If the company instead asks for a full certificate “to be safe,” that is likely excessive and harder to justify under data minimization and Article 10.

What HR leaders should remember

Article 10 is not an obstacle to responsible screening but more like a guardrail. It forces HR teams to be precise about purpose, lawful authority, necessity, and proportionality before touching criminal conviction or offence data.

For compliance-driven hiring, that is a good thing. It helps organizations avoid over-collection, reduce legal risk, and build more defensible screening processes for regulated hiring.

Use Article 10 as a Guardrail, Not a Barrier

Precise purpose, lawful authority, necessity, and proportionality make your screening more defensible and less risky. Get a proposal tailored to your regulated hiring needs.

Get a proposal for compliant screening

Sources

  • GDPR Article 10 text.
  • EDPB Guidelines 1/2024 on Article 6(1)(f) legitimate interests.
  • ICO guidance on criminal offence data.