Artikel 10 📖 GDPR. Verarbeitung von personenbezogenen Daten über strafrechtliche Verurteilungen und Straftaten

Artikel 10 DSGVO. Verarbeitung von personenbezogenen Daten über strafrechtliche Verurteilungen und Straftaten

Article 10 GDPR. Processing of personal data relating to criminal convictions and offences

Die Verarbeitung personenbezogener Daten über strafrechtliche Verurteilungen und Straftaten oder damit zusammenhängende Sicherungsmaßregeln aufgrund von Artikel 6 Absatz 1 darf nur unter behördlicher Aufsicht vorgenommen werden oder wenn dies nach dem Unionsrecht oder dem Recht der Mitgliedstaaten, das geeignete Garantien für die Rechte und Freiheiten der betroffenen Personen vorsieht, zulässig ist. Ein umfassendes Register der strafrechtlichen Verurteilungen darf nur unter behördlicher Aufsicht geführt werden.

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Verbindungen

Artikel 6 DSGVO. Rechtmäßigkeit der Verarbeitung

Article 6 GDPR. Lawfulness of processing

(1) Die Verarbeitung ist nur rechtmäßig, wenn mindestens eine der nachstehenden Bedingungen erfüllt ist:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

[…]

Datenschutz-Grundverordnung (DSGVO)

Letzte konsolidierte Fassung (inkl. Berichtigung, ABl. L 314 vom 22.11.2016, S. (2016/679), Berichtigung, ABl. L 127 vom 23.5.2018, S. (2016/679)). EUR-lex

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Erläuterung ISO 27701 Leitlinien und Gerichtsurteile Leave a comment

Erläuterung

(RU) Данные об уголовных преступлениях рассматриваются особенным образом в соответствии с GDPR. Они представляют собой чувствительные данные, с которыми необходимо обращаться с надлежащей осторожностью, аналогично специальным категориям персональных данных [статья 9(2)]. Они подчиняются определенным правилам, но в то же время не подпадают под…

[…]

Autor

Louis-Philippe Gratton PhD, LLM

Datenschutzexperte

Frage stellen

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 10 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

The legal basis for the processing of PII can include:

— consent from PII principals;

— performance of a contract;

— compliance with a legal obligation;

— protection of the vital interests of PII principals;

— performance of a task carried out in the public interest;

— legitimate interests of the PII controller.

The organization should document this basis for each PII processing activity (see 7.2.8).

The legitimate interests of the organization can include, for instance, information security objectives, which should be balanced against the obligations to PII principals with regards to privacy protection.

Whenever special categories of PII are defined, either by the nature of the PII (e.g. health information) or by the PII principals concerned (e.g. PII relating to children) the organization should include those categories of PII in its classification schemes.

The classification of PII that falls into these categories can vary from one jurisdiction to another and can vary between different regulatory regimes that apply to different kinds of business, so the organization needs to be aware of the classification(s) that apply to the PII processing being performed.

The use of special categories of PII can also be subject to more stringent controls.
Changing or extending the purposes for the processing of PII can require updating and/or revision of the legal basis. It can also require additional consent to be obtained from the PII principal.

Leitlinien und Gerichtsurteile

(EN)

Legislation

Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, OJEU L 119, 4 May 2016, p. 89.