依第 6 條第 1 項處理涉及前科及犯罪之個人資料或相關安全措施，僅 有下列情形之一者，始得為之：於公務機關控制下所為之處理，或歐 盟或會員國法已為資料主體之權利與自由規範適當保護措施而授權 之處理。任何全面性的前科紀錄僅限由公務機關控管保存。
Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 10 GDPR:
7.2.2 Identify lawful basis
The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.
Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.
The legal basis for the processing of PII can include:
Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, OJEU L 119, 4 May 2016, p. 89.
(EN) Criminal offence data are treated specifically by the General Data Protection Regulation. They represent sensitive data that must be dealt with appropriate care, similarly to special categories of personal data (article 9). They obey particular rules, but they do not expressly fall under the “special categories of personal data”. They have their own legal regime and they do not benefit from similar exceptions as the aforementioned data [article 9 (2)].