Criminal background checks are an important but sensitive aspect of employment processes. Article 10 of the EU 2016/679 General Data Protection Regulation (GDPR) sets out a special regime for processing personal data related to criminal convictions and offences, ensuring that such information is handled responsibly and lawfully. Under Article 10 of the GDPR, each EU member state can decide on their own particular set of rules for processing the criminal data of candidates and employees. Employers must navigate these regulations, balancing their operational needs with the fundamental rights of individuals.
This article explores the regulatory frameworks in Estonia, Latvia and Lithuania, providing insights into the permissible circumstances for criminal background checks under the GDPR, the legal bases available for such processing, and the steps employers must take to ensure compliance. From legal obligations to legitimate interests, Sorainen experts explain the nuances of these rules, guiding employers on how to manage criminal record data responsibly.
Estonia
In Estonia, any one of the GDPR’s valid legal bases may, in principle, enable the employer to access the criminal record of a candidate or employee. However, in practice, such requests to the Criminal Records Database can usually only be lawfully made if the employer has either a legal obligation to obtain a candidate’s or an employee’s criminal record or a legitimate interest to do so. Other legal bases in Article 6(1) of the GDPR, including the consent of the candidate or employee, are unlikely to apply to criminal background checks.
A legal obligation for the employer to access a candidate’s or employee’s criminal record exists in a very limited number of situations. One such case arises if the candidate or employee would be working with children. Thus, when the employer is fulfilling a position that requires working with minors, the employer is obliged to make a query about the applicant to the Criminal Records Database.
If there is no legal obligation for the employer to carry out a criminal background check, the employer may nevertheless be able to rely on its legitimate interest to obtain the criminal record of a candidate or employee. Carrying out criminal background checks for all and any positions is usually not justifiable, but a valid legitimate interest may exist, particularly when filling fulfilling some specific positions that involve a heightened risk for the employer. For example, an employer may have a legitimate interest in verifying that a candidate who would be responsible for conducting or overseeing financial transactions has not been convicted of any offences against property. However, it is important to note that claiming legitimate interest requires certain steps to be taken by the employer:
- Firstly, the employer must conduct and document a legitimate interest assessment so as to be able to demonstrate that its legitimate interests outweigh the interests or fundamental rights and freedoms of the candidates and employees. For example, the legitimate interest assessment should justify the objective necessity of the criminal background information, the specific risks that the employer may be exposed to if the criminal background check is not conducted, and the particular roles and duties that require a criminal background check to be carried out. The legitimate interest assessment should also describe the protective measures (such as access restrictions) applied to the processing of such personal data, and the duration of the period that the data will be stored for.
- Secondly, the employer may not demand a candidate or employee to present their criminal record themselves. The employer must itself make a query to the Criminal Records Database. When making a query to the Criminal Records Database, the legal basis and objective for such a request must be described in the query. Making queries to the database about another person is currently subject to a fee of EUR 4 per query. On the grounds of legitimate interest, the employer can only request valid outstanding criminal records of a candidate or employee – archived data about criminal convictions cannot be accessed based on legitimate interest. More information about queries to the national Criminal Records Database is available here.
- Thirdly, all data processing about criminal convictions and offences must comply with the general requirements of the GDPR. This means, for instance, that the employer must follow the general principles of personal data protection (such as principles of data minimisation, storage limitation and purpose limitation), must inform the candidates and data subjects of any criminal background checks (for example, in a privacy notice), must document the criminal background checks in its record of processing activities, and must enable the data subjects to exercise their rights under the GDPR.
Latvia
In Latvia, the processing of personal data relating to criminal convictions and offences from Criminal Records Database must be carried out on an appropriate legal basis, set out in Article 6(1) of the GDPR. Typically, such requests and processing of data from the Criminal Records Database can be lawfully made only if the employer has a legal obligation to obtain records of this kind.
There are number of positions in Latvia that are prohibited by the law from being filled by persons who have been convicted of criminal offences, so the processing of such information can be carried out by the employer on the basis of a legal obligation. For example, if the person’s job requires a permit to acquire, possess or carry weapons or access to state secrets; or if a person applies for a certain position which is incompatible with a previous criminal record, e.g. chairman of the board of a credit institution, member of a board of directors, head of the internal audit service etc. In such cases, the employer can receive directly from the Criminal Records Database the information necessary to verify if the natural person complies with the restrictions set out in regulatory enactments when recruiting them for employment. Upon request, the employer must indicate the regulatory enactment providing for the relevant restrictions.
However, if there is no legal obligation for the employer to carry out a criminal background check, the employer may nevertheless be able to rely on its legitimate interest to obtain the criminal record of a candidate or employee. In this case the employer must find out if there are objective grounds to receive information regarding criminal offences, i.e. if the person with a criminal record would not be suitable because of the nature of the job. For example, if a position requires direct handling of money or drugs (medicines), or is related to provision of security services (such as ensuring physical security in malls, institutions, etc.). In these situations:
- Firstly, a legitimate interest assessment must be prepared in order to demonstrate that the legitimate interests outweigh the interests or fundamental rights and freedoms of the candidates and employees. For example, the legitimate interest assessment should justify the objective necessity of the information regarding the existence of a criminal background, the specific risks that the employer may be exposed to if a criminal background check is not conducted, and the particular roles and duties that require a criminal background check to be carried out. The legitimate interest assessment should also describe the protective measures (such as access restrictions) applied to the processing of such personal data, and the duration of the period that the data will be stored for.
- Secondly, the right to request and receive information from the Criminal Records Register is possible for the state or governmental authorities according to the applicable law, for the natural person themselves, or for the employer. If carrying out background checks for certain positions is required by the law, the employer can request information from the Criminal Records Database itself. Information about the applicable requirement for making a background check must be included in the request. When making a query to the Criminal Records Database, the legal basis and objective for such a request must be described in the query. If the data processing is based on legitimate interest, the employer may request a candidate or employee to present an extract from the Criminal Records Database to confirm that they have not previously committed a criminal offence.
- Thirdly, all data processing about criminal convictions and offences must comply with the general requirements of the GDPR. This means, for instance, that the employer must follow the general principles of personal data protection (such as principles of data minimisation, storage limitation and purpose limitation), must inform the candidates and data subjects of any criminal background checks (for example, in a privacy notice), must document the criminal background checks in its record of processing activities, and must enable the data subjects to exercise their rights under the GDPR.
Lithuania
Until 1 July 2024, the law in force provided that the processing of personal data relating to candidates or employees with a criminal record was only possible if the employer had a legal obligation under the law to check the existence of a criminal record. This could, for example, be the case for employees in certain positions in the financial, education or aviation sectors. This regulation limited the ability of employers to ask candidates or employees to provide criminal record certificates if the legislation did not require a criminal record check for that position, although employers often had a legitimate interest in obtaining such data.
On 1 July 2024, amendments to the law entered into force, allowing the processing of candidates’ or employees’ personal data relating to criminal convictions also in cases where such data is necessary for the employer’s legitimate interests. This means that the requirement that the employer may only obtain the criminal record data of a candidate or employee in cases provided for in law no longer applies. The employer will now have the right to request such data from the candidate or employee on the grounds of legitimate interest.
What are the steps to be taken?
The law provides that to process data on convictions and criminal offences as part of the employment relationship based on legitimate interest, the employer will have to do the following:
- prepare and carry out an assessment of the legitimate interest in processing such personal data and prepare a written report on this assessment. Although such assessment reports are nothing new for employers – they are also provided for in the General Data Protection Regulation (EU) 2016/679 (GDPR), in Article 6(1)(f) – the law specifies what exactly should be assessed when processing criminal record data. For example, the specificities of particular duties or job functions and the risks that the employer may be exposed to if the functions in question are performed by a person who has been convicted of certain criminal offences, etc., must be taken into account
- adopt and publish on its website a list of the positions (if any) for which a person is required to have no criminal record. This list shall include the offences of which the person must be free of convictions. That is, the employer must draw up: (1) a list of the positions for which it is a requirement that the employee has no criminal record; and (2) a list of the offences for which the employee must not have been convicted.
The employer will only be entitled to process the criminal record data of a candidate or employee whose intended position or job function is included in the abovementioned list.
Where such a right or obligation is provided for in the law, it does not mean that all employers acquire such a right in all cases. It is therefore necessary to take into account the important aspects listed below:
Firstly, the employer must be able to justify the objective necessity of processing such data and carrying out the abovementioned actions.
Secondly, the amendment to the law provides that data on convictions and criminal offences may only be processed if the requirements of the GDPR are met. This means that all the rules and principles set out in the GDPR must be complied with, including the obligation to properly inform data subjects about the processing of their data, to ensure the exercise of their rights, etc.
Thirdly, it will be up to the candidate or employee to provide the employer with information on criminal records. That is, the Law does not give employers the right to themselves contact the authorised authorities and request the provision of data on the existence of a person’s criminal record.
Fourthly, the State Data Protection Inspectorate has published the document “Recommendation on employer processing of criminal record data”. Employers are therefore advised to carefully read the information provided by the inspectorate, which should help them both in deciding on the positions to be subject to the non-conviction requirement and in drafting the abovementioned documents.
Our international Competition & Regulatory team is at your disposal, should you need advice on any legal issues you are facing.
Subscribe here if you would like to receive newsletters and invitations to webinars and offline events.
Contact our experts:
Senior associate with Sorainen Estonia
Associate with Sorainen Lithuania
Associate with Sorainen Latvia