The classic trap
Article 10 is one of the most underestimated GDPR provisions: it outright forbids processing of criminal convictions or offences data without an explicit legal basis in Member State or Union law. The CNPD and CNIL regularly sanction employers, recruiters and platforms that request a criminal record extract by default, without specific legal authorisation. In Luxembourg, only sector-specific labour law (private security, CSSF-regulated finance, education, healthcare) authorises such collection, and only within a strictly defined scope. Any collection outside this framework is treated as unlawful processing under Article 6 and Article 10 read together.
Concrete pitfalls the CNPD sanctions
- Requesting a B3 criminal record at hiring without legal authorisation: forbidden except for regulated jobs (CSSF finance, security, education, healthcare, transport).
- Candidate screening via Google or social media that surfaces press articles about a conviction: Article 10 processing without legal basis, even if the source is public.
- KYC/AML databases (World-Check, Dow Jones, LexisNexis) that aggregate convictions: usable only by entities subject to AML law, and only for that purpose.
- Internal investigations conducted by law firms or auditors documenting alleged offences: require a strict contractual framework and a purpose limited to the proceedings.
- Internal fraud registers kept by insurers or banks: authorised only under official authority control or via specific legal authorisation.
- Integrity questionnaires for company directors: simply asking 'have you ever been convicted?' constitutes Article 10 processing and requires a legal basis.
The 'official authority' test the CNPD applies
To escape sanction, the organisation must demonstrate three elements: an explicit legal provision (not just a collective agreement), documented appropriate safeguards (limited retention, restricted access, strict purpose), and effective control (DPO, dedicated register, logging). If any of the three is missing, the processing becomes unlawful and exposes the organisation to the Article 83(5) fine, up to 20 million euros or 4% of global turnover.
How Luxgap automates control of this risk
Our Luxgap Criminal Data Gatekeeper makes it technically impossible to collect or store Article 10 data without a pre-validated legal authorisation. The tool sits as an intelligent filter between your forms (Workday, SAP SuccessFactors, Talentsoft, Odoo HR, Sage BOB 50 Payroll) and your database: a specialised LLM agent reads every free-text field, every uploaded PDF, every recruiter comment, and detects in real time any mention of convictions, offences, security measures or criminal proceedings before they are persisted.
- Continuously scans HR, CRM and ticketing fields to detect explicit mentions ('convicted', 'criminal record', 'B3', 'custody', 'indicted') and implicit ones (hints, pasted press articles).
- Blocks persistence of any document or field qualified as Article 10 until a legal authorisation is selected from a dropdown linked to applicable Luxembourg and European law.
- Automatically verifies that the declared purpose is indeed authorised by the invoked legal basis (e.g. CSSF circular 22/811 for financial agents, law of 12 November 2002 for private security).
- Generates a dedicated time-stamped Article 10 register, separate from the main Article 30 register, with cryptographic logging of every access and auto-purged retention.
- Alerts the DPO on Teams or Slack the moment a recruiter pastes a Google excerpt containing a conviction, with screenshot and identified author.
- Produces a sealed PDF report that can be relied on before the CNPD, demonstrating that your organisation has never collected Article 10 data outside the legal framework, over a rolling 24-month window.
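The gatekeeper pattern described above, reduced to its core policy decision, as an added illustration that is not Luxgap's own code: plain keyword matching stands in for the LLM agent, the legal-basis/purpose allow-list is an assumed placeholder mapping, and the register is hash-chained so that later alteration of an entry is detectable.

```python
import hashlib, json, re
from datetime import datetime, timezone

# Constructed trigger terms (the page's explicit markers); a real deployment needs richer detection.
TRIGGER_TERMS = ("convicted", "conviction", "criminal record", "b3", "custody", "indicted")
# Assumed allow-list of legal basis -> authorised purposes (placeholder mapping, not legal advice).
LEGAL_BASES = {
    "CSSF circular 22/811": {"fit-and-proper assessment of financial agents"},
    "law of 12 November 2002": {"private security staff vetting"},
}
REGISTER = []  # append-only, hash-chained Article 10 register (in memory for the example)

def detect_article10(text):
    """Trigger terms present in a free-text field (case-insensitive, whole words only)."""
    return [t for t in TRIGGER_TERMS
            if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", text, re.IGNORECASE)]

def gatekeep(record, legal_basis=None, purpose=None):
    """Return (decision, reason) for a form submission and log it to the register.
    Article 10 content is blocked unless a recognised basis authorises the declared purpose."""
    hits = [(f, t) for f, v in record.items() if isinstance(v, str) for t in detect_article10(v)]
    if not hits:
        decision, reason = "persist", "no Article 10 content detected"
    elif legal_basis not in LEGAL_BASES:
        decision, reason = "block", "Article 10 content without recognised legal basis"
    elif purpose not in LEGAL_BASES[legal_basis]:
        decision, reason = "block", f"purpose not authorised by {legal_basis}"
    else:
        decision, reason = "persist", f"authorised under {legal_basis}"
    _log(decision, reason, hits, legal_basis, purpose)
    return decision, reason

def _log(decision, reason, hits, legal_basis, purpose):
    """Append an entry chained to the previous hash; field names and terms only, never the text."""
    prev = REGISTER[-1]["hash"] if REGISTER else "0" * 64
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "decision": decision, "reason": reason,
             "fields": sorted({f for f, _ in hits}), "terms": sorted({t for _, t in hits}),
             "legal_basis": legal_basis, "purpose": purpose, "prev": prev}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    REGISTER.append(entry)

def verify_register():
    """Recompute the chain; False if any entry was altered, reordered or removed."""
    prev = "0" * 64
    for e in REGISTER:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest():
            return False
        prev = e["hash"]
    return True
```

Note that blocked submissions are logged as well as allowed ones: the register has to show both that nothing was stored without a basis and what was refused.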
Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real HR forms, with a free 48-hour white audit to identify currently non-compliant Article 10 collections in your systems.