Article 10

Processing of personal data relating to criminal convictions and offences

General Data Protection Regulation · UE 2016/679

Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Luxembourg specificity
loi luxembourgeoise du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees

In Luxembourg, the law of 1 August 2018 organising the CNPD and the Criminal Code strictly frame access to criminal record extracts. An employer may require an N3 bulletin only for roles where the law expressly provides for it (financial sector under CSSF supervision, security, regulated professions), and the CNPD (never the APDL) checks this basis during HR audits. Systematic collection of extracts at hiring, outside legally provided cases, breaches Article 10.

Luxgap practice: we map your recruitment and KYC processes to isolate each extract request, verify the Luxembourg law authorising it, and purge bulletins kept beyond the hiring decision.