The classic trap
Article 10 is wrongly treated as a variant of Article 9, but its regime is stricter: criminal offence data are NOT in the special category list of Article 9, so none of the Article 9(2) exceptions (explicit consent, vital interest...) apply. Such processing is lawful ONLY under the control of official authority OR when a specific national legal basis authorises it with appropriate safeguards. The CNPD and the CNIL regularly sanction employers who collect criminal record extracts without legal authorisation, as well as platforms that build antecedent or fraud files with no explicit legal basis.
Where organisations cross into unlawful territory
- Criminal records at hiring: requesting a record extract without a sector specific law authorising it (security, finance, childcare) is unlawful Article 10 processing, even with the candidate's consent.
- Internal anti-fraud files: listing clients or partners suspected of offences without a specific legal basis falls under Article 10, not under mere legitimate interest in Article 6(1)(f).
- Due diligence and KYC processes: cross-checking criminal antecedent databases (PEP, sanctions, convictions) without precise legal framing.
- Excessive retention: keeping an offence record beyond its purpose (closed litigation, limitation period) without purge.
- Comprehensive registers: de facto recreating a private criminal record is forbidden and reserved to official authority.
- HR processors: passing this data to a vendor without verifying its own legal authorisation.
The test to pass: official authority or national legal basis
For each offence data processing, the question is binary. Are you an official authority acting within its missions? If not, is there an Union or national law that expressly authorises you and provides appropriate safeguards? If the answer is no to both, the processing is unlawful, period. Legitimate interest alone never suffices to ground Article 10 processing.
How Luxgap automates this risk
Our Luxgap Criminal Data Gatekeeper makes wild collection of offence data impossible by intercepting it BEFORE it enters your systems. A specialised AI agent continuously scans your HR fields (Workday LU, Sopra Steria HR Suite, Sage BOB 50), your M365 attachments and your Odoo forms to detect any record extract, conviction mention or antecedent file, then blocks or flags the data until a legal basis is documented.
- Automatically detects criminal record extracts, penal mentions and antecedent files across your M365, Odoo and HR systems through semantic recognition, with no form to fill.
- Checks for each processing the existence of a valid Article 10 legal basis (sector law, authorisation, official authority control) and blocks otherwise.
- Classifies each field using the EDPB grid and separates Article 9 from Article 10 data, too often confused.
- Alerts in real time on Teams the moment a new document containing offence data lands in an HR folder or a CRM.
- Applies automatic purge rules at the end of the purpose (closed litigation, limitation period) to avoid excessive retention.
- Produces a time stamped PDF report, enforceable before the CNPD during an audit, proving that each offence processing rests on a documented legal basis.
Available alongside a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real data, with a free scan within 48h to measure your exposure before any commitment.