Article | 22 June 2026
AD 2026 No. 27 – Simply receiving and reading a criminal record extract does not fall within the scope of the General Data Protection Regulation
In this case, the Labour Court considered whether an employer’s receipt and reading of a criminal record extract constituted processing of personal data under the General Data Protection Regulation (GDPR). At the employer’s request, an employee submitted an extract from the criminal records register, which the employer subsequently reviewed. The Labour Court ruled that the mere act of receiving and reading the extract did not constitute processing of personal data as covered by GDPR; consequently, the employer could not be regarded as having processed personal data in breach of GDPR.
Background
During the course of an employment, an employer requested that an employee obtain and produce an extract from the criminal records register.
The employee handed the extract in a sealed envelope to their manager, who opened the envelope and read through the contents. The extract showed that the employee had been convicted of a criminal offence. The employer made no note of the extract’s contents, did not copy or scan it, did not record it in any system and did not store the data in any other way. The document was subsequently destroyed.
The dispute centred on whether the employer, by receiving and reading the extract from the criminal record, had processed the employee’s personal data in breach of Article 10 of GDPR and was therefore liable to pay compensation for non-pecuniary damage to the employee under Article 82 of GDPR.
The Labour Court’s assessment
Legal basis
Under Article 2(1) of GDPR, the Regulation applies to the processing of personal data carried out wholly or partly by automated means, as well as to any other processing of personal data which forms part of, or is intended to form part of, a filing system. It follows from Article 10 of the same Regulation that the processing of personal data relating to criminal convictions and offences involving criminal acts may only be carried out under the control of a public authority or where the processing is authorised by Union or national law.
It follows from the judgment of the Court of Justice of the European Union in the case of Endemol Shine Finland Oy (C-740/22) that the oral disclosure of information concerning any convictions in ongoing or concluded criminal proceedings against a natural person falls within the material scope of the General Data Protection Regulation only if the information is included in, or is intended to be included in, a register.
Assessment
The Labour Court noted at the outset that the processing that had taken place consisted of the employee’s manager receiving and reading a criminal record extract from a sealed envelope. This therefore constituted manual, non-automated processing of personal data which, under Article 2(1) of GDPR, falls within the scope of the Regulation only if the data is contained in or intended to be contained in a filing system. The court further noted that the employee’s representatives had not argued that the employer had intended to include the personal data in the extract from the criminal record in any register.
In the Court’s view, the employer’s handling of the extract did not constitute the kind of non-automated processing of a register referred to in Article 2(1) of GDPR, even though the data originally derived from a register for which the Police Authority was the data controller. The court also held that this was not a case of partially automated processing, as the purposes and means of processing in the criminal records register had been laid down in legislation and not determined by the employer. The fact that the data originated from the criminal records register was therefore irrelevant to the assessment of the employer’s own handling of the data.
Finally, the Labour Court emphasised that, whilst reading the data in itself certainly constitutes processing of personal data according to the Regulation’s definition, the decisive question was whether the processing fell within the substantive scope of the Regulation. As the employer’s handling of the data did not fall within that scope, the employee’s claim was dismissed.
Setterwalls’ comment
Setterwalls welcomes the ruling. Employers often have a legitimate interest in accessing extracts from criminal records and need guidance on how this can be done without contravening the applicable regulations. The court case clarifies that an employer who merely receives, reads and then destroys a physical extract from a criminal records register – without entering the data into any register – is not processing personal data in a manner that falls within the scope of GDPR. This is a procedure that is common in practice.
However, it must be emphasised that the ruling relates specifically to this particular situation: an employer manually reviews a physical document without the data being stored, recorded or processed digitally. If the data had instead been entered into, for example, a staff register or a digital system, the assessment would likely have been different.
Overall, the ruling highlights that the distinction between, on the one hand, reading and destroying a physical document, and, on the other hand, recording or saving the data, is crucial to the question of the applicability of GDPR. Employers wishing to access extracts from criminal records must therefore carefully consider how the data will be handled after receipt.