Criminal-offence data under GDPR Article 10

Criminal-offence data under GDPR Article 10

GDPR Article 10 creates a distinct rule for personal data relating to criminal convictions and offences. It is separate from the special-category regime in Article 9. Swedish private actors need specific legal support for processing covered data; an ordinary legitimate-interest analysis is not the whole test.1

The category can reach beyond a final conviction. Depending on the record and context, allegations, suspected offences, criminal proceedings, coercive measures, acquittals, and related case material can engage the rule. The practical question is what the data says about an identifiable person, not whether a document is formally titled criminal record.

Why it recurs in this venture

Several proposed services can encounter the category incidentally:

  • exposure and data-removal work involving published allegations
  • account or device recovery after a seizure
  • support for lawyers, reintegration organizations, or people navigating institutional processes
  • AI document workflows over police, court, detention, or case-management material

This does not make those markets categorically unavailable. It changes the operating model: purpose, legal support, controller and processor roles, access, retention, security, and customer expectations need to be designed for the exact activity.

Operating choices

Activity Main exposure Lower-data starting point
General coaching or recovery Sensitive narrative enters support records Record the action plan rather than the case history
Document review The venture receives police or court material Keep documents customer-controlled and use scoped access
Rights or removal requests Identity evidence is joined to allegations Separate verification from the case record and set short retention
Managed AI workflow Prompts, logs, and connectors multiply copies Map each processing operation before enabling cloud features
Scoring or decisions about people Article 10 and AI Act roles may combine Treat as a separately governed product, not a feature toggle

The first low-data service can avoid holding a reusable case archive without pretending that every mention must be refused. A later product can accept a larger role when a documented legal basis, specialist counsel, security controls, insurance, and viable economics justify it.

Privacy legal and regulatory posture owns the venture-wide counsel gates. Post-seizure digital recovery applies the boundary to recovery work, and Private AI legal roles applies it to AI products and deployments.

Sources

  1. eur-lex.europa.eu
  2. imy.se
  3. imy.se