On 11 February 2022, the Spanish Data Protection Authority (Agencia Española de Protección de Datos) fined Amazon Road Transport Spain, S.L. (“Amazon RT“) EUR 2,000,000, for including criminal record certificates within the documentation that it requests during the hiring process of freelance truck drivers.
The following are the aspects of the decision which we have considered the most interesting:
- Certificates showing “clean” criminal records (i.e. that no crimes have been committed) do amount to personal data relating to criminal convictions and offences, regulated by Art. 10 of the General Data Protection Regulation (EU) 2016/679 (“GDPR“). The contrary would be problematic because it would make possible for entities to, for example, create registers of persons with clean criminal records without having to observe any special safeguards.
Private entities may process this type of data when Union or Member State law authorizes the processing and provides for appropriate safeguards for the rights and freedoms of data subjects (art. 10 of GDPR).
- In Spain there is no applicable law which would allow for a company like Amazon RT to process criminal-related data in the procedure of contracting freelance drivers. When it comes to transportation of persons and goods, there are certain authorizations that the drivers might need to have. For example, for vehicles with maximum authorized mass higher than 3.5 tons the applicable law requires that the driver meets a threshold of trustworthiness, for which it is necessary that the individual has not committed some specific types of infringement or crime. The public authorities make the assessment of this threshold within the procedure of granting the relevant authorization. However, not even those public authorities are entitled to request from the individual his or her criminal records, for that purpose. The authorities can only rely on the information available in certain registers: the Register of Transport Undertakings and Activities and the European Register of Road Transport Undertakings.
- Without a law authorizing the processing at issue, there is no legal basis which Amazon RT can use to legalize the intended use of the personal data on criminal convictions and offences. Nevertheless, the Spanish DPA used some paragraphs of its decision to explain why execution of a contract, legitimate interest, and consent – the legal basis claimed by Amazon RT – would not be applicable in this case:
- Criminal records are not necessary for the execution of the contract with the freelance drivers, where such contract would guarantee the security and trust of the clients, apply a minimum standard of diligence and prevent that Amazon DT’s position as a transport operator is compromised. The public authorities are the ones who assess, in the context of the authorization procedures, whether drivers fulfill the necessary requirements to perform their activity. Amazon DT’s role should be limited to checking whether the relevant driver has the appropriate authorization.
- Basing the processing on a legitimate interest requires a careful assessment (see Recital 47 of GDPR) and a notification of the legitimate interest to the data subject (art. 13.1(d) of GDPR), none of which has been done by Amazon DT. The failure to notify data subjects of the legitimate interest deprives data subjects of their right to be informed as well as of their right to object to the processing of their data which is based on a legitimate interest of the controller (art. 21.1 of GDPR).
Moreover, the involved processing of personal data should be necessary for the fulfilment of the relevant legitimate interest. Necessity is a less flexible term than words like “useful”, “advisable” or “reasonable”. In the present case, the Spanish Data Protection Authority considered the use of criminal records not necessary because there are less intrusive means to protect the trust of the clients in Amazon RT and to guarantee that its position as transportation operator is not compromised. Less intrusive means would, for example, be the verification by Amazon RT that the driver has the required authorization.
- Acceptance by the candidates of the procedure to verify their criminal records does not amount to valid consent (as defined in Art. 11 of the GDPR). The given consent is not informed, because the candidates received no detailed information about the processing, its purpose, its legal basis, or the right to withdraw consent. Moreover, consent is not specific, because it is not requested separately for each particular purpose and the related data processing activities carried out by Amazon RT. Lastly, the granted consent is not free, because Amazon RT conditioned the hiring process on the driver’s provision of consent.
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU and EFTA member states may therefore serve as an instructive guidance for compliance with local regulations.]