In a commentary for FCPA Blog, Illya Antonenko, Privacy Counsel and Legal Research for TRACE International, provides good news for companies that must meet their anti-bribery due diligence obligations without violating the GDPR.

Article 10 of the GDPR prohibits the processing of personal criminal background information, among other things, unless such processing is carried out under the control of a European official authority, or specifically authorized by law at the EU level or at the EU member state level. “In other words, unless one of the two conditions listed above is met, running criminal background checks, asking questions, or even researching publicly available information about a history of criminal convictions or offenses for individuals associated with a third-party entity (such as owners, officers or key employees) as part of anti-bribery due diligence or similar vetting efforts could be a violation of the GDPR punishable by a fine of up to €20 million or 4 percent of the total worldwide turnover, whichever is higher,” Antonenko explains.

While an EU-wide solution remains elusive, the newly adopted Irish Data Protection Bill specifically authorizes the “necessary and proportionate” processing of Article 10 data to assess the risk of bribery or corruption, or to prevent it. Antonenko calls on the Irish Minister for Justice and Equality to issue implementing regulations at the earliest opportunity.

“This would not only allow the processing of criminal background information of Irish data subjects as part of anti-bribery due diligence, but would also arguably permit the processing of such information for individuals residing in other EU member states by controllers whose ‘main establishments’ are located in Ireland,” he says.
