Three months into GDPR enforcement, Illya Antonenko revisits the earlier prediction of a “collision of galactic proportions” between the GDPR and the FCPA. He focuses first on the apparent conflict between conducting robust anti-bribery due diligence and the authorizations needed to handle personal criminal background information.
Article 10 of the GDPR allows access to such information only if such processing is either: (1) carried out under the control of a European official authority or (2) specifically authorized by EU or EU member state law.
Some EU states have addressed this, but Antonenko warns that “inquiring into a history of criminal convictions or offenses for individuals associated with a third-party entity as part of anti-bribery due diligence may run afoul of the GDPR and may lead to significant fines and in some EU countries even to prison sentences.”
