When Can Information On Criminal Records Be Requested By Employers


A recent Opinion of the Bulgarian data protection authority and certain legislative changes lead to the conclusion that in Bulgaria information on criminal convictions and offences of present or future employees can be requested by employers in very limited number of cases.

All around Europe backgrounds checks on job applicants and employees and even of vendors’ employees is widely performed. This is especially frequent practice of international groups of companies. Employers tend to seek information on aspects of the life of job candidates such as past employment, online presence and quite frequently, on criminal records. In Bulgaria it was a common practice of employers to require a so-called “conviction clearance certificate” which is issued by the competent authorities and provides information on past criminal convictions.

After the General Data Protection Regulation (GDPR) became applicable, processing of personal data relating to criminal convictions and offences carried out by entities that are not official authorities was greatly restricted to cases where this is “authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects” (GDPR, Art. 10). Bulgarian legislation states that a conviction clearance certificate could be requested by the employer from a future employee only where a law or a regulation requires the verification of the clean criminal record of the candidate. This means that a legal provision shall explicitly state that for a particular job position (for example, teacher in a school) the employee shall have clean criminal record. In all other cases, requiring a conviction clearance certificate before hiring the employee is an infringement of GDPR.

This is also confirmed by a recent Opinion  of the Bulgarian data protection authority – the Commission for Personal Data Protection (CPDP). The CPDP states that for the purposes of concluding an employment contract, an employer may process personal data contained in a conviction status certificate only on the grounds of Art. 6, Para 1, letter “c” of GDPR - for compliance with a legal obligation to which the controller is subject. This means that the legal obligations of a mother company under a third-country legislation cannot be used as a legal basis for the processing of data on criminal convictions and offences by an employer established in Bulgaria and such processing could be considered unlawful.   

It is note mentioning that until July 2020 a Decree for restricting convicted persons from taking up positions related to financial accountability and responsibility was in force. According to the Decree, persons who collect, retain, spend, manage, dispose of, account for, or carry out financial control of public monetary or material values shall have clean criminal record. The provisions of the Decree were widely used by employers as grounds to require a conviction clearance certificate for almost every job position, since most jobs comprise some sort of management of and accountability for financial resources. However, this practice was debatable even before the Decree was repealed since its provisions refer to “public monetary or material values”. If interpreted verbatim, the text does not refer to monetary or material values of private entities and therefore excludes the application of the Decree to job positions requiring management of or accountability for monetary or material values of an employer - private company.  

In addition, it should be mentioned that a number of companies offer the performance of backgrounds checks on behalf of employers. Such companies cannot legally access and process information on criminal convictions and offences where they fall within Bulgaria’s jurisdiction since such processing is not authorised by any provision of Bulgarian law and therefore they would infringe Art. 10 of GDPR. If an employer company receives information on criminal convictions and offences without the job position requiring the person to have clear criminal record, by retaining it and/or processing it in any other way, the employer company would also infringe data protection legislation.  

It is a common practice for some companies to require their vendors and partners to perform backgrounds checks regarding criminal records of their employees or contractors. For the reasons explained above, in most cases such requirements cannot be legally fulfilled by Bulgarian companies as well. Since Bulgarian vendors in most cases cannot lawfully access, request or process such type of data regarding their employer, it is arguable whether contractual provisions which require a vendor (service provider) to perform criminal background checks of its employees could be valid if it establish unlawful obligation to the vendor.

It is possible in the future new legislation to introduce requirements for clean criminal record (or lack of convictions for certain types of crimes) for more job positions, but currently there are quite few such statutory provisions.


Article provided by: George Dimitrov and Desislava Krusteva (Dimitrov, Petrov & Co., Bulgaria)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.