Ch 7.4–7.5 - Articles 10 & 11

Criminal convictions data (Article 10) & processing without identification (Article 11)

Article 10 data - criminal convictions, offences and related security measures - needs greater protection but is NOT a special category under Article 9. It may be processed only under the control of official authority or where authorised by EU/member-state law with appropriate safeguards; a comprehensive register can only be kept under official authority. All other GDPR rules (including Article 6) still apply. Article 11 says if a controller does not require identification of a subject, it need not acquire extra data just to comply - and certain data-subject-rights obligations fall away unless the subject supplies identifying information.

Article 10 vs Article 9 data
Point	Criminal convictions (Art 10)	Special-category data (Art 9)
Is it 'sensitive' under Art 9?	No - separate regime	Yes
Permitted route	Official authority control OR authorised by EU/member-state law with safeguards	One of the ten Article 9 conditions
Comprehensive register	Only under official authority	n/a
Article 6 basis still needed?	Yes	Yes

Article 11 - identification not required

If purposes do not (or no longer) require identifying the subject, the controller need not acquire or keep extra data just to comply, and certain data-subject-rights obligations don't apply - unless the subject provides additional information enabling identification, which reverses the assumption.

Key terms - quick answers

What is “Article 10”?

Governs criminal convictions/offences data - processed only under official authority control or as authorised by law; not an Article 9 special category.

What is “Article 11”?

Where identification is not required, the controller need not maintain extra data solely to comply with the GDPR.

← Article 9 exceptions - the ten conditions Transparency principle →