Sites that repoupose criminal conviction information and GDPR

By Zack - 21 Mar 20 9:36 AM

I’m wondering if sites like the UK database one (I won’t put the actual url, as linking out gives sites more publicity and more power), could actually be stopped with GDPR. Where it may violate GDPR, is the fact that it calls itself a database of criminal reports for a particular subset of crimes. It also encourages people to browse and search by area, and lists results by the name of the offender. It is one thing for a newspaper to have archived articles online generally, but when someone repurposes (most likely plagiarises) the content to make a “database” of a type of criminal convictions, prioritising listing names and locations that is another matter.
GDPR states:
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”

They are quite clearly not working under an official capacity, and although much of the content is or at least was in the public domain, as they just repurpose content. I’m not sure that is a defence. They are certainly trying to put together a comprehensive register, and even encourage people to report cases.
I think there could be scope under GDPR to challenge this, but it takes time and money, and most likely will just give them more publicity. So I’d query if it is worth pursuing? Another angle could be copyright infringement. They seem to just copy word for word newspaper articles. But it would have to be the copyright owner that requested action, and I’m not sure newspapers really care. So many people are negatively affected by these sites, not only ex-offenders but their families including children. I do wonder if some coordinated action could take place. Interested in thoughts about this.
By khafka - 10 Jul 20 4:18 PM

jcdmcr - 10 Jul 20 4:10 PM
khafka - 21 Mar 20 10:26 AM
I was actually thinking about this the other day.

In my last job I had to do quite a bit of GDPR stuff as we held databases of customer's information etc.

The angle I was thinking about was when your order comes to an end. I will be off the register in 3 years (my PPU said if all goes well and given how low level risk I am it could be next year but I'm not holding my breath on that). You'd have to manually get in touch with them to get them to remove your details as it is not longer pertinent.

The problem that lies here is there is no way for them to fact-check this unless the person(s) that run it are privy to police documents in which case they could look it up however that'd be a huge breach of data protection and open them up to a whole world of issues.

So, my point being - If you get in touch and say "hey, I'm off the register. Remove me from your site within xx days" they'd have to abide by that under the "Right to Erasure". They have no way to fact-check it so I'm tempted to just email them and ask them to remove me now saying I'm no longer subject to the notification requirements.

The parts of the GDPR that are relevant:

Individuals have the right to have their personal data erased if:

  • the personal data is no longer necessary for the purpose which you originally collected or processed it for;
  • you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  • you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • you are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
  • you have to do it to comply with a legal obligation; or
  • you have processed the personal data to offer information society services to a child.
The two I've highlighted are the main ones, although the 3rd one could be used to make sure it stays up.

It is an interesting one and given they're essentially a link aggregate site I'm not sure where they'd fall in the GDPR ruling for the requirements of needing a GDPR officer within their "organisation" who deals with these requests.

One of the issues of asking them to be removed though, given the general nature of the "clientele" that frequent these sort of sites is I can't help but feel they'd end up badmouthing you publicly for daring to ask to be removed; posting on Facebook and/or their website/social media etc.


I have zero doubt in my mind the UK Database and their affiliates would be all over it like that.

Then all the dust that may have settled gets swirled up again and you're back to where you started.

What about feeding them false reports etc? Use false names, false sightings, false images. This might reduce the quality / reliability of the information...

Sorry, I don't quite follow.

Can you give me an example? I'd be adverse to using a random image off the internet though as that would then essentially label that person as an offender in their eyes.