A transport affiliate of online retail giant Amazon was fined 2 million euros (U.S. $2.2 million) by the Spanish Data Protection Agency (AEPD) for trying to carry out criminal record checks on freelance truck drivers it wanted to hire.

The regulator, in a decision published last month, also ordered the company to cease demanding prospective drivers provide certificates proving clean criminal records, delete the information it already had, and adapt its processing in accordance with the General Data Protection Regulation (GDPR).

Amazon Road Transport thought it could legitimately make such requests of drivers without them being subject to the GDPR as criminal records checks are permissible under national law in other European countries, including the United Kingdom.

However, in Spain there is no applicable law.

Amazon’s procedures prompted a Spanish trade union to raise a complaint on behalf of its members over fears the data could be transferred to Amazon group companies and suppliers located outside the European Economic Area and create registers of workers with “clean” records.

In its decision, the AEPD said Amazon had no legal basis for the data under Spanish law and that the checks breached Article 10 of the GDPR, which says personal data relating to criminal convictions and offenses can only be carried out if EU or national law permits it.

The AEPD also explained why execution of a contract, legitimate interest, and even consent would not be applicable in this case.

  • First, it said, criminal records were not necessary for the execution of the drivers’ work.
  • Second, there was no legitimate reason or necessary purpose to process the data as there are less intrusive means to protect clients’ trust (such as checking official national and EU-wide registers that list whether drivers have the relevant authorization).
  • Third, even if candidates did grant their consent for the checks, their acceptance did not count as “valid, informed consent” because the individuals did not receive detailed information about processing, purpose, and legal basis and were not given the right to withdraw consent. Nor did granting consent guarantee them a job—it was merely a prerequisite for the hiring process.

In a statement, Amazon said it disagrees with the decision and is “studying the resolution.”

Legal experts said the size of the fine reflects the sensitivity of the type of personal data being illegally requested.

Emily Carter, a partner at law firm Kingsley Napley, said the case “clarifies several important elements of the GDPR for employers requiring any form of criminal record checks for their staff.”

She advised companies to first check whether domestic legislation authorizes the proposed processing. They should then identify the appropriate lawful basis under Article 6(1) of the GDPR and prepare appropriate records explaining this reliance, particularly in terms of checking whether such processing is strictly necessary to perform the contract.

Where necessary, she added, companies should obtain explicit consent from individuals that is specific, informed, and unambiguous and ensure written records are maintained. They should also consider using a “legitimate interests assessment” to ensure data requests/processing is relevant and does not infringe the data subjects’ interests, rights, and freedoms.

Individuals should also be provided with a “transparent” explanation about how such data will be processed, including the relevant lawful basis, the purpose, and whom it may be shared with, said Carter.