GDPR compliance consultancy: is publishing criminal judgments compatible with GDPR?

Is the publication of criminal court judgments compatible with GDPR? The Data Protection Agency has opened supervision of two search services – Lexbase and Krimfup – which publish criminal judgments in searchable databases, following a high volume of public complaints.

Our GDPR compliance consultancy delivers ongoing interpretation and implementation of GDPR requirements—through continuous advisory mandates, targeted interventions or longer-term partnerships—serving clients across Europe. As part of our GDPR advisory services, we align governance, controls and documentation with regulatory expectations.

Many now question the balance between transparency and privacy. Publishing criminal judgments can have far-reaching consequences for named individuals, with impacts on private life and future opportunities. It is therefore unsurprising that the Data Protection Agency is acting against services suspected of non-compliance, with the stated aim of assessing whether the publication of data on criminal offences complies with the GDPR.

In 2024 the authority confirmed it may supervise even services holding publication certificates, and a recent Supreme Court decision means companies that collect and publish criminal judgments now face legal obstacles. Our legal analysis of Supreme Court decision trends guides clients on risk, scope and defensible mitigations.

For businesses that request large volumes of judgments from the courts, this marks a shift in how operations must be conducted. Freedom of information is now weighed more strictly against the individual right to privacy, creating tighter limits on how criminal judgments may be repurposed for publication in services such as Lexbase and Krimfup.

Regulatory attention currently centres on the processing of data about criminal offences; however, the Data Protection Agency also signals that it may review other categories in future, such as financial details and family circumstances. Across Europe, regulators – including counterparts often referred to as the Swedish authority for privacy protection – are intensifying their scrutiny.

GDPR compliance consultancy: practical questions to address

• Identify which data types are subject to special protection, including data relating to criminal convictions and offences.
• Confirm a lawful basis for collection, publication and further disclosure, and ensure necessity and proportionality are evidenced.
• Document internal procedures for erasure and rectification when complaints are raised, with clear timelines and ownership.

Legal analysis of Supreme Court decision and operational implications

We support companies with a legal analysis of Supreme Court decision implications for data processing, publication models and onward dissemination. Our GDPR advisory services include assessing legal bases, legitimate interest tests, safeguards and retention aligned to enforcement by the Data Protection Agency and peer regulators such as the Swedish authority for privacy protection.

Morling Consulting tracks developments and advises businesses on GDPR and the processing of personal data. A correct approach to publishing personal data online reduces the risk of complaints and administrative fines. We offer support from analysis through to the implementation of GDPR requirements—serving clients across Europe.

Contact us to discuss your specific situation.