Article 87 GDPR: Difference between revisions
(merge category "GDPR" into "GDPR Articles") |
|||
Line 203: | Line 203: | ||
<references /> | <references /> | ||
[[Category:Article 87 GDPR]] [[Category:GDPR]] | [[Category:Article 87 GDPR]] [[Category:GDPR Articles]] |
Revision as of 14:31, 15 February 2022
Legal Text
Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
Commentary
National identification numbers (NIN) or identifiers of general application as understood in Article 87 GDPR are numbers used as a unique and trustworthy method by state authorities for identifying a particular person, so that public services might be provided to that person while also respecting their right to privacy.[1] Member States have either adopted a system organised around a unique identifier, or around multiple identifiers for each citizen. Among the various identifiers of general application which may exist, one may refer, for example, to national registration numbers, national tax identifiers, ID or passport numbers, as well as social security numbers.
NIN and other identifiers of general application provide many advantages. For example, they may facilitate the processing of personal data for public administration purposes. Although they are most commonly used by public actors, such as social security institutions or tax authorities, they can also in some instances be used by private actors, such as insurance companies, banks, or private employers, either to provide services or to prevent fraud (for example, to prevent money laundering). The risks pertaining to the use of these identifiers can however be significant. If processed in an unsecured manner, they can for example lead to identity thefts.[2]
The complexity and sensitivity of the issue, which is linked to that of state sovereignty, has led the EU legislator not to fully harmonize these rules under the GDPR. Since there are no specific rules in this respect at the EU level, it is up to each Member State to determine the conditions under which these identifiers can be processed, beyond the general rules and principles set in the GDPR.
NIN or other identifiers of general application are for example not ibso facto characterized as a special category of data in the sense of Article 9 GDPR. Yet, each Member State has the possibility at the national level to characterize such identifiers as sensitive personal data, and also to impose additional conditions on controllers or processors that process those identifiers. This was already the case under Article 8(7) of the DPD, i.e. the precursor of Article 87 GDPR. In many Member States, the processing of NIN and other identifiers of general application is therefore more strictly regulated, and usually limited to specific categories of actors for specific purposes.[3]
Article 87 GDPR further provides that if a Member State decides to adopt specific measures regarding the processing of identifiers, it also has to implement appropriate safeguards to ensure the protection of the rights and freedoms of citizens.[4] Article 87 GDPR however does not specify which additional safeguards should be implemented, leaving once again Member States with a broad margin of discretion in this respect.
In line with this provision, Member States around the EU have adopted different approaches in relation to the processing of NIN and other identifiers of general application. Belgium, for example, has since long adopted a specific law in this respect (Loi du 8 aout 1983 organisant un registre national des personnes physiques), which has been amended and completed over time by several royal decrees. These provisions establish which actors can process national registration numbers, as well as the conditions for such processing to take place. Similar laws have been adopted in Austria, Finland, France, the Netherlands, or Portugal (to name a few).
References
- ↑ Van Eecke/Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1226 (Oxford University Press 2020).
- ↑ EU Commission, Survey on Scams and Fraud Experienced by Consumers, January 2020, available at https://ec.europa.eu/info/sites/default/files/aid_development_cooperation_fundamental_rights/ensuring_aid_effectiveness/documents/survey_on_scams_and_fraud_experienced_by_consumers_-_final_report.pdf
- ↑ Van Eecke/Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1225 (Oxford University Press 2020).
- ↑ Van Eecke/Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1224 (Oxford University Press 2020).