APD/GBA (Belgium) - 12/2025
From GDPRhub
| APD/GBA - 12/2025 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 6(1)(c) GDPR Article 12 GDPR Article 13 GDPR Article 6(2) Belgian Law 19 July 1991 |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | |
| Published: | 22.01.2025 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 12/2025 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | elu |
The DPA held that a municipality lawfully collected a data subject’s fingerprints in order to issue an ID. The processing was necessary to comply with a legal obligation and complied with the data processing principles.
English Summary
Facts
The data subject's father advanced a complaint before the DPA, even if the data subject was not underage. The complaint was against a municipality, the controller and related to the request of the controller to collect a total of eight fingerprints of the data subject when issuing a new ID card, even if Article 6(2) of Belgian Law of 19 July 1991, only requires one fingerprint.
The data subject alleges that, when inquiring about the amount of fingerprints taken, the controller did not disclose the legal basis for the mandatory processing of personal data of the data subject. At the moment of collection of the ID card, eight fingerprints were again scanned.
The controller puts forward that their legal basis is, as per Article 6(1)(c) GDPR, a legal obligation stemming from the Royal decree of 25 March 2003 on identity cards, which itself builds on the Article 6(2) of Belgian Law of 19 July 1991.
Holding
The DPA held the following:
Lawfulness of the processing and transparency under Article 5(1)(a) GDPR in conjunction with Article 6, 12 and 13 GDPR
The DPA considers that the controller had a lawful legal basis for processing fingerprints in the context of creating ID cards under Article 6(1)(c) GDPR. The DPA goes as far as stating that there is an “unmistakably” legal obligation on the controller to process fingerprints for ID cards creation.
Violation of Articles 5(1)(a), 12 and 13 GDPR
The DPA starts its analysis by stating that no document can confirm that whether the data subject obtained the information when the fingerprints were provided, i.e. when the processing started.
Nevertheless, the DPA reiterated that the controller is under the obligation of provide a data subject with all information required when the fingerprints are first taken, as per Article 13 GDPR. The controller is under the further obligation to provide the information requested when the personal data are obtained from the data subject as per Article 13 GDPR and to ensure transparency in information and communication under Article 12 GDPR.
The DPA found that no violation of Articles 5(1)(a), 12 and 13 GDPR.
Violation of Article 5(1)(b) GDPR and Article 5(1)(c) GDPR
In relation to a possible violation of Article 5(1)(b) GDPR, the DPA considered first the fact that fingerprints are digitalized by ad hoc sensors at the initiative of the municipal authority. The digital image of these prints is then securely transmitted through the services for the National Registry to issue ID cards. This means that after fingerprints are registered and kept for up to three months to produce electronic ID cards. This is necessary so that the card producer can put the correct data on the chip, avoiding the need to re-register fingerprints in case of any technical malfunction. No later than three months from registration, the fingerprints are removed from the system and only one fingerprint per hand remains on the chip of the electronic ID.
Thus, the DPA concluded that there is no indication that the principle of purpose limitation, under Article 5(1)(b) GDPR, is violated.
In relation to a possible violation of Article 5(1)(c) GDPR, the fact that multiple fingerprints are processed per hand is motivated by the fact that it is prescribed by law that the best quality fingerprint should be integrated into the chip. This justifies the fact that several fingerprints per hand should be taken to select the best one.
Moreover, the storing of fingerprints for maximum three months indicates that the digital image of the fingerprints is only kept for the time necessary for the creation and issuance of the ID card. This ensures that fingerprints are not kept longer than necessary.
Thus, the DPA concluded that no violation of the principle of data minimization, as per Article 5(1)(c) GDPR.
To conclude, the DPA did not find any violation of Article 5(1)(b), 5(1)(c), 6(1)(a), 12 and 13 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/10 Litigation Chamber Decisions on the merits 12/2025 of 22 January 2025 File number: DOS-2020-05957 Subject: Fingerprints for electronic identity card The Litigation Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, chair, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR"; Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter "WOG"; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Having regard to the documents in the file; Has taken the following decision regarding: Complainant: Mrs X, hereinafter “the complainant” Defendant: Y, hereinafter “the defendant” Decision on the merits 12/2025 — 2/10 I. Facts and procedure 1. On 12 January 2021, the complainant lodged a complaint with the Data Protection Authority against the defendant, a municipality. 2. The subject of the complaint concerns the issue of a new identity card for which the defendant would take four fingerprints from each hand. However, Article 6, §2, 8° of the law of 19 July 1991 stipulates that one fingerprint may be taken from each hand. The complainant argues that no transparent information was provided by the city (...) after this was requested after the fingerprints were taken, and no legal basis could be given for the mandatory submission of four fingerprints per hand. The complainant refers to correspondence with the defendant by e-mail dated 17 December 2020 and 22 December 2020, as added to the complaint. The complainant states that not only were more fingerprints taken than legally permitted for the identity card, but that it is also possible that the defendant will use the remaining fingerprints for other purposes. 3. On 19 January 2021, the complainant reports to the First Line Service that when collecting the electronic identity card, eight fingers were scanned again to activate the identity card. According to the complainant, this leads to the defendant's claim that the other fingerprints, except for the only print per hand prescribed by law, are not destroyed. 4. On 29 January 2021, the complaint is declared admissible by the First Line Service on the grounds of Articles 58 and 60 WOG and the complaint is transferred to the Dispute Chamber on the grounds of Article 62, § 1 WOG. 5. On 16 June 2023, the Dispute Chamber decided, on the basis of Article 95, § 1, 1° and Article 98WOG, that the file is ready for consideration on the merits and the parties involved are notified by registered mail of the provisions as stated in Article 95, § 2, as well as of those in Article 98WOG. They are also informed, on the basis of Article 99WOG, of the deadlines for submitting their defences. The deadline for receipt of the defendant's conclusion of reply was thereby set at 11 August 2023, this for the complainant's conclusion of reply on 1 Art. 6, §2. In addition to the signature of the holder, the identity card and the alien card also contain personal data that are visible to the naked eye and electronically legible. The electronically readable data of a personal nature concern: […] 8° the digital image of the fingerprints of the index finger of the left and right hand of the holder or, in the event of disability or incapacity, of another finger of each hand; the King determines, by a decree adopted after consultation in the Council of Ministers after advice from the Data Protection Authority, the conditions and further rules for taking the digital image of the fingerprints. Decision on the merits 12/2025 — 3/10 1 September 2023 and this for the conclusion of reply of the defendant on 22 September 2023. 6. On 19 June 2023, the defendant requests a copy of the file (Article 95, § 2, 3° WOG), which was sent to him on 21 June 2023. 7. On 10 August 2023, the Dispute Chamber receives the conclusion of response from the defendant. 8. Due to the lack of a conclusion of response from the complainant, the defendant does not submit a conclusion of reply. 9. On 26 November 2024, the Dispute Chamber receives the request from the defendant to inform him of the state of affairs in this file. 10. Before giving reasons, the Dispute Resolution Chamber points out that the turnaround time of this procedure has been (too) long, partly as a result of the large number of files being processed by the Dispute Resolution Chamber. II. Reasons a) Lawfulness of processing and transparency (Article 5.1a) GDPR in conjunction with Article 6 GDPR, 12 and 13 GDPR) 11. As regards the applicable regulations, the defendant refers to the Royal 2 Decree of 25 March 2003 on identity cards, more specifically Article 3, §5, in order to justify the processing of fingerprints with a view to issuing the electronic identity card. 12. The Dispute Chamber notes that the Royal Decree in question was taken in implementation of the law of 19 July 1991 on population registers, identity cards, alien cards and residence documents, in particular article 6, §2, paragraph 3, which states that the conditions and additional rules for taking the digital image of the fingerprint must be determined by Royal Decree. 3 2 Article 3, §5 Royal Decree of 25 March 2003: […] The fingerprints are digitised on the initiative of the municipal authority by means of ad hoc sensors. The digital image of these prints is sent securely to the producer of the identity card via the services of the National Register in order to be integrated electronically. […] When fingerprints cannot be taken from the index fingers or one of them, because they are not good enough or because of a disability or illness, fingerprints will be taken from another finger in the following order: 1) index finger, 2) middle finger, 3) ring finger, 4) little finger, 5) thumb. When, in the event, the fingerprints of only one finger among the aforementioned fingers can be taken, an identity card or an alien card with only those fingerprints will be issued. In any case, at most one fingerprint will be registered per hand. 3Article 6, §2 Act of 19 July 1991: Decision on the substance 12/2025 — 4/10 The processing of fingerprints in the chip of the identity card is in line with the 4 European Regulation 2019/1157 of 20 June 2019, which obliges Member States, pursuant to Article 3.5 of this Regulation, to integrate fingerprints in the identity card. 5 13. It follows that the Litigation Chamber is of the opinion that the defendant processes fingerprints lawfully when creating identity cards within the meaning of Article 6.1 c) GDPR, since there is undeniably a legal obligation on the defendant to include fingerprints in the identity cards. Consequently, there is no infringement of Article 5.1 a) GDPR in conjunction with Article 6 GDPR. 14. However, the existence of a valid legal basis does not preclude compliance with the other provisions of the GDPR, including the principle of transparency as set out in Article 5. 1. a) GDPR in conjunction with Articles 12 and 13 GDPR, since in the present case the defendant obtained the personal data directly from the complainant. In order to ensure transparent data processing, the controller, i.e. the defendant, must inform the complainant concerned of the elements set out in Article 13 6 GDPR at the time of data collection. § 2. In addition to the signature of the holder, the identity card and the alien card also contain personal data that are visible to the naked eye and electronically legible. […] The electronically readable personal data concern: […] 8° the digital image of the fingerprints of the index finger of the holder's left and right hand or, in the event of disability or incapacity, of another finger of each hand; the King determines, by a decree adopted after consultation in the Council of Ministers after advice from the Data Protection Authority, the conditions and detailed rules for taking the digital image of the fingerprints; 4Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement; See: https://eur-lex.europa.eu/legal- content/NL/TXT/PDF/?uri=CELEX:32019R1157 5Article 3. […] 5. The identity card shall contain a storage medium meeting the highest security standards and containing a facial image and two fingerprint images of the cardholder in a digital format. For the collection of biometric data, Member States shall apply the technical specifications laid down in Commission Implementing Decision C (2018) 7767 6Article 13.1. GDPR. Where personal data relating to a data subject are collected from that person, the controller shall provide the data subject with all of the following information when obtaining the personal data: a) the identity and contact details of the controller and, where applicable, of the controller's representative; b) the contact details of the data protection officer, where applicable; c) the purposes of the processing for which the personal data are intended and the legal basis for the processing; 4.5.2016 L 119/40 Official Journal of the European Union EN (d) the legitimate interests pursued by the controller or by a third party, where the processing is based on point (f) of Article 6(1); (d) where applicable, the recipients or categories of recipients of the personal data; (e) where applicable, that the controller intends to transfer the personal data to a third country or an international organisation; whether or not there is an adequacy decision by the Commission; or, in Substantive Decision 12/2025 — 5/10 15. There is no evidence in the file indicating whether or not the complainant obtained the required information at the time the fingerprints were provided that would allow the procedure for creating the eID to start. The complainant only submits e-mail correspondence between her father and the defendant in which her father requests the defendant after the facts for an explanation regarding the purposes and legal basis with regard to the processing of fingerprints by the defendant. The complainant also does not submit any documents showing that she herself requested the information in her capacity as a data subject within the meaning of Article 4.1 GDPR in conjunction with Article 15.1 GDPR. After all, the complainant has reached the age of 18 at the time of the facts and then, as an adult, has the right to request the information in question on the basis of Article 15.1 GDPR. However, the file does not show that the complainant herself requested the defendant for information about the personal data relating to her. in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1), what are the appropriate or suitable safeguards, how to obtain a copy of them or where they can be accessed. 2. In addition to the information referred to in paragraph 1, the controller shall, at the time when the personal data are obtained, provide the data subject with the following additional information necessary to ensure fair and transparent processing: a) the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period; b) the existence of the right to request from the controller access to and rectification or erasure of the personal data or restriction of processing concerning him or her, as well as the right to object to the processing and the right to data portability; c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; d) the right to lodge a complaint with a supervisory authority; e) whether the provision of personal data is a statutory or contractual requirement or a necessary condition for entering into a contract, and whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data; f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the interests and envisaged consequences of such processing for the data subject. 3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2. 4. Paragraphs 1, 2 and 3 shall not apply where and to the extent that the data subject already has the information. 7Article 15.1. GDPR The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and to the following information [own emphasis]: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period; e) the data subject has the right to request the controller to rectify or erase personal data or to restrict processing of personal data concerning him or her, as well as the right to object to such processing; f) the data subject has the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information on the source of those data; Decision on the substance 12/2025 — 6/10 16. Although the complainant does not specify what information she did or did not obtain when taking the fingerprints, the Litigation Chamber nevertheless recalls that the defendant must provide the data subject with all information in accordance with Article 13 GDPR when the fingerprints are first taken. This means that the controller must take active steps to provide the information in question 8 to the data subject. According to Article 12.1 GDPR, written information or communication with data subjects is the standard form. If written electronic means are used, a layered privacy statement/notice may also be used. In any case, it is important to point out that the information addressed to a data subject must be available in its entirety in a single place or in a single (paper or digital) document, to which the data subject has easy access if he or she wishes to consult the information intended for him or her in its entirety. 17. The Dispute Chamber emphasises that the defendant is not only obliged to provide the information requested by the data subject when exercising his or her right of access (Article 15 GDPR), which relates to personal data already processed by the controller. The controller is also obliged to provide information in accordance with Article 13 GDPR when obtaining the personal data from the data subject - i.e. from the outset - in the event of collection of the personal data from the data subject himself. Proper provision of information within the meaning of Article 13 GDPR prevents ambiguity on the part of the data subject and anticipates requests for clarification from the data subject. b) Principle of purpose limitation (Article 5.1 b) GDPR) and data minimisation (Article 5.1 c) GDPR) 18. The complainant claims to fear that if a print of multiple fingers from each hand is taken, the prints will be used for other purposes by the defendant. 19. The defendant denies that the fingerprints taken are used in any way for any purpose other than the integration of a single fingerprint per hand on the RFID chip of the identity card. The defendant explains that in the case of h) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the logic involved, as well as the interest and envisaged consequences of such processing for the data subject. 8Article 12.1 GDPR. The controller shall take appropriate measures to provide the data subject with the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and 34 relating to the processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular when the information is addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, electronic means. If the data subject so requests, the information may be provided orally, provided that the identity of the data subject is proven by other means. 9See also in this regard the Guidelines on transparency pursuant to Regulation (EU) 2016/679, in particular paragraphs 17, 35 -38, available at https://ec.europa.eu/newsroom/article29/items/622227 Decision on the merits 12/2025 — 7/10 the application procedure for an eID follows the standard procedure recommended by the Federal Public Service Home Affairs. Eight fingers are scanned as standard in order to determine which finger per hand has the best quality of fingerprint. Of these fingerprints, a maximum of one fingerprint, the one with the best quality, is stored per hand at a time. The fingerprint with the best quality is automatically detected by the computer program. When completing the application for an eID, only two prints are stored each time - one per hand. The other prints are no longer stored. The two stored fingerprints are, as legally determined, used to be placed on the chip of the eID. Once these two fingerprints have been placed on the chip, these prints are also destroyed in the temporary and secure storage system that is necessary to be able to place both fingerprints on the chip. 20. With regard to temporary storage, the defendant refers to Article 3, §5, paragraph 2 of the 11 aforementioned Royal Decree of 25 March 2003, which stipulates that the fingerprints are digitalised at the initiative of the municipal authority by means of ad hoc sensors. The digital image of these prints is sent securely to the producer of the identity card via the services of the National Register in order to be integrated electronically. The defendant emphasises that the procedure as described on the website of the FPS Home Affairs is followed. This means that after registration of the fingerprints, they are kept for a maximum of three months for the production of the card. This period is necessary to ensure that the card manufacturer can place the correct data on the chip. This also prevents the fingerprints from having to be registered again in the event of a technical defect. No later than three months after the registration of the fingerprints, they will be removed from the system and only one fingerprint per hand will be on the chip of the eID. 21. As soon as the card is activated, you will be asked to provide fingerprints again. These prints will then be compared with the prints on the chip of the new eID to prevent someone else from collecting the eID instead of the person to whom the card belongs. Since the municipality where the eID is collected, in this case the defendant, does not know which fingerprint has the best quality and is stored on the chip, eight fingerprints will be taken again when the eID is collected. The application selects from the recently taken fingerprints the prints of the fingers that are in the RFID chip so that the newly taken print can be compared with the one recorded in the chip. 10https://www.vernieuwde-eid.be/ 11 Article 3, §5, paragraph 2 of the Royal Decree on identity cards: The fingerprints are digitised on the initiative of the municipal authority by means of ad hoc sensors. The digital image of these prints is sent securely to the producer of the identity card via the services of the National Register in order to be electronically integrated into it. Decision on the merits 12/2025 — 8/10 22. The Dispute Chamber concludes that there is no valid reason, nor any indication to assume on the basis of the elements of the file that the fingerprints taken are used for a purpose other than the creation of an eID, such that no infringement of Article 5.1 b) GDPR can be established. 23. Furthermore, it appears that although multiple fingerprints are processed per hand, this method is based on the consideration that it is legally prescribed that the fingerprint of the best quality must be integrated into the chip (Article 3, §5, paragraph 5 12 of the Royal Decree of 25 March 2003), which justifies that a print of multiple fingers per hand must be taken with a view to selecting the best and only one single fingerprint per hand, albeit with respect for the ranking as determined in Article 3, §5, paragraph 5 of the aforementioned Royal Decree of 25 March 2003. 24. Essential here is the temporary storage of the fingerprints in the file of the card producer for a maximum period of three months. This is in accordance with Article 6, §2, paragraph 5 of the Act of 19 July 1991 on population registers, identity cards, alien cards and residence documents, which stipulates that the digital image of the fingerprints may only be stored for the time required to create and issue the identity card and in any case no longer than three months, after which it must be destroyed in any case. This strictly imposed, short term ensures that the fingerprints are not stored longer than necessary. The limited storage period contributes to minimal data processing because after the best fingerprint per hand has been selected, the other fingerprints are deleted and then, after the person concerned has collected the eID, the fingerprints that were recorded in the RFID chip of the EID are also deleted from the file of the card manufacturer. 25. The defendant demonstrates that the taking of multiple fingerprints is a purely technical modality that enables the defendant to efficiently have the eID created by the card manufacturer within a reasonably short period of time with the necessary security guarantees with destruction of all fingerprints after the legally specified period of three months. 1Article 3, §5, para. 5 Royal Decree of 25 March 2003 on identity cards: If fingerprints cannot be taken from the index fingers or one of them, because they are not good enough or due to a disability or illness, fingerprints are taken from another finger in the following order: 1) index finger, 2) middle finger, 3) ring finger, 4) little finger, 5) thumb. If, in the event, the fingerprints of only one of the aforementioned fingers can be taken, an identity card or an alien card with only those fingerprints will be issued. In any event, a maximum of one fingerprint will be registered per hand. 13Article 6, §2, paragraph 5 of the Act of 19 July 1991: The information referred to in the third paragraph, 8°, may only be kept for the time necessary to create and issue the identity card and in any event no longer than three months, with the understanding that after that period of three months the data must in any event be destroyed and deleted. Decision on the substance 12/2025 — 9/10 26. The fingerprints stored in the RFID chip are protected by the same security mechanism as that used for passports and residence permits of third-country nationals. This security mechanism is imposed by the EU standard on travel documents and consists of granting access to the fingerprints only to authorised readers via electronic certificates. The Litigation Chamber also notes that the defendant refers to the agreement concluded in this regard between the defendant and the Belgian State. Furthermore, 16 Article 6, §2, paragraph 6 of the Law of 19 July 1991 expressly and restrictively determines who has access to the fingerprints on the RFID chip. 17 27. The guarantee offered, namely that this storage of the fingerprints is temporary with a view to selecting the best print per hand, and this for a short period of a maximum of three months, whereby this temporary storage is done in a secure manner only with a view to the production of the eID, leads the Dispute Chamber to conclude that the principle of minimum data processing is respected in light of the objective pursued, consisting of creating the eID in accordance with the legal 18 provisions of the law of, in particular article 6, §2 of the law of 19 July 1991, which determines the information that must be included in the eID, including the fingerprints as electronically readable personal data. This leads to the Dispute Chamber being of the opinion that there has been no infringement of article 5.1 c) GDPR. 14https://www.ibz.rrn.fgov.be/nl/identiteitsdocumenten/eid/eid-en-gdpr/ 15Council Regulation (EC) No. 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States 16 Document 4 in the defendant's conclusion: “Agreement between the Belgian State and the Y on the issue of biometric residence permits to third-country nationals and of biometric passports to Belgian citizens” 17 Article 6, §2, para. 5 of the Law of 19 July 1991: Are authorised to read the information referred to in the third paragraph, 8°: - the municipal staff responsible for issuing identity cards; - the police services, to the extent necessary to fulfil their legal tasks of administrative and judicial police in the context of combating fraud, in particular combating human trafficking and smuggling, fraud and breach of trust, money laundering, terrorism, forgery and use of forged documents, assumption of name and use of a false name, violations of the law of 15 December 1980 on access to the territory, residence, establishment and removal of foreigners, as well as obstruction of tasks of administrative police; - the staff responsible for border control, both in Belgium and abroad; - staff members of the Immigration Office, to the extent that this is necessary in the context of the detection and establishment of infringements of the Act of 15 December 1980 on access to the territory, residence, establishment and removal of foreigners and the Act of 30 April 1999 on the employment of foreign workers; - staff members of the Federal Public Service Foreign Affairs and the diplomatic and consular staff personally authorised to do so by the ambassador or consul, to the extent that this is necessary in the context of the fight against fraud; - the company responsible for the production of identity cards, as well as the persons within that company who have a strictly defined authorisation for this purpose, exclusively for the purpose of producing and issuing the identity cards. 18 Act of 19 July 1991 on population registers, identity cards, alien cards and residence documents
