Article 87 GDPR

From GDPRhub
Article 87 - Processing of the national identification number
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 87 - Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

Commentary

National identification numbers (NIN) or identifiers of general application as understood in Article 87 GDPR are numbers used by public authorities for identifying a particular person, so that public services might be provided to that person while also respecting their right to privacy.[1] Member States have either adopted a system organised around a unique identifier, or around multiple identifiers for each citizen. Among the various identifiers of general application which may exist, one may for example refer to national registration numbers, national tax identifiers, ID or passport numbers, as well as social security numbers.

NIN and other identifiers of general application provide many advantages. For example, they may facilitate the processing of personal data for the public administration. Although they are most commonly used by public actors, such as social security institutions or tax authorities, they can also in some instances be used by private actors, such as insurance companies, banks, or private employers, either to provide services or to prevent fraud (e.g. money laundering). The risks pertaining to the use of these identifiers can nevertheless be significant. If processed in an unsecured manner, they can notably lead to identity theft.[2]

The complexity and sensitivity of the issue, which is linked to that of state sovereignty, has led the EU legislator not to fully harmonise these rules under the GDPR. Since there are no specific rules in this respect at the EU level, it is up to each Member State to determine the conditions under which these identifiers can be processed, beyond the general rules and principles set out in the GDPR.

NIN or other identifiers of general application are not ipso facto characterised as a special category of data in the sense of Article 9 GDPR. However, each Member State has the possibility at the national level to characterise such identifiers as sensitive personal data, and to impose additional conditions on controllers or processors that process them. This was already the case under Article 8(7) of the DPD, the precursor of Article 87 GDPR. In many Member States, the processing of NIN and other identifiers of general application is therefore more strictly regulated, as well as usually limited to specific categories of actors for specific purposes.[3]

Article 87 GDPR further provides that if a Member State decides to adopt specific measures regarding the processing of identifiers, it also has to implement appropriate safeguards to ensure the protection of the rights and freedoms of citizens. Article 87 GDPR nonetheless does not specify which additional safeguards should be implemented, once again leaving Member States with a broad margin of discretion in this respect.

In line with this provision, Member States around the EU have adopted different approaches regarding the processing of NIN and other identifiers of general application. For instance, Belgium adopted a specific law in this respect decades ago,[4] and it has been amended and completed over time by several royal decrees. Similar laws have been adopted in Austria, Finland, France, the Netherlands, or Portugal (to name a few). Such provisions establish which actors can process national registration numbers, as well as the conditions for such processing to take place.

References

  1. van Eecke, Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1226 (Oxford University Press 2020).
  2. EU Commission, Survey on Scams and Fraud Experienced by Consumers, January 2020 (available here).
  3. Van Eecke and Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1225 (Oxford University Press 2020).
  4. Loi du 8 aout 1983 organisant un registre national des personnes physiques