Article 87 GDPR: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(12 intermediate revisions by 4 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 87 - Processing of the national identification number'''</center><br />
<br />'''Article 87 - Processing of the national identification number'''


Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.


== Relevant Recital==
== Commentary ==
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 155</div>
<div class="mw-collapsible-content">
Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees’ personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
</div></div>


== Commentary ==
National identification numbers (NIN) or identifiers of general application as understood in Article 87 GDPR are numbers used by public authorities for identifying a particular person, so that public services might be provided to that person while also respecting their right to privacy.<ref>''van Eecke, Simkus'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1226 (Oxford University Press 2020).</ref> Member States have either adopted a system organised around a unique identifier, or around multiple identifiers for each citizen. Among the various identifiers of general application which may exist, one may for example refer to national registration numbers, national tax identifiers, ID or passport numbers, as well as social security numbers. 
 
NIN and other identifiers of general application provide many advantages. For example, they may facilitate the processing of personal data for the public administration. Although they are most commonly used by public actors, such as social security institutions or tax authorities, they can also in some instances be used by private actors, such as insurance companies, banks, or private employers, either to provide services or to prevent fraud (e.g. money laundering). The risks pertaining to the use of these identifiers can nevertheless be significant. If processed in an unsecured manner, they can notably lead to identity theft.<ref>EU Commission, Survey on Scams and Fraud Experienced by Consumers, January 2020 (available [https://ec.europa.eu/info/sites/default/files/aid_development_cooperation_fundamental_rights/ensuring_aid_effectiveness/documents/survey_on_scams_and_fraud_experienced_by_consumers_-_final_report.pdf here]).</ref>


National identification numbers as understood in Article 87 are used as a unique and trustworthy method of identifying a particular person by state authorities so that public services might be provided while also respecting that person’s confidentiality.<ref>Van Eecke/Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1226 (Oxford University Press 2020).</ref> States can choose whether they want to adopt a system of multiple numbers which could be used either by all state authorities for any public administration purpose, or could be used only for a specific sector or purpose.  
The complexity and sensitivity of the issue, which is linked to that of state sovereignty, has led the EU legislator not to fully harmonise these rules under the GDPR. Since there are no specific rules in this respect at the EU level, it is up to each Member State to determine the conditions under which these identifiers can be processed, beyond the general rules and principles set out in the GDPR.


Since there are no specific rules for National identification numbers it is up to each state to determine the conditions under which the national ID numbers can be processed. The sensitivity of the issue, which is linked to the sensitive issue of state sovereignty as well as the complexity of the topic, lead the legislators to decide to not unify and harmonize the issue among member states. Based on that the national identification number is not ''ibso facto'' characterized as sensitive data. As the state has the possibility to self-define the processes for data processing in this case, it has also the possibility to decide upon the characterization of these data as sensitive. This was also the rationale behind the precursor to Article 87 GDPR, Article 8(7) of the DPD.  
NIN or other identifiers of general application are not ''ipso facto'' characterised as a special category of data in the sense of [[Article 9 GDPR]]. However, each Member State has the possibility at the national level to characterise such identifiers as sensitive personal data, and to impose additional conditions on controllers or processors that process them. This was already the case under Article 8(7) of the DPD, the precursor of Article 87 GDPR. In many Member States, the processing of NIN and other identifiers of general application is therefore more strictly regulated, as well as usually limited to specific categories of actors for specific purposes.<ref>''Van Eecke and Simkus'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1225 (Oxford University Press 2020).</ref>


The Article provides that member states may choose to adopt measures on processing the national ID numbers. If the member state decides to adopt measures, then it also has to implement the appropriate safeguards to secure the protection of the citizens’ data.<ref>Van Eecke/Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1224 (Oxford University Press 2020).</ref> 
Article 87 GDPR further provides that if a Member State decides to adopt specific measures regarding the processing of identifiers, it also has to implement appropriate safeguards to ensure the protection of the rights and freedoms of citizens. Article 87 GDPR nonetheless does not specify which additional safeguards should be implemented, once again leaving Member States with a broad margin of discretion in this respect.  


According to these the member states around Europe have adopted a different strategy to face this issue. They are mentioned indicatively, Belgium or Sweden which follow a system of general application as it was indicated by article 8(7) DPD and Austria or Portugal which haven’t opted for a general application but they are limiting the use within one public sector.<ref>Van Eecke/Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1225 (Oxford University Press 2020).</ref> 
In line with this provision, Member States around the EU have adopted different approaches regarding the processing of NIN and other identifiers of general application. For instance, Belgium adopted a specific law in this respect decades ago,<ref>''[https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=1983080836&table_name=loi Loi du 8 aout 1983 organisant un registre national des personnes physiques]''</ref> and it has been amended and completed over time by several royal decrees. Similar laws have been adopted in Austria, Finland, France, the Netherlands, or Portugal (to name a few). Such provisions establish which actors can process national registration numbers, as well as the conditions for such processing to take place.


== References ==
== References ==
<references />
<references />


[[Category:Article 87 GDPR]] [[Category:GDPR]]
[[Category:Article 87 GDPR]] [[Category:GDPR Articles]]

Latest revision as of 09:37, 1 December 2023

Article 87 - Processing of the national identification number
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 87 - Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

Commentary

National identification numbers (NIN) or identifiers of general application as understood in Article 87 GDPR are numbers used by public authorities for identifying a particular person, so that public services might be provided to that person while also respecting their right to privacy.[1] Member States have either adopted a system organised around a unique identifier, or around multiple identifiers for each citizen. Among the various identifiers of general application which may exist, one may for example refer to national registration numbers, national tax identifiers, ID or passport numbers, as well as social security numbers.

NIN and other identifiers of general application provide many advantages. For example, they may facilitate the processing of personal data for the public administration. Although they are most commonly used by public actors, such as social security institutions or tax authorities, they can also in some instances be used by private actors, such as insurance companies, banks, or private employers, either to provide services or to prevent fraud (e.g. money laundering). The risks pertaining to the use of these identifiers can nevertheless be significant. If processed in an unsecured manner, they can notably lead to identity theft.[2]

The complexity and sensitivity of the issue, which is linked to that of state sovereignty, has led the EU legislator not to fully harmonise these rules under the GDPR. Since there are no specific rules in this respect at the EU level, it is up to each Member State to determine the conditions under which these identifiers can be processed, beyond the general rules and principles set out in the GDPR.

NIN or other identifiers of general application are not ipso facto characterised as a special category of data in the sense of Article 9 GDPR. However, each Member State has the possibility at the national level to characterise such identifiers as sensitive personal data, and to impose additional conditions on controllers or processors that process them. This was already the case under Article 8(7) of the DPD, the precursor of Article 87 GDPR. In many Member States, the processing of NIN and other identifiers of general application is therefore more strictly regulated, as well as usually limited to specific categories of actors for specific purposes.[3]

Article 87 GDPR further provides that if a Member State decides to adopt specific measures regarding the processing of identifiers, it also has to implement appropriate safeguards to ensure the protection of the rights and freedoms of citizens. Article 87 GDPR nonetheless does not specify which additional safeguards should be implemented, once again leaving Member States with a broad margin of discretion in this respect.

In line with this provision, Member States around the EU have adopted different approaches regarding the processing of NIN and other identifiers of general application. For instance, Belgium adopted a specific law in this respect decades ago,[4] and it has been amended and completed over time by several royal decrees. Similar laws have been adopted in Austria, Finland, France, the Netherlands, or Portugal (to name a few). Such provisions establish which actors can process national registration numbers, as well as the conditions for such processing to take place.

References

  1. van Eecke, Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1226 (Oxford University Press 2020).
  2. EU Commission, Survey on Scams and Fraud Experienced by Consumers, January 2020 (available here).
  3. Van Eecke and Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1225 (Oxford University Press 2020).
  4. Loi du 8 aout 1983 organisant un registre national des personnes physiques