Tietosuojavaltuutetun toimisto - 8205/154/18

From GDPRhub
Tietosuojavaltuutetun toimisto - 8205/154/18
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5 GDPR
Article 32 GDPR
Article 58(2)(d) GDPR
Article 87 GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 14.05.2020 [[Category:]]
Fine: None
Parties: n/a
National Case Number/Name: 8205/154/18
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutettu (in FI)
Initial Contributor: n/a

The Finnish DPA (Tietosuojavaltuutettu) found that the national identification number is not intended to be used as a means of identification and identification alone cannot be the reason for its processing.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant claimed that each customer of the data controller gets a unique customer number in their billing systems which is backed by a social security number and all the relevant information, such as the total amount of invoices paid. They also claimed that this practice may lead to financial exploitation of the elderly or identity theft.

The data controller claimed that they needed this number to identify the customers, while the customers' name only is not sufficient.

Dispute[edit | edit source]

Holding[edit | edit source]

Article 87 GDPR regulates the processing of a national identity number. This is also regulated with Section 29.4 of the National Data Protection Act, according to which a personal identification number shall not be unnecessarily entered in documents printed or prepared on the basis of the personal register. The DPA also invoked the principle of data minimisation of Article 5 GDPR.

Finally, the DPA found that the national identification number is not a personal identification number intended to be used as a means of identification, and identification alone cannot be the basis for processing. It ordered the data controller to bring the processing operations in line with the provisions of the GDPR in accordance with Article 58 (2) (d).

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Marking the personal identity number on invoices
Keywords: processing of personal data
personal identification number
social security number
Legal basis: Decision in accordance with the EU General Data Protection Regulation
Registration: 8205/154/18

THING

Clarification received from the notifier

The advertiser has said that the city will add the entire social security number to the security phone bill, contrary to the customer's request. According to the notifier, each customer has a unique customer number in their billing systems, and this is backed by a social security number and all the necessary information, such as the total amount of invoices paid. According to the notifier, the current practice may lead to, among other things, financial exploitation of the elderly or identity theft.

Statement received from the controller

According to the registrar, the personal identification number is used in invoices to identify the customer. The registrar considers that an invoice is a decision addressed to a person, in which case the name is not sufficient to identify the person. Healthcare customer payments are also directly enforceable under the law, and insurance companies do not accept invoices that do not identify the customer with a personal identity number.

According to the registrar, the information printed on the patient bill in the hospital district is determined by the system according to the same criteria for everyone, and no exceptions are made for them. The patient can also choose to have the invoices sent to him or her as e-invoices to OmaPost, which eliminates the data protection risk associated with paper invoices. The registrar states that the system cannot select an ID for one invoice and not for another, and invoices are not generated manually.
Applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. The Data Protection Regulation contains a national margin of maneuver, on the basis of which national law can supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).

Legal question

The Data Protection Officer assesses and resolves the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). This is a matter of processing the identity number.

The EDPS shall decide whether the controller should be instructed in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing operations in line with the Regulation.

DECISION

The controller is instructed to bring the processing operations in line with the general data protection regulation.

Reasoning

Article 87 of the General Data Protection Regulation provides for the processing of a national identity number. According to this article, a national personal identification number or other public identifier must be used only in accordance with the appropriate safeguards for the data subject's rights and freedoms under the Data Protection Regulation, and Member States may further specify specific conditions for processing a national personal identification number or other public identifier. Section 29.4 of the Data Protection Act, which supplements the Decree, states that a personal identification number shall not be unnecessarily entered in documents printed or prepared on the basis of the personal register. The Government's proposal clarifies the paragraph by stating that the registrar should ensure, for example, that personal identification numbers are not prominently marked on postal items (HE 9/2018 vp).
In order for the processing of personal data to be considered compliant with the Regulation, the controller must also comply with the data protection principles set out in Article 5 of the Data Protection Regulation at all stages of the processing. Of these, the principle of data minimization requires, inter alia, that personal data be limited to what is necessary in relation to the purposes for which the personal data are processed. Recital 39 related to the Article states that personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means. In addition, personal data must be processed in such a way as to ensure appropriate security and confidentiality of personal data, including the prevention of unauthorized access to personal data.

As stated above, the processing of a personal identity number is subject to a requirement of necessity, and the controller has, in its reply to the request for clarification, put forward three arguments on the basis of which it considers it necessary to enter the personal identity number on the printed invoice document.

According to the registrar, the invoice is, first, a decision and the name is not sufficient to identify the subject of the decision. In that regard, the grant of a security telephone number was a solution for the provision of an aid to a city patient, which has not been regarded in the case-law as an appealable decision equivalent to an administrative decision. Even in the case of an administrative decision pursuant to the Administrative Procedure Act, the information to be included in the written decision does not include a personal identity number (Section 44.1 of the Administrative Procedure Act). Most importantly, however, the decision to grant a security telephone and the invoice relating to the use of the security telephone are not the same thing, and the invoice is not a decision.
According to the registrar's second argument, healthcare customer payments are directly enforceable under the law, which is why the invoice must have a personal identity number. In this respect, it can be stated, first of all, that healthcare customer payments can be enforced without a judgment or decision on the basis of section 17 of the Customer Payment Act. The use of a personal identity number in collecting a receivable, on the other hand, is permitted on the basis of section 29.2 of the Data Protection Act, and this is also subject to the requirement of necessity in subsection 4 in situations of marking a personal identity number. However, an invoice issued to a customer is not a collection of a receivable, but by payment by the due date of the invoice, the person makes a timely payment to fulfill his obligation, and the invoice is not considered a recovery action even if the payment is directly enforceable. Also, the withdrawal does not take place on the basis of a paper invoice, but the necessary information is obtained from the data controller. Therefore, the entry of an identity number on an invoice cannot be justified by the fact that the payment is directly enforceable.

According to the registrar's third argument, insurance companies do not accept invoices that do not have a personal identity number. Today, an application for compensation is usually made to the insurance company electronically. In this case, the insurance company will only exceptionally ask the claimant to provide separate documents, such as receipts for payments. In the case of the elderly, in the absence of digital information, the operating model may be, for example, for the insured to call the insurance company and a written application will be sent to him or her by post. Typically, even in this case, not even receipts are required, but the insurance company receives the information it needs directly from the place of care by proxy. There is no need for insurance invoices for insurance companies, and access to information is handled through other means. In addition, the invoice and the payment made on the basis thereof can be linked to the insured without a personal identity number, for example by means of a reference number.

In his reply, the controller also mentions the challenges posed by technical systems. In that regard, it must be stated that the processing of a personal identity number (including its entry in the documents) cannot be justified on the ground that it makes the operation easier. With regard to the readiness of the systems, Article 32 of the Data Protection Regulation should also be taken into account, which in practice requires that the controller has brought its technical capacity to a level where the regulation of the Regulation can be concretely implemented. Nor is a personal identification number intended to be used as a means of identification, and identification alone cannot be the basis for processing a personal identification number.
In addition to the above, the State Treasury has stated in its regulation on the content requirement for sales invoices (dnro: VK / 1275 / 00.00.01.06.00 / 2019) that the personal identity number should not be printed on the consumer's invoice.

The Data Protection Officer resolves matters concerning the processing of personal identity numbers on the basis of the provisions of the General Data Protection Regulation and the Data Protection Act mentioned above.

On the basis of the above, the EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing operations in line with the provisions of the Regulation.

Applicable law

Mentioned in the explanatory memorandum.

The decision is not yet final.