A personal identity number is personal data, and it must therefore be handled in accordance with the GDPR and the complementary national legislation. You may encounter personal identity numbers in many situations, for example in email, salary slips, employment contracts or health-related documents. What you might not know is that the personal identity number is classified as integrity-sensitive personal data, also known as personal data deserving extra protection. In this blog post we go through when a personal identity number may be processed and how it must be processed under current law.
Why do personal identity numbers need special handling?
Personal identity numbers are not regulated specifically in the GDPR. Instead, they fall under one of the areas where the Member States are free to adopt their own rules (Article 87 GDPR leaves the conditions for processing national identification numbers to national law). In Sweden, we have chosen to treat personal identity numbers as personal data deserving extra protection. This means that personal identity numbers must be processed in a particular way, because the requirements for the processing to count as lawful are stricter than those that apply to "ordinary" personal data.
When are you allowed to process personal identity numbers?
The main rule is that personal identity numbers should only be processed if the data subject has given consent to the processing, meaning that the person has explicitly said "yes" to it. However, there are exceptions under which your organization may process the personal identity number even though you have not obtained explicit consent from the data subject. These exceptions are:
- When it is clearly motivated considering the importance of a secure identification;
- When it is clearly motivated considering the purpose of the processing;
- When it is clearly motivated considering any other noteworthy reason.
The other requirements of the GDPR still apply. Hence, you need a legal basis for your processing of the personal data (consent, contract, legal obligation, protection of vital interests, exercise of official authority or a task carried out in the public interest, or legitimate interest), and you must also comply with the other GDPR principles for lawful processing, such as purpose limitation and data minimisation.
How should personal identity numbers be handled?
Since personal identity numbers are regarded as personal data in need of extra protection, they must be exposed as little as possible. For example, they should not be displayed on a letter. You must also assess whether the personal identity number is actually needed at all. Perhaps the date of birth is sufficient? Examine in which situations you process the personal identity number and check whether you really need it for that type of processing. As guidance, look at the purpose of the processing to decide whether the personal identity number is necessary. If you do not have consent for the processing, you need to make sure that the use is clearly motivated by one of the exceptions mentioned above, and you should be able to document that assessment.
Personal identity numbers in associations and member organizations
Membership lists that include personal identity numbers are common in associations and member organizations. In many cases they are published on the association's website or, for example, in connection with a sports event. Your organization often does have a purpose for processing personal identity numbers; for example, you may receive municipal grants for members of a certain age. Even so, it is worth reviewing how you process personal identity numbers and whether the processing can be justified, since publishing them openly is rarely necessary for that purpose.
Other personal data that needs special handling under the GDPR
Personal identity numbers are not the only personal data that need special handling or deserve extra protection. The same applies to so-called "sensitive data", which the GDPR refers to as special categories of personal data. To learn more about how such data should be handled, take a look at our Swedish blog post on the subject here.
Do you handle personal identity numbers?
We can help you handle personal identity numbers correctly. Do not hesitate to contact us at firstname.lastname@example.org or on 046 – 273 17 17. Do you want to know how we can make your GDPR work easier? Book a demo of GDPR Hero here.