GDPR
Personal identity numbers are subject to special protection
Personal identity numbers are subject to special protection, but they are not classified as sensitive personal data under Article 9 of the GDPR. Please note, however, that the rules on this may differ from one Member State to another.
Consent is usually necessary to process personal identity numbers
In most cases, a company needs to obtain valid consent from the data subject in order to process his or her personal identity number. However, there are exceptions, for example where the processing is necessary for secure identification.
One such case is when an individual calls his or her bank and has to identify himself or herself through a so-called Mobile Bank ID, and the call is recorded while the caller states his or her personal identity number orally to the banker.
Special rules and laws
There may be special rules and laws that allow an actor to process personal identity numbers, even though personal identity numbers are subject to special protection. In such cases, the processing of the personal identity number takes place with a legal obligation as the legal basis, pursuant to Article 6(1)(c) GDPR.
The rules regarding the processing of personal identity numbers may differ depending on the Member State
The countries where GDPR applies may have different rules regarding the processing of personal identity numbers. In Sweden, personal identity numbers are public data. Personal identity numbers appear in public documents such as population registration information, declarations, etc. In short, this means that anyone can request a personal identity number from an authority in Sweden, provided that there is no special secrecy in the individual case. This applies to both personal identity numbers and coordination numbers. However, this is rare among the EU Member States.
In Finland, the rules are quite different: a person who wants access to his or her own personal identity number must even be identified by a specific authority (probably with an ID from another country, since the personal identity number appears on the Finnish ID document). In other words, others in society cannot obtain the personal identity number of another person.
Avoid exposing personal identity numbers or coordination numbers
If personal identity numbers are subject to special protection in the EU country where they are processed, the personal identity number in question must be exposed as little as possible. In other words, a company should not show the personal identity number in, for example, a visible envelope window, the subject line of an email, etc.
Good to do an impact assessment before the processing of personal identity numbers or coordination numbers
As identity numbers are subject to special protection and are also considered to be privacy-sensitive personal data, it may be appropriate to conduct an impact assessment before the processing is carried out.
Can employers process the personal identity numbers of their employees?
The short answer to the question is that it depends on the circumstances. If the processing is justified in relation to the purpose, it is permissible for employers to process the personal identity numbers of their employees. However, it is important to keep in mind not to expose personal identity numbers unnecessarily, as identity numbers are subject to special protection and particularly worthy of protection.
An example of when it may be appropriate to process employees' personal identity numbers is in connection with payroll management.
An example of when it is not appropriate to process employees' personal identity numbers is when the employer prints the personal identity numbers of the employees on duty lists.
It is also good to avoid using the personal identity number as a username in the various systems that employees use in their work, as it is difficult to justify that processing in accordance with the GDPR.
More info about GDPR
Subjective privacy-sensitive data
The GDPR clearly regulates sensitive personal data and personal data relating to criminal convictions and offences. However, the same does not apply to subjectively privacy-sensitive data, which may be more difficult to define in some cases. Examples of subjectively privacy-sensitive data are location data and bank account information. In short, subjectively privacy-sensitive data refers to data that may feel privacy-sensitive to the data subject. In other words, it is about the experience of the data subject. Such data shall be processed with a higher level of security than, for example, names or other ‘ordinary personal data’.