08/11/19

The use of (electronic) identity cards.

What you need to know.

(Electronic) identity cards are an easy means to identify people. However, their use is not without risk.

In Belgium, the use of a unique national registry number that appears on electronic identity cards is prohibited by law. Companies can obtain authorisation to use national registration numbers, but only if they are entrusted with a task in the public interest. Employers are also legally authorised to use the national register number of their employees, but only in their dealings with the social security institutions. For any use outside of these (narrowly interpretable) exceptions, companies risk criminal sanctions.

In a recent decision, the Belgian data protection authority fined a trader who required the use of the customer's electronic identity card for the creation of a loyalty card. An electronic identity card contains more information (e.g. a photo) than is strictly necessary for the set-up of a loyalty card. According to the authority, this practice therefore does not comply with the principle of data minimisation (see GDPR toolkit 04). Moreover, as no alternative was offered to customers, the consent to use their electronic identity card could not be considered freely given. If the customer refuses, he or she cannot benefit from the advantages of the loyalty card. According to the authority, there was therefore no valid legal basis for such a request (see GDPR toolkit 03).


What you need to do.

It is best for companies to keep the use of (electronic) identity cards to a minimum.

In your relationship with employees, you can, of course, always ask for a copy of the electronic identity card. However, you should only use this card within the context of your social security obligations.

In your relationship with customers, it is better not to use (electronic) identity cards, in particular not for the creation of a loyalty card.

If a data subject requests access to his or her personal data or makes another request to your company (see GDPR toolkit 08), it is recommended to use other means of identification (e.g. customer number, login details). If you request a copy of the electronic identity card, ask the data subject to copy only the front of the card or to score out his/her national registration number.


Authors: 

Anouk Focquet
anouk.focquet@contrast-law.be

Eline Declerck
eline.declerck@contrast-law.be

contrast
From Open Banking to Open Finance: FIDA -Exploring the EU Financial Data Access Framework
From Open Banking to Open Finance: FIDA -Exploring the EU Financial Data Access Framework
Lydian Webinar Marketing and GDPR in the New Decade
Lydian Webinar Marketing and GDPR in the New Decade
Key Trends in UK Competition Law Enforcement
Key Trends in UK Competition Law Enforcement
dotted_texture