Under article 87 regulation (EU) 2016/679 General Data Protection Regulation GDPR, member declares may define the precise conditions for the digesting of a nationwide identification number or even any identifier of general program. As talked about below, France has produced an interesting application of the rule regarding, specifically, the social security quantity.
French Method Toward Social Security Amounts
Within France, the number known as “NIR” (which means “numéro d’indentificaiton nationale” or “interpersonal security number”) offers always required particular treatment and protection since it is the only special identifier for every individual and is linked with personal data including sex and time of birth. The NIR can be utilized for identification theft while at exactly the same time, end up being used being an error-totally free ID reference, for the intended purpose of combining data from different sources at an extremely large scale.
Therefore, France provides provided for specific guidelines with regards to its use.
Decree of April 2019
Article 30 of the French Data Protection Act requires that digesting activities involving the usage of the social security number will be established by decree of the Council of Condition, including the types of controllers and the permitted reasons.
On April 19, 2019, the French government adopted Decree number 2019-3014, which identifies controllers and the permitted purposes of processing. Such make use of is definitely permitted in the areas of:
- Social security
- Employment within the private and community sectors
- Finance, including taxes and customs
- Public stats and census
- The care of sufferers of nuclear tests
For many of these classes, the relevant controllers are usually general public bodies, agencies, associations, money, authorities, ministries, judges, etc. The decree describes at length the permitted used in each of these areas with a mention of one or several laws and regulations that impose the usage of the social protection number such context.
HR Digesting in the Private Industry Under the Decree
Processing activities which may be performed simply by companies in the private field are limited to:
- Execution of the new program of withholding of revenue tax
- HR management caused by legal or even regulatory provisions and collective agreements within so far as they relate with filings, contribution calculations and transaction to organizations
- Execution of the “individual activity account” (in French “compte employees d’activité”) (CPA), which includes various uses defined for legal reasons and is private to each worker
Within each case, use is fixed to the utilizes of the social security amount when so when imposed by applicable regulation.
- Authorized agents of personal companies and occupational and preventive physicians might process the interpersonal security number regarding the work-related incidents and for recording mishaps at the job and occupational illness, when so when imposed by relevant law
- French lawyers might use the social security quantity for the administration of certain courtroom proceedings to the level strictly necessary
The implementation of the processing routines as set out for legal reasons can be without prejudice to another obligations on the controllers or their processors pursuant to Section 3 of Chapter IV of the GDPR.
Other Processing Routines INCLUDED IN the French Information Protection Act
The French Data Protection Act offers specific rules for various types of processing activities that could involve the usage of the social security number, namely:
- Digesting of personal data within the “health industry,” that is governed by way of a specific portion of the French Data Safety Act
- Make use of of the social safety number since identifier to gain access to electronic providers provided to customers by French management
- Processing relating to the social security amount used as a wellness identifier for people under Content L. 1111-8-1 of the general public Health Code, because of their care for health insurance and medico-social purposes
- Scientific or traditional research purposes
- In reaction to a health crisis
- Public statistics which are implemented by the general public statistical service , nor include any sensitive information (content 9 GDPR) or information associated with criminal convictions, offenses or associated security measures (article 10 GDPR)
There is really a legitimate concern to safeguard individuals contrary to the misuse of the national identification number. Because of this, in some countries, which includes France, the regulation imposes serious restrictions. This is among the locations where the demand harmonization by GDPR can’t be achieved and the business may need to review their procedures.