The Romanian personal identification number (“cod numeric personal” in the Romanian language) is a unique and general identifier that is assigned to each individual at birth and appears on most personal documents, including birth certificates and identity cards. The number remains unchanged throughout an individual’s life.
Romania’s law implementing the General Data Protection Regulation imposes additional conditions and safeguards for processing personal identification numbers when the processing is based on the legitimate interests of the data controller. Under these circumstances, when processing personal identification numbers for a legitimate interest, controllers need to comply with the following requirements: (i) appropriate technical and organisational measures must be implemented in order to comply with the data minimization principle and to ensure the confidentiality and security of the personal data; (ii) a data protection officer must be appointed (this obligation exceeds the similar obligation imposed by the GDPR, so that data controllers processing personal identification numbers based on a legitimate interest must appoint data protection officers even when the GDPR does not require them to do so); (iii) specific storage periods must be established in accordance with the kind of personal data to be processed and the purpose of the data processing, and specific timelines for data deletion must be implemented; and (iv) periodic trainings for the personnel responsible for data processing must be organized in order to raise awareness regarding the obligations laid down by the GDPR.
These requirements will apply not only to the processing of personal identification numbers but also to the series and numbers of identity cards, passport numbers, driver’s license numbers, social security numbers, and any other identification numbers of general application. Nevertheless, our focus is on the personal identification numbers, as they are processed on a large scale by Romanian data controllers.
In practice, almost every Romanian entity, including public authorities and institutions, uses the personal identification number to verify the identity of natural persons. In addition, the vast majority of Romanian controllers from the private sector process the personal identification numbers of their employees and clients in different contexts, including by publishing or distributing documents containing them.
Romanian data controllers process the personal identification numbers of clients with tremendous ease, most commonly in order to: (i) identify and distinguish between clients who have similar or identical names, addresses, and services; and (ii) verify client payment histories. These types of processing will in most circumstances be based on the data controller’s legitimate interest.
Still, in this context as in all others, almost all Romanian data controllers will need to carry out a legitimate interest assessment and to implement the aforementioned conditions and safeguards when processing personal identification numbers.
After carrying out the legitimate interest assessment, if the interest of the controller is overridden by the interests and fundamental rights and freedoms of the data subject or if the appropriate measures and safeguards cannot be implemented, the data processing will be considered unlawful and the data controller will need to find a different legal ground in order to be GDPR-compliant.
From our point of view, the personal identification number – like any other national identification number – should be processed only when it is strictly necessary (for example, in order to enter into a contract or to bring a legal claim against the data subject) and not just as a matter of business opportunity.
Taking into account the large-scale processing of personal identification numbers in Romania and controllers’ habit of using the numbers to simplify their commercial operations, compliance with the GDPR’s requirements should be carefully ensured by assessing the legal ground used for data processing.
To sum up, it is highly likely that Romania’s legal provisions implementing the GDPR will force Romanian data controllers to rethink the common practice of processing personal identification numbers and to find alternatives for processing data in a manner that does not disrupt their businesses while remaining GDPR-compliant.
By Daniel Alexie, Co-Head of IP & Data Protection, and Diana Borcean, Associate, MPR Partners | Maravela, Popescu & Roman
This Article was originally published in Issue 6.5 of the CEE Legal Matters Magazine.