Article 87 of the GDPR: Processing of the national identification number

Article 87 of the GDPR allows Member States to define specific conditions in which one national identification number can be used, while respecting the principles of the regulations.

Article 87 of the GDPR explained

According to this article:

The processing of a national identification number (e.g. social security number, identity card) is authorized if governed by national law;
Member States may set additional guarantees (retention period, purpose, limited access);
This data must always be processed fairly, lawfully, proportionately and securely.

Why is this article important for your GDPR compliance?

It concerns the processing of particularly sensitive data, often used for formal identification of people. Poor management of these identifiers can lead to serious privacy breaches and significant penalties.

How to comply with Article 87 of the GDPR?

Check the national provisions governing the use of identification numbers (e.g. labor code, social security);
Use these numbers only when they are strictly necessary for the intended purpose;
Limit access to this data to authorized persons only;
Encrypt and technically secure the databases containing this information.

Examples of application of Article 87 of the GDPR

A French company uses the NIR (social security number) only for URSSAF social declarations;
An administration encrypts files containing identity card numbers;
A bank collects a tax identifier to fulfill its regulatory obligations, with restricted access.