In several recent decisions, the Data Protection Authority has recalled that the National Register number is a data type which is subject to strict rules, both for the consultation of the National Register database, and even for the “mere” use of the National Register number as such.
In Belgium, the national register number is accorded special protection. Indeed, the processing of the national register number is, in principle, prohibited. The Act of 8 August 1983 organising a National Register of Natural Persons determines the conditions under which the national register number may be used.
Pursuant to Article 8 of this Act, authorisation must be obtained from the Sector Committee of the National Register (part of the Data Protection Authority) or from the National Register Service of the FPS Internal Affairs.
However, such authorisation is not necessary when the National Register number is used exclusively for the purpose of identifying and authenticating a natural person in the context of an IT application offered by certain bodies or institutions specifically referred to in the law, such as the NSSO (e.g., in the context of DIMONA obligations). However, it is then prohibited to use the National Register number for other purposes at a later date.
Such use would be contrary to both the obligations arising from the aforementioned law and the obligations arising from the GDPR, and in particular the principles of lawfulness and data minimisation.
According to these two principles, the data controller should have a legal basis for each processing of personal data and should limit the amount of personal data collected to what is strictly necessary in relation to the purpose pursued.
In two cases recently submitted to the Data Protection Authority for assessment, the Authority issued a reprimand to the data controllers concerned for failing to comply with these principles (Decision No 48/2021 of 8 April 2021 and Decision No 54/2021 of 22 April 2021).
The first of these two decisions concerned a notary who, as the former employer of a female employee, had consulted the National Register (to which he had access by virtue of his profession, benefiting from a special authorisation in this respect) to check the address of the employee in order to issue her with the eco vouchers still due to her following the termination of her employment contract. The Data Protection Authority notes, in particular, that the authorisation of a notary to access the National Register database is granted only for the performance of tasks falling within his competence, and that the legally regulated access to the National Register cannot be diverted from its purpose.
The second decision involved a child benefit fund (which also has a special authorisation to consult the National Register) which, in order to determine the amount of child benefits for one of its members, consulted the member’s data in the National Register. By doing so, the fund had access to data relating to the composition of the household and the member’s history, thereby gaining knowledge of the personal data of individuals who had been part of the member’s household, including his father, the complainant. The Data Protection Authority considered that in this case, the consultation went beyond what was strictly necessary, noting that the consultation of the entire history of its member without any time limit (and therefore since his birth) was disproportionate to be able to comply with its legal obligations, and to determine the amount of child benefits due to its member at a specific time. In this case, the Data Protection Authority also recalled that it is not competent to rule on the possible compensation of damage caused to the complainant , even in the event of established breaches.
In a third case relating to a rent dispute, the landlord’s lawyer (who also has a special authorisation to consult the National Register by virtue of his profession) had produced an extract from the tenant’s National Register in the context of the legal proceedings, although the information contained therein was not useful for that purpose. The Data Protection Authority therefore noted that, although the question of the relevance of the personal data thus communicated was questionable and it was the lawyer’s responsibility to produce only strictly necessary data, the complainant had been able to oppose against the production of this document before the Justice of the Peace and request its removal. Since the Justice of the Peace had in the meantime issued his decision, taking into account the disputed document, the Data Protection Authority noted that it did not have the competence to overturn this decision and therefore concluded that the case should therefore be closed without further action, particularly because it could not interfere with a judicial decision falling outside its jurisdiction (Decision No 51/2021 of 15 April 2021).
However, it should be noted that in an earlier decision (Decision No 06/2019 of 17 September 2019), the Data Protection Authority decided to impose an administrative fine of EUR 10,000 on a trader who offered as the only means of creating a loyalty card the reading of the electronic identity card, implying, therefore, the gaining access to, inter alia, the National Register number. The dissatisfied trader then appealed to the Market Court, which overruled the decision by a ruling of 19 February 2020 (No 2019/AR/1600), on the grounds that the penalty imposed was not sufficiently motivated. However, the Data Protection Authority has announced that it has filed an appeal with the Supreme Court against the decision of the Market Court, stating that if a similar case were to arise again, it would give different reasons for its decision (while maintaining the finding of a breach).
The employer may only use the National Register number of its employees under strict conditions, as laid down in the NR Act. This is, for example, the case for his obligations towards the NSSO. If allowed, this use must then be carried out in compliance with the principles developed under the GDPR.
Therefore, the use of an employee’s National Register number for purposes other than those legally permitted (in the framework of the exceptions to the prohibition of processing), for example, to identify employees internally (as a “service” number) or by including it in evaluation documents, is – in our opinion - contrary to both the Act organising a National Register of Natural Persons and the GDPR.