Under article 87 regulation (EU) 2016/679 General Data Protection Regulation GDPR, member states may define the specific conditions for the processing of a national identification number or any other identifier of general application. As discussed below, France has made an interesting application of this rule regarding, in particular, the social security number. 

French Approach Toward Social Security Numbers

In France, the number referred to as “NIR” (which stands for “numéro d’indentificaiton nationale” or “social security number”) has always required particular care and protection as it is the only unique identifier for each individual and is tied to personal data including gender and date of birth. The NIR may be used for identity theft while at the same time, be used as an error-free ID reference, for the purpose of combining data from various sources at a very large scale.

Therefore, France has provided for specific rules in relation to its use.

Decree of April 2019

Article 30 of the French Data Protection Act requires that processing activities involving the use of the social security number will be set by decree of the Council of State, including the categories of controllers and the permitted purposes.

On April 19, 2019, the French government adopted Decree number 2019-3014, which identifies controllers and the permitted purposes of processing. Such use is permitted in the fields of:

• Social protection

• Health

• Employment in the private and public sectors

• Finance, including tax and customs

• Justice

• Public statistics and census

• Education

• Housing

• The care of victims of nuclear tests

For most of these categories, the relevant controllers are public bodies, agencies, associations, funds, authorities, ministries, judges, etc. The decree describes in detail the permitted use in each of these fields with a reference to one or several laws that impose the use of the social security number in such context.

HR Processing in the Private Sector Under the Decree

Processing activities that may be performed by employers in the private sector are restricted to:

• Payroll

• Implementation of the new system of withholding of income tax

• HR management resulting from legal or regulatory provisions and collective agreements in as far as they relate to filings, contribution calculations and payment to organizations

• Implementation of the “personal activity account” (in French “compte personnel d’activité”) (CPA), which has various uses defined by law and is personal to each employee

In each case, usage is restricted to the uses of a social security number when and as imposed by applicable law.

In addition:

• Authorized agents of private employers and occupational and preventive physicians may process the social security number in connection with work-related accidents and for recording accidents at work and occupational illness, when and as imposed by applicable law

• French lawyers may use the social security number for the management of certain court proceedings to the extent strictly necessary

The implementation of the processing activities as set out by law is without prejudice to the other obligations on the controllers or their processors pursuant to Section 3 of Chapter IV of the GDPR.

Other Processing Activities Covered By the French Data Protection Act

The French Data Protection Act provides for specific rules for different categories of processing activities that may involve the use of the social security number, namely:

• Processing of personal data in the “health sector,” which is governed by a specific section of the French Data Protection Act

• Use of the social security number as identifier to access electronic services provided to users by French administration

• Processing involving the social security number used as a health identifier for persons under Article L. 1111-8-1 of the Public Health Code, for their care for health and medico-social purposes

• Scientific or historical research purposes

• In response to a health emergency

• Public statistics that are implemented by the public statistical service and do not include any sensitive data (article 9 GDPR) or data relating to criminal convictions, offenses or related security measures (article 10 GDPR)

Key Takeaway

There is a legitimate concern to protect individuals against the misuse of the national identification number. As a result, in some countries, including France, the regulation imposes severe restrictions. This is one of the areas where the call for harmonization by GDPR cannot be achieved and the organization may have to review their practices.