The national identification number (PESEL) does not need to be publicly disclosed
The Personal Data Protection Office seeks to ensure that the PESEL – the national identification number - is not revealed in the electronic signature certificate or used as an identifier in digital services. Therefore the Polish SA proposes that the Ministry of Digital Affairs should limit the publicity of PESEL while working on further regulations to counteract identity theft.
The representatives of the Personal Data Protection Office met with the officials of the Ministry of Digital Affairs to discuss the use of the PESEL number as part of the electronic signature certificate and an identifier in the electronic communication means. The meeting was held in connection with the President of the Personal Data Protection Office’s request of 14 June 2019 to the Ministry of Digital Affairs regarding the disclosure of the PESEL number in the certificate of qualified electronic signature.
For many years, the Personal Data Protection Office has been addressing the problem of disclosing a PESEL number in an electronic signature certificate. Recent changes to the Act on Identity Card - which provide for the disclosure of a PESEL number in a personal signature certificate - raise concerns of the Polish Supervisory Authority, which was signalled during the work on this amendment. The President of the Personal Data Protection Office receives many signals about the threat to the privacy of people using a qualified electronic signature. This problem was recently raised by the Ombudsman and the judiciary which took action through the Appeal Court in Wrocław to limit the disclosure of the PESEL number of court employees signing electronic protocols from the course of the court session.
The purpose of the meeting initiated by the Personal Data Protection Office was to discuss the relation of requirements which a qualified electronic signature should meet pursuant to eIDAS, in the context of Art. 87 of the GDPR, according to which Member States may determine specific conditions for the processing of a national identification number, which is the PESEL number.
The discussion on the specificity of identifiers used in certificates of qualified electronic signatures concerned the possibility of using other identifiers instead of the PESEL number, such as the tax identification number (NIP) number, identity card number or passport number.
Experts of the Personal Data Protection Office pointed out that the ongoing works at the Ministry of Digital Affairs on reducing identity theft should relate to the limitation of PESEL number disclosure in qualified electronic signature certificate and public records, because the disclosure of this number allows for identity theft.
Representatives of both institutions declared their will to cooperate in further activities at the inter-ministerial level in order to develop a comprehensive solution limiting the disclosure of the PESEL number. A particular concern of the Personal Data Protection Office will be the full implementation of Art. 87 of the GDPR to the Polish legal order and the subsequent increase in the PESEL number’s protection.
 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)