The recent period has witnessed spreading issuance of electronic (chip) cards, by various institutions and in many areas of everyday life, that enable e.g. enjoyment of discounts, entry of buildings or use of various services. Collection of personal data occurs practically in all instances of production of these cards. In response to these facts, the Office for Personal Data Protection has decided to publish its below position, expressing the core of the Office’s approach to the issues.
Several types of electronic cards are issued currently. The simplest one is so-called white chip card, often erroneously referred to as anonymous. Anonymity of such card, however, consists in the fact that no visible identification data of the card holder (first name, family name, photograph…) are set out on it. In terms of the Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendment to Some Acts, as amended (hereinafter “the Personal Data Protection Act”), anonymity of the card holder could be accepted only providing that the card enables its holder access into a building, to an information system (or, use of a service), while not permitting the holder’s unambiguous identification at such use. Hence, the system would, instead of identifying the holder, check only for the level of access rights provided by the card to its holder, i.e. no personal data would be processed in connection with a use of the card within the meaning of Article 4(a) and (e) of the Personal Data Protection Act. In fact, however, majority of the white cards are personalised. That means they authorise use of specific services only for a specified user (such as issuance of lunch meals, retrospective checks of the authorisation to enter etc. The system is then able to monitor activities of the white card holder in the same manner as those of a holder of any other card. This would certainly satisfy the provision of Article 4(e) according to which processing of personal data shall mean any operation or set of operations that is systematically executed by the controller or a processor in relation to personal data by automatic or other means, and therefore processing of personal data does occur.
Another card type includes single purpose personalised cards, such as client, benefit or subscription cards. Upon issuance of these cards, personal data are also processed as the cards are dedicated to a specific user who is unambiguously identified in the card - most frequently by his or her first name, family name, or sometimes photograph.
The last, currently the most widespread type of electronic cards includes multifunctional cards, enabling use of multiple types of services provided by multiple entities.
In terms of personal data processing relating to a provided product (service), a card represents an outward means with reference to various defined purposes. What is important is personal data processing (a database) in relation to which the card has been issued and, in particular, the purpose of such processing, not the card itself. In most instances, cards serve as a tool of performance of a service, i.e. they are a medium chosen for the purposes of completion of a contract (a service contract) entered into by the service provider and data subject. Issuance of a card and personal data processing is therefore an expression of a contractual relationship entered into on the initiative of the data subject (lodging an application for the card issuance) to which an exception provided by Article 5(2)(b) of the Personal Data Protection Act applies. According to that provision, the controller may process the personal data without the data subject’s consent if the processing is essential for fulfilment of a contract to which the data subject is a contracting party or for negotiations on conclusion or alteration of a contract negotiated on the proposal of the data subject. The foregoing therefore constitutes an acceptation of a product offer, with specified parameters.
In case an optional solution exists, i.e. an option to use the product also without a chip card, personal data processing will be possible without any formal consent of the data subject since, by having chosen the product, the client has acceded to the terms set by the service provider. In case the product provision is strictly preconditioned by the card holding requirement, it is essential to distinguish data processing for various purposes.
The above applies to processing of information necessarily required for a card to be issued and contract to be performed, i.e. there is the option of processing without consent. Where data to be processed go above the threshold of processing essential for fulfilment of a contract (recording of information such as from where an to which destination the data subject travels, at what times he or she goes to lunch etc.), the position of the Office for Personal data protection is that consent of data subject is essential. However, even where such consent has been obtained, the principle of privacy and personal life protection defining the threshold of the personal data processing scope must be respected.
Considering the fact that the offered product (service) can be used only in conjunction with the card, and, if the scope of the processed data is obviously inadequate to the defined purpose, freedom of such given consent may be contested. It is however exactly freedom, in terms of Article 4(n) of the Personal Data Protection Act, that constitutes an indispensable attribute of the described act. Consent must be informed, too, as required by Article 5(4) of the Personal Data Protection Act, according to which, when giving his consent the data subject must be provided with the information about what purpose of processing, what personal data, which controller and what period of time the consent is being given for.
Informing the data subject, however, is not tied solely to the act of consent. It may be necessary to provide data subject with information also in the cases where the Personal Data Protection Act allows processing without consent. This obligation is provided by Article 11 of the Personal Data Protection Act. Compliance with the information duty towards the data subjects (card users) gains particular importance in the cases where the actual environment in practice “gives no other choice” to the natural persons but to acquire a card and use it within the actual system or community they live in.
Relating to issuance and subsequent use of cards, an extensive database is created or may be created in an overwhelming number of cases. Such database may include, in addition to the identification data required for the card issuance, also information on use of separate services provided by the card, obtained through information systems involved in the respective project. The system is then able to store all information, as enabled by the relevant technology, on the card holder's activities, such as information when or how often the card holder (a pupil or student) attends the lessons and goes to lunch while at school, when or how often the card holder moves around a certain building (not just, say, a school building but also e.g. a student dormitory, library etc.) - the system therefore enables an option of keeping highly demonstrable records of the school attendance etc.
Collection of personal data that occurs in relation to issuance of cards, or, based on collection of additional information connected to use of the card and subsequent processing of such information is indisputably subject to application of the Personal Data Protection Act. In view of that, attention should be paid to the below groups of issues.
In the first place, basic relations in the processing of personal data should be made clear, i.e. who is the controller and who processor within the meaning of Article 4(j) and (k) of the Personal Data Protection Act. This step will be more complicated with "multifunctional" cards. A clear determination is required whether the card issuer coincides with the controller and whether owners of individual applications or functions of the card and of information technology systems involved in the project are processors, or, if all of the participants have the “controller to controller” relationship, i.e. if a single (multifunctional) card is going to have, in terms of the Personal Data Protection Act, several controllers of the personal data processed while the card is used by its holder.
A setup of mutual relationships between the card issuer and other participating parties is at their sole discretion, so it cannot be envisaged, recommended or even regulated who should hold the controller or processor status. It is true in most cases that the card issuer is the controller. Separate participants involved in the system may be in the processor position, or, all participants may have the controller to controller status, and, it is even possible for the card issuer to have the controller status and at the same time that of the processor towards the other entities - independent controllers.
If a processor appears in a relationship, a processor contract must be concluded between the controller and processor as provided by Article 6 of the Personal Data Protection Act. Such contract must be made in writing and shall in particular explicitly stipulate the scope, purpose and period of time for which it is concluded. The contract shall further contain guaranties by the processor related to the technical and organisational securing of the protection of personal data.
Furthermore, any personal data processed using the applications must be secured in the manner guaranteeing that information contained within separate applications may be accessed solely by its controllers, while each controller will be enabled access only to its own application. It is entirely inadmissible to make the data fully accessible to all of the controllers whose application is present in the card or to even grouping the data in any manner. The access setups must correspond to the mutual relationships setups at all times, guaranteeing compliance with all provisions of the Personal Data Protection Act, in this case particularly compliance with Article 13. The controller or, processor shall also make sure that the card manufacturer, upon completion of works, has liquidated all information provided to it and has terminated processing by doing so.
Correct determination of statuses of separate project participants is a starting point for complying with the other obligations provided by the Personal Data Protection Act. In most of the cases, personal data processing upon issuance of cards is subject to the notification obligation provided by Article 16 of the Personal Data Protection Act and the personal data controller must comply with it. The controller will not be required to comply with the notification obligation only in the instances when any of the exceptions provided by Article 18(1) of the Personal Data Protection Act may be applied to the processing performed by it (e.g. if an employer issues cards to its employees in order to monitor their work attendance. The employer is complying with a legal requirement by that, while the card is merely a vehicle chosen for legal processing).
It is obvious from the above that, in most cases, electronic cards are just a vehicle or tool serving to processing personal data in connection with provision of services. In the event any personal data is processed in connection with the service, persons (entities) offering such technical means to their clients (customers) shall bear in mind that this involves personal data processing which is wholly subjected to the Personal Data Protection Act regime. They must be further aware of the fact that duties arise for them from that. This may involve, in particular instances, obtaining of consent to personal data processing. It needs to be kept in mind that the information duty shall apply to such persons in any case and that all other statutory obligations of the controller, or, processors must be obviously respected, in particular obligations provided by Article 5(1) and (2) of the Personal Data Protection Act.
Note: The above document is available at the web pages of the Office for Personal Data Protection at http://www.uoou.cz/uoou.aspx?menu=22&lang=en
Mode No graphics is currently switched on. Therefore you see the web page with no decorative graphics as well as any advanced formatting. If your browser supports CSS2, you can switch a graphic mode on.