In exercising its supervisory powers under Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendment to Some Acts, as amended (hereinafter referred to as “Personal Data Protection Act”), the Office for Personal Data Protection very often finds that copies of identity papers and other documents in the possession of natural persons are being made and filed by various persons and bodies. Although a copy in itself is obviously not of equal importance as the original document, the filing of a copy of an identity paper or of a public instrument is qualified as personal data processing under the Personal Data Protection Act. This means it should be carried out, like other types of processing, within the limits set by this law and in accordance with special legal regulations.
Persons that file copies of identity papers or public instruments for administrative purposes often argue they do this to be able to face the pressure of various supervisory bodies. These bodies, when checking whether the alleged facts have been verified by inspecting a valid identity paper, no longer accept as evidence a “mere” entry of the data in the relevant records, but require at least a copy of the document. Also, it is often claimed this copying serves rather to protect the person whose identity papers have been copied and filed, since the responsible clerk can rely on the already existing copies and compare them with the actual papers every time these are submitted again; this may possibly help identify forged documents presented by other persons. However, taking into account, among others, the current technological possibilities of making perfect copies of personal documents and identity papers and the rising rate of crime committed with the aid of forged identity papers, there is a clear need for the adoption of rules whereby the chances of legitimate copying of personal documents and identity papers would be reduced.
The amendments made to Act No. 328/1999 Coll., on Personal Certificates, in the wording of later regulations, and Act No. 329/1999 Coll. on Travel Documents and on Amendment to Act No. 283/1991 Coll., on the Police of the Czech Republic, in the wording of later regulations (Act on Travel Documents) shed some light on the current state of affairs. The amendments were published in the Collection of Laws as No. 559/2004 Coll. as a law amending Act No. 328/1991 Coll., on Personal Certificates, in the wording of later regulations, Act No. 329/1999 Coll., on Travel Documents and on Amendment to Act No. 283/1991 Coll. On the Police of the Czech Republic, in the wording of later regulations, (Act on Travel Documents), in the wording of later regulations, Act No. 200/1990 Coll., on Misdemeanours, in the wording of later regulations and Act No. 326/1999 Coll., on Residence of Foreigners in the Territory of the Czech Republic and Amending Some Acts, in the wording of later regulations which basically insert in the relevant provisions of the above laws clauses prohibiting the copying by any means whatsoever of personal identity cards or travel documents without the consent of the citizen to whom these identity papers or travel documents have been issued, unless a special legal regulation or an international convention binding on the Czech Republic stipulate otherwise.
In case any doubts arise concerning the term “consent”, the prohibiting clauses refer to the relevant provision of Article 5 of the Personal Data Protection Act. The provision of Article 5, last amended by Act No. 439/2004 Coll. and effective as of July 26, 2004, is based, together with the new definition of the data subject’s consent, on the principles of a free, deliberate and informed expression of a natural person’s will – a traditional wording, used also by those provisions of the Civil Code which concern legal acts in general.
The aforementioned legal framework also removes another, secondary problem which the Office for Personal Data Protection had to deal with in considering this issue. The question was whether, before the copying of an identity document with the consent of its holder, the person making the copy should also obtain the consent of third parties whose personal data are contained in the document. The data in question are the so-called “optional” data, i.e. the name, surname and personal identification number of the holder’s spouse or children. To ensure compliance with the Personal Data Protection Act, these data were often erased from the filed copies of identity papers. This will no longer be necessary since the new legal conditions for copying identity papers enable the holder to grant his or her consent to the copying as such, i.e. to the processing of personal data contained therein.
When the newly amended provisions of the Act on Citizen Certificates and the Act on Travel Documentst take effect, on 1 January 2005, making copies of identity papers or travel documents will as a rule be prohibited.
There will be basically two exceptions from the aforementioned rule:
in cases where the citizen – holder of the identity document will grant his or her consent to the copying, and
in cases where copying is required by a special legal regulation or an international convention binding on the Czech Republic, the making and filing of a copy will be permitted.
As regards the conditions under which the holder’s consent is obtained, as has already been said above, the subject who wishes to make a copy of the submitted identity document must persuade the holder of his intentions especially that a filed copy is so much needed and cannot be done without that this kind of personal data processing does not negatively affect the existing level of protection of the data subject’s (holder’s) privacy or the privacy of other persons whose data are also processed in the aforementioned manner. In this respect it should be pointed out that the range of data obligatorily included in identity papers has already been extended by previous amendments to include also the holder’s signature. The situation described above requires direct application of several provisions of the amended Personal Data Protection Act. Above all, it is Article 4, letter n) containing the definition of the “consent of the data subject”. Such consent is to be “a free and informed manifestation of will of the data subject the content of which is his assent to personal data processing”. Furthermore it shall apply the amended version of Article 5 Para. 4 (ex-Para. 5) stipulating the conditions which must be observed when the data subject is giving his or her consent. “When giving his or her consent, the data subject must be provided with the information about what purpose of processing, what personal data, which controller and what period of time the consent is being given for. The controller must be able to prove the consent of data subject to personal data processing during the whole period of processing.” Although the setting of new conditions for copying identity documents is doubtless desirable, these conditions must be considered and interpreted with respect to the whole context of rights and duties of a controller under the Personal Data Protection Act. Notwithstanding the granted consent, it must be ensured that the controllers also observe other data protection principles – legitimacy, proportionality and finality of personal data processing.
If the responsible subject chooses to file copies of identity documents, they automatically become controllers under the Personal Data Protection Act and are obligated to fulfil all duties imposed by the aforementioned Act. The filing of the copies itself is only one of the operations performed by a controller in personal data processing. There are other elements of equal importance:
fulfilment of the notification obligation of the controller towards the Office for Personal Data Protection under Article 16 of the Personal Data Protection Act;
the controller’s information campaign aimed at the data subjects, whose framework is set by Article 5 Para. 4 of the Personal Data Protection Act and which is carried out before the data subject grants his or her consent;
ability of the controller to prove that the consent of the data subject exists.
As for the second group of cases foreseen by the Act on Citizen Certificates and the Act on Travel Documents, i.e. cases in which the making of copies is authorized by a special legal regulation or by an international treaty binding on the Czech Republic, even now an example can be found of a special law providing that the required documentation to be kept on file should also include copies of identity documents. It is Act No. 61/1996 Coll., on Certain Measures AgainstMoney Laundering and on the Amendment of Related Acts, as amended. This law sets special conditions for identification of natural persons (Article 2, Para. 6 to 8) and for storing the collected data, among others also by filing copies of identity papers (Article 3 Para. 2). Under Article 2 Para.7 the one who has performed the identification under Article 6 (Identification on the request of the obligated person) shall annex to the public instrument certifying the facts established by the identification the copies of all relevant documents or parts thereof which have been used in the identification. Under Article 2 Para. 8, after the identification and other acts under Para. 6 and 7 have been performed, the documents used must be deposited with the obligated person. Until that moment the obligated person shall not effect any transaction under the aforementioned Act. Since these provisions concern a comparatively well-defined group of subjects and their activities (Notary Regulation. Act No. 41/1993 Coll., on the Verifying of the Conformity of a Transcript or Copywith a Document and on the Verifying of the Authenticity of Signatures by District and Municipal Authorities and on the Providing of Confirmations by Municipal Bodies and District Authorities, as amended. Decree No. 272/2000 Coll. on the Certification of the Authenticity of Signatures or of the Matching of Duplicates or Copies of Documents with the Ship´s Captain.), it is to be expected that the supervisory bodies will correspondingly increase their requirements as to the conditions in which documentation containing copies of these documents should be stored.
In this respect we must again refer to the relevant provisions of the Personal Data Protection Act, in particular to Article 13 and the following, which set the duties of the controller in arranging the processing of data. In addition to the conditions already stipulated in the earlier wording of the Personal Data Protection Act there is a new paragraph 2 in Article 13, under which “the controller or the processor shall be obliged to develop and to document the technical and organizational measures adopted and implemented to ensure the personal data protection in accordance with the law and other legal regulations”.
Despite the existence of a general legal framework for copying identity documents, there are no indications that the legislators would also be willing to set conditions in a similar manner for copying other instruments or documents of a personal character, e.g. birth, marriage and death certificates etc., as it has been done in the case of personal identity cards and travel documents. So far there are only a few legal provisions, which authorize the copying of certificates of completed education – e.g. in Act No. 18/2004 on the Recognition of Professional Qualifications or Decree No. 333/2004 Coll. on .Professional Qualification in the Phytosanitary Care Sector. In other cases the copying of personal documents must be refused as illegal. Only if the controller proves to the data subject the legitimacy of the request, the copy may analogically be made and filed with the consent of the data subject.
Mode No graphics is currently switched on. Therefore you see the web page with no decorative graphics as well as any advanced formatting. If your browser supports CSS2, you can switch a graphic mode on.