The qualified electronic signature certificate should not reveal the PESEL number
The President of the Personal Data Protection Office has asked the Minister of Digital Affairs to amend the Act on Trust Services and Electronic Identification so that the national identification number, the PESEL number, is no longer made public in qualified electronic signature certificates.
This is another intervention on the matter, but the supervisory authority's demands have so far not brought the expected results.
The problem with the PESEL number was signalled to the President of the Personal Data Protection Office by institutions and organisations that use qualified electronic signatures. The PESEL number is collected by providers of qualified trust services (qualified electronic signature) and then made public, although neither European nor national legislation requires this.
The use of qualified electronic signature certificates is regulated by the eIDAS Regulation (Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC) and by the Act on Trust Services (the Act of 5 September 2016 on Trust Services and Electronic Identification).
In light of the eIDAS Regulation, the identification code in the certificate should be based on a number from a public register that unambiguously identifies the person using the qualified electronic signature. In the view of the Personal Data Protection Office, this does not have to be the PESEL number; another identifier would do. The PESEL number is a unique datum assigned to a citizen for their individual dealings with the state. It not only uniquely identifies a natural person but also lets anyone who sees it derive further information about that person, such as their gender or age, because the number itself encodes the date of birth and a sex digit.
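The following Python is an added illustration of the point above; it is not part of the original notice and not code from the Personal Data Protection Office or any trust service provider. It assumes the layout that ETSI EN 319 412-1 gives the subject serialNumber attribute of a qualified certificate (a three-letter identity type such as "PNO" for a national personal number, a two-letter country code, a hyphen and the value, e.g. "PNOPL-<PESEL>"), and it shows what anyone holding such a certificate can recover from the PESEL alone: date of birth, sex and age. The sample numbers are constructed with valid check digits and belong to no real person; the reference date is fixed so the result is reproducible.

```python
import re
from datetime import date

# Semantics identifier carried in the subject serialNumber attribute (OID 2.5.4.5)
# of eIDAS qualified certificates per ETSI EN 319 412-1: a 3-letter identity type
# ("PNO" = national personal number), a 2-letter country code, a hyphen, the value.
_SEMANTICS_ID = re.compile(r"^(?P<type>[A-Z]{3})(?P<country>[A-Z]{2})-(?P<value>.+)$")

# The PESEL month field carries the century as an offset added to the month.
_CENTURY_BY_OFFSET = {80: 1800, 0: 1900, 20: 2000, 40: 2100, 60: 2200}

# Weights applied to the first ten digits when computing the PESEL check digit.
_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

# Fixed reference date for the sample run (an assumption, so ages are reproducible).
SAMPLE_TODAY = date(2024, 6, 1)


def pesel_checksum_ok(pesel: str) -> bool:
    """True if pesel is exactly 11 digits and its check digit is consistent."""
    if not re.fullmatch(r"\d{11}", pesel):
        return False
    digits = [int(c) for c in pesel]
    total = sum(d * w for d, w in zip(digits[:10], _WEIGHTS))
    return (10 - total % 10) % 10 == digits[10]


def decode_pesel(pesel: str, today: date) -> dict:
    """Derive birth date, sex and age from a PESEL number.

    Raises ValueError when the number fails the checksum or encodes an impossible date.
    """
    if not pesel_checksum_ok(pesel):
        raise ValueError("PESEL failed format or checksum validation")
    yy, mm, dd = int(pesel[0:2]), int(pesel[2:4]), int(pesel[4:6])
    offset = (mm // 20) * 20  # 0, 20, 40, 60 or 80 selects the century
    if offset not in _CENTURY_BY_OFFSET:
        raise ValueError("PESEL month field out of range")
    # date() itself rejects month 0, months 13..19 and impossible days.
    birth = date(_CENTURY_BY_OFFSET[offset] + yy, mm - offset, dd)
    # The tenth digit is odd for men and even for women.
    sex = "male" if int(pesel[9]) % 2 == 1 else "female"
    age = today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))
    return {"birth_date": birth, "sex": sex, "age": age}


def inspect_subject_serial_number(serial_number: str, today: date) -> dict:
    """Classify a subject serialNumber value and decode it when it is a Polish PESEL."""
    m = _SEMANTICS_ID.match(serial_number)
    if not m:
        return {"scheme": None, "country": None, "personal_data": None}
    result = {"scheme": m["type"], "country": m["country"], "personal_data": None}
    if m["type"] == "PNO" and m["country"] == "PL" and pesel_checksum_ok(m["value"]):
        result["personal_data"] = decode_pesel(m["value"], today)
    return result


if __name__ == "__main__":
    # Constructed sample values with valid check digits; they identify no real person.
    for sn in ("PNOPL-85031412347", "PNOPL-03310545676", "TINPL-1234567890"):
        print(sn, "->", inspect_subject_serial_number(sn, SAMPLE_TODAY))
```

Run against a real certificate, the input would be the subject serialNumber read from the signer's certificate embedded in the signed document, which every recipient and every verification tool sees; the point the decoder makes is that a checksum-valid PESEL in that field hands over birth date and sex to all of them, whereas a tax identification number (the "TIN" case above) or another registry identifier does not.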
The law imposes no obligation to disclose the PESEL number in an electronically signed document. Article 6(1)(c) of the GDPR, one of the grounds that make processing lawful, covers processing that is necessary for compliance with a legal obligation to which the controller is subject. Therefore, while it is justified to use the PESEL number to verify the identity of a person applying for a qualified electronic signature certificate, it is highly doubtful whether this datum may be disclosed to everyone else who gains access to the content of the signature.