Your national ID number: who may ask, and what leaks cost you

The number that indexes your life — tax, health, banking — is exactly what identity fraud wants. The GDPR lets countries fence it off, and most did: “everyone asks for it” does not mean everyone may.

Whether it is a BSN, NIF, PESEL, codice fiscale, personnummer or AMKA, national identification numbers get their own GDPR clause: Art. 87 lets member states set specific conditions, and most restrict processing to bodies with a legal gate — government, employers (payroll/tax), banks (AML), healthcare and insurers within their statutory lanes. Who typically may NOT demand it: webshops, gyms, hotels beyond what registration law lists, marketplaces “verifying” you, landlords at viewing stage — the ID-copy logic applies squared, because the number is the most reusable single field on the document. When a form demands it, ask “which law requires you to process my national ID number?” — bodies with a real gate answer instantly; everyone else backpedals. Redaction habit: where an ID copy is unavoidable, mask the number unless the recipient is in the legal-gate club; several governments ship official cover apps for exactly this. If your number leaks or is misused: it upgrades everything — breach risk assessments (Art. 34 notification more likely owed), your damages position, and the urgency of the identity-theft flow: fraud alerts at credit registers, document reissue where your national system supports invalidating the compromised number’s document, and a police report as the anchor. Some countries cannot reissue the number itself — which is precisely why the fence around it exists.

🗺️Country differences. Which bodies hold a legal gate, and whether numbers/documents can be reissued after fraud, is national — your DPA’s ID-number page has the country-specific list.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority