GDPR and Smart Card Data
GDPR implications for smart card systems storing personal data: data minimization, consent, and cross-border considerations.
GDPR and Smart Card Data
The General Data Protection Regulation (EU 2016/679) imposes obligations on any organisation that processes personal data of EU/EEA residents. Smart card deployments routinely process personal data at multiple points: during personalisation, on-card storage, terminal-side transaction logging, and backend database management. GDPR compliance is therefore not optional for European card programmes — it must be designed in from the start.
Personal Data in Smart Card Systems
Smart cards often carry or trigger processing of the following categories:
| Data Type | GDPR Category | Examples |
|---|---|---|
| Identity data | Standard personal data | Name, date of birth, employee ID |
| Biometric data | Special category (Art. 9) | Fingerprint templates on ePassport or biometric access card |
| Financial data | Standard personal data | Account numbers, transaction history |
| Health data | Special category (Art. 9) | Medical card eligibility records |
| Location data | Standard personal data | Transit journey logs derived from card tap events |
| Behavioural data | Standard personal data | Purchase patterns inferred from EMVEMVApplicationGlobal chip payment card standard.Click to view → transaction logs |
Special category data (biometrics, health) requires a specific legal basis under Article 9 — typically explicit consent or the employment/social protection gateway — and demands elevated security measures.
Card Personalisation and Data Minimisation
During card personalisation, data preparation bureaux encode personal data onto the chip's file system (see the Card Personalization Systems Guide). GDPR Article 5(1)(c) requires that only data necessary for the stated purpose be collected and stored. Common personalisation data minimisation steps include:
- Store a reference identifier (e.g., hashed employee number) rather than full name on the chip whenever the terminal can resolve identity from the backend.
- Use derived credentials — the card stores a public key certificate; the backend holds the identity binding.
- Omit optional data fields (e.g., DG7 signature image in ePassports) unless the programme specifically requires them.
- Set retention limits: EEPROM records such as loyalty counters or transit logs should have defined purge conditions.
On-Card Biometric Data
Where the card stores fingerprint templates (e.g., national ID cards or high-security access cards) rather than relying on match-on-server, GDPR Article 9 requires:
- Explicit consent or a specific Article 9(2) gateway (often Article 9(2)(g) for public interest identity schemes).
- Data Protection Impact Assessment (DPIA) under Article 35 — biometric processing is explicitly listed as high-risk.
- Match-on-cardMatch-on-cardBiometricBiometric matching performed inside the smart card chip.Click to view → architecture where possible: keep the template on the chip, never transmit it to a reader. The Secure Element boundary ensures the template cannot be extracted externally.
Match-on-card implementations using a PACE-secured channel (as in modern ePassports) satisfy the technical safeguards requirement.
Data Subject Rights
Card programmes must implement mechanisms to satisfy GDPR data subject rights:
| Right | Implication for Card Systems |
|---|---|
| Access (Art. 15) | Cardholder must be able to obtain all personal data held |
| Rectification (Art. 16) | Process for updating incorrect data on chip and backend |
| Erasure (Art. 17) | Card revocation + backend purge procedure |
| Portability (Art. 20) | Export of transaction history in machine-readable format |
| Objection (Art. 21) | Opt-out path for profiling based on transaction data |
On-chip erasure of EEPROM or Flash memory must be cryptographic (overwrite with random data or destroy the encryption key) rather than logical delete, given that flash storage can retain data after logical deletion.
Data Processor Relationships
Card personalisation bureaux, terminal management providers, and transaction processors typically operate as data processors under Article 28. GDPR requires:
- A written Data Processing Agreement (DPA) for each processor relationship.
- Documented processor security measures — relevant certifications include ISO/IEC 27001 and SSAE 18 SOC 2.
- Notification obligations: processors must inform controllers of breaches within 72 hours (Art. 33).
- Sub-processor approval clauses for fourth-party relationships (e.g., the bureau's own cloud infrastructure provider).
Privacy by Design Checklist
| Control | Implementation |
|---|---|
| Minimise on-card data | Only encode fields strictly needed for terminal use case |
| Encrypt sensitive fields | Use card OS file-level access conditions + SCP03 for OTAOTAPersonalizationRemote card management via mobile network.Click to view → |
| Document retention | Define and enforce EEPROMEEPROMHardwareNon-volatile card memory for data.Click to view → record purge schedules |
| Conduct DPIA | Required before deploying biometric or large-scale monitoring cards |
| Train bureau staff | Personalisation operator access controls and background screening |
| Test erasure procedures | Verify cryptographic erasure before card reuse or recycling |
See the PSD2 SCA Guide for payment-specific GDPR intersections, and the ePassport Technology Guide for biometric data handling in travel documents.
คำถามที่พบบ่อย
Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.