DNI and digital certificates for public employees: what does the AEPD say and what does it imply for administrations? 

Facebook Facebook Facebook Facebook Share

Recently, the Spanish Data Protection Agency (AEPD) has issued a sanctioning resolution against the Regional Government of Castilla-La Mancha (exp. EXP202406805) that once again puts the focus on a recurring issue: Is it correct for the ID card of public employees to appear in electronic signatures and signed documents? 

Below, we explain the legal keys and practical impact of this resolution, as well as the current situation of digital certificates such as T-CAT. 

What has the AEPD resolved? 

The resolution analyzes whether it is in accordance with the GDPR that, in documents signed electronically by civil servants, data such as the name, surname and ID of the signatory, accessible to third parties. 

According to the AEPD: 

  • The DNI is a piece of data great sensitivity, as it allows a person to be directly and unequivocally identified and carries high risks such as identity theft. 
  • Its inclusion in signatures or visible marks may represent a excessive data processing

They are potentially violated:

  • el data minimization principle (art. 5.1.c GDPR) 
  • and the beginning of data protection by design and default (art. 25 GDPR) 

For this reason, the AEPD concludes that it would be necessary avoid including the DNI in the visible information of signed documents, opting for less intrusive identification mechanisms. 

It's not a new debate. 

The AEPD had already spoken along the same lines in Report 0088/2020, where it stated that: 

  • The DNI it is not a data that must be included in administrative acts
  • It should not appear in the electronic signature or in the certificates. 

It would be necessary to adapt the regulations and promote alternatives such as:

  • professional identifiers 
  • position or unit information 
  • or even pseudonyms in some cases 

In other words, the AEPD itself points out that the solution lies in a regulatory modification of the digital certification system

What happened in this specific case? 

In the case of Castilla-La Mancha, the AEPD declares an infringement, but does not impose a penalty (as it is a public administration). 

Instead, it requires: 

  • remove the ID card from the properties visible when verifying documents 
  • adapt systems to comply with the principle of minimization 
  • accredit the measures adopted within a period of 6 months 

What is the underlying problem? 

Here is the key point: there is a conflict between data protection regulations and digital certification regulations

  • Law 6/2020, of November 11, 2020, regulating certain aspects of electronic trust services, obliges trust service providers to include the DNI in digital certificates 
  • In addition, the certificate profiles of the General State Administration require that the DNI appear in several fields of the certificate (such as Common Name)  
  • This data is a structural part of the certificate and is necessary for its validation and interoperability 

For this reason, lenders like the AOC cannot be changed unilaterally the content of the certificates without violating current regulations. The AEPD itself admits that the solution requires a legislative amendment, not a technical decision by the lenders. 

And the certificates with pseudonym? 

Although the regulations provide for certificates with professional identifiers or pseudonyms, these: 

  • can only be issued in very specific cases (public safety, classified information, etc.) 
  • are not generally applicable to all public employees 

What practical solutions do public administrations have at their disposal? 

Until the regulations are modified, administrations can apply measures to reduce the visibility of the ID card

1. Do not show the ID in the signature image 

Signature programs allow you to configure what data is displayed. This does not remove the ID from the certificate, but prevents it from appearing visibly in the document. See how avoid the signature image ID

2. Generate authentic electronic copies 

They allow: 

  • hide the ID in both the image and visible properties 
  • replace it with minimum signer data 

These copies have legal validity if they are accompanied by the organization's seal. See how generate a còpia authentic and hide the ID from the image and visible properties:  

3. Use other mechanisms 

Such as electronic seals and secure verification codes (CSV) 

Conclusion 

  • The AEPD considers that showing the DNI in signed documents may violate the GDPR. 
  • The current regulations on certificates requires including it, generating a regulatory conflict. 
  • Trusted service providers like AOC they cannot remove the DNI from certificates
  • The definitive solution is through a state and European regulatory reform
  • Meanwhile, administrations must implement measures to minimization in data visualization and access.
Published in

Subscribe to the AOC newsletter

Receive weekly doses of vitamins to move towards a digital government

Related entries

See all →
  • Registration entities idCAT and T-CAT ·
  • Digital identity
    • ...

Updated requirements for applying for theidCAT Certificate: everything you need to know

The idCAT A certificate is an essential tool for carrying out procedures with the administration in a secure and digital way. The requirements for obtaining it have recently been reviewed and updated, and...
  • Digital certification ·
  • Identity and digital signature

Prepare your 2025 Income Tax withidCAT Certificate

The 2025 Income Tax campaign begins on April 8 and will run until June 30. To file the tax return online, you must have a recognized digital certificate....
  • Digital identity ·
  • Identity and digital signature

Catalans abroad can obtain theidCAT Certificate with video identification

The Government of Catalonia, through the Open Administration of Catalonia (AOC) and with the support of the Departments of the Presidency and of the European Union and Foreign Action, has put...