Basic Standards Required for Protecting Privacy in the Case of Chip Cards

Chip cards are already a firmly established part of everyday life. Some basic standards are required, however, in order to ensure that the use of these cards does not pose a risk to the private domain.

Although the chip cards are issued to the users, they remain part of the issuing organisations' data processing system. These organisations must therefore ensure that technical and organisational measures are taken in order to prevent, for example, any unauthorised access to the data. This protection of access is especially important in the case of multi-function cards which are used jointly by several companies. In such cases it must be ensured that each one of these organisations can access only the data that specifically concerns them.

Since the introduction of chip cards involves certain risks for the private domain, card owners must be informed clearly and transparently about their use as well as about the risks involved and their rights. They must know where they can obtain information about the stored data and how they can request that data be corrected or deleted. It must be ensured that stored data can be read, forwarded to third parties or modified only when those concerned have been informed. They must also know what consequences follow the loss of a card and what they should do in such an event.

The duty of the issuer to delete data as soon as it is no longer required must also be spelled out.

[July 2002]