
GDPR Compliance Across EU Member States: Which National Identifiers Your PII Tool Is Missing

Germany's Steueridentifikationsnummer, France's Numéro fiscal, Italy's Codice Fiscale, Spain's NIF/NIE — US-focused PII tools detect SSNs but miss most European national identifiers. Here's what multinational teams need to configure.

March 5, 2026 · 7 min read
Tags: EU national identifiers, Steueridentifikationsnummer, Codice Fiscale, NIF, multinational GDPR, tax ID detection


Tax identification numbers are among the most sensitive personal identifiers in any jurisdiction. They're used for tax reporting, government benefits, employment verification, and financial account opening. In the wrong hands, they enable identity theft, fraud, and unauthorized benefit claims.

GDPR categorizes them as regular personal data (not special category), but their sensitivity is high and their exposure creates significant real-world risk. Every EU member state has its own national identifier format — and most PII tools built for the US or UK market detect SSNs and NINOs fluently while completely missing the Steueridentifikationsnummer, Codice Fiscale, and BSN that European organizations process daily.

The European Tax ID Landscape

Each EU member state implements national identification differently:

Germany: Steueridentifikationsnummer (Steuer-ID)

  • 11 digits, assigned at birth
  • Format: non-zero first digit, no leading zeros in the 10-digit portion
  • Example: 12345678901
  • Also: Steuernummer (varies by state: 10-11 digits with state-specific formats)

France: Numéro fiscal de référence (SPI)

  • 13 digits
  • Issued by the tax administration (DGFiP)
  • Often appears as "Identifiant fiscal" on tax documents

Italy: Codice Fiscale

  • 16 alphanumeric characters
  • Structure: 3 letters (surname) + 3 letters (given name) + 2 digits (year of birth) + 1 letter (month) + 2 digits (day) + 4 alphanumeric (municipality code)
  • Example: RSSMRA85M01H501Z
  • High-specificity format, verifiable by checksum

Spain: NIF (Número de Identificación Fiscal)

  • For Spanish nationals: DNI number + check letter (8 digits + letter), e.g., 12345678A
  • For foreigners: NIE (X/Y/Z + 7 digits + letter), e.g., X1234567A
  • For entities: CIF (letter + 8 digits), e.g., B12345678

Netherlands: BSN (Burgerservicenummer)

  • 9 digits with check digit validation (11-proef algorithm)
  • Used for all government services and often appears in employment and benefits documents

Poland: PESEL

  • 11 digits encoding date of birth, gender, and sequence number
  • Format: YYMMDDXXXXX (date of birth encoded in first 6 digits)

Belgium: Numéro de registre national (RN)

  • 11 digits encoding date of birth, sequence, and check digits

Portugal: NIF (Número de Identificação Fiscal)

  • 9 digits with check digit
  • Format differs from Spain's NIF despite same abbreviation

Sweden: Personnummer

  • 10 or 12 digits encoding date of birth and sequence
  • Format: YYYYMMDD-XXXX or YYMMDD-XXXX

Finland: Henkilötunnus (HETU)

  • 11 characters encoding date, separator, sequence, and check digit
  • Format: DDMMYY-XXXC

What Standard Tools Miss

PII detection tools built for US/UK markets typically include:

  • US SSN (XXX-XX-XXXX)
  • UK NINO (XX 99 99 99 X)
  • US passport numbers
  • US driver's license patterns
  • Major credit card numbers

European national identifiers — even major ones like the Codice Fiscale, BSN, and Steuer-ID — are frequently absent from default configurations. Tools that support Presidio's default recognizer set without EU-specific extensions will miss these entirely.

The Operational Impact for Multinational Organizations

A German payroll outsourcing firm processes documents for 500 client companies. Their anonymization workflow correctly removes:

  • Employee names ✓
  • Email addresses ✓
  • IBAN numbers ✓
  • Phone numbers ✓
  • German Steueridentifikationsnummern ✗ — not in their standard configuration

A DPA audit finding notes that payslip PDFs shared with client accounting departments contain unredacted Steuer-IDs. The firm faces:

  • Remediation cost for historical documents
  • DPA enforcement action (potential fine under GDPR Article 83)
  • Contractual liability to clients whose employees' data was exposed

The compliance gap wasn't discovered proactively — it was discovered by the regulator.

Adding EU National Identifiers: Priority List

For organizations operating in multiple EU jurisdictions, the priority order for custom entity configuration:

Tier 1 (highest data processing volume):

  1. Germany: Steueridentifikationsnummer (employment-heavy documents)
  2. France: Numéro fiscal (payroll, tax documents)
  3. Italy: Codice Fiscale (extremely common, appears in all official documents)
  4. Spain: NIF/NIE (payroll, contracts, tax documents)
  5. Netherlands: BSN (employment, government benefits)

Tier 2 (significant but smaller markets):

  6. Poland: PESEL (growing importance with Poland's workforce size)
  7. Belgium: RN (Belgium hosts many EU institutions)
  8. Sweden: Personnummer (high privacy awareness, strict enforcement)
  9. Portugal: NIF (growing tech sector)
  10. Austria: Sozialversicherungsnummer (social security context)

Tier 3 (specific use cases): Remaining 17 EU member states based on where your organization processes data.

Implementation Example: Adding the Steueridentifikationsnummer

The German tax identification number (Steuer-ID) follows a specific format that can be detected with high accuracy:

Pattern characteristics:

  • 11 digits
  • First digit: 1-9 (never 0)
  • No three identical consecutive digits
  • Check digit validation (custom algorithm)

Plain language description for pattern generation: "German tax identification numbers: 11-digit numbers where the first digit is between 1 and 9, and the remaining 10 digits can include zeros"

Generated pattern: Validated regex for Steueridentifikationsnummer with appropriate context matching (surrounding German-language tax document context improves precision)

Validation: Test against a sample set of German payslips and tax certificates. Verify detection rate and false positive rate before production deployment.

Integration: Add to your German-language document processing preset. If processing mixed-language document sets, combine with language detection to apply appropriate national identifier patterns per language.
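One way the steps above could look in code, as an added example that is not from the original article or from any vendor's tool: a candidate regex, the "no three identical consecutive digits" rule listed above, the check digit, and a same-line context boost. It assumes the Steuer-ID check digit follows ISO 7064 MOD 11,10; the context keywords, scores and sample text are constructed for illustration.

```python
import re

# Candidate: 11 digits, first digit 1-9, optional single spaces between digits.
CANDIDATE = re.compile(r"(?<!\d)[1-9](?: ?\d){10}(?!\d)")
# Context keywords and scores are assumptions of this example.
CONTEXT = ("steuer-id", "steueridentifikationsnummer", "identifikationsnummer", "idnr")


def steuer_id_checksum_ok(number: str) -> bool:
    """Check digit over the first ten digits (assumed ISO 7064 MOD 11,10)."""
    product = 10
    for ch in number[:10]:
        total = (int(ch) + product) % 10 or 10
        product = (total * 2) % 11
    return (11 - product) % 10 == int(number[10])


def find_steuer_ids(text: str):
    """Return (number, offset, score) for every structurally valid candidate."""
    hits = []
    lowered = text.lower()
    for m in CANDIDATE.finditer(text):
        number = m.group().replace(" ", "")
        if re.search(r"(\d)\1\1", number):       # page rule: no triple repeats
            continue
        if not steuer_id_checksum_ok(number):    # drops most random 11-digit runs
            continue
        line_start = lowered.rfind("\n", 0, m.start()) + 1
        same_line = lowered[line_start:m.start()]
        score = 0.9 if any(word in same_line for word in CONTEXT) else 0.5
        hits.append((number, m.start(), score))
    return hits


# Constructed payslip fragment; the numbers are sample values, not real IDs.
SAMPLE = (
    "Entgeltabrechnung 03/2026\n"
    "Steuer-ID: 36 574 261 809\n"
    "Personalnummer 12345678901\n"   # format-only number, fails the check digit
    "Bestellnummer 36574261809\n"    # passes the check digit, but no tax context
)

if __name__ == "__main__":
    for number, offset, score in find_steuer_ids(SAMPLE):
        print(number, offset, score)
```

The low-score hit on the order-number line is the case to review when measuring the false positive rate on real payslips.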

Handling Multiple National Identifiers in a Single Workflow

For multinational payroll processors handling documents from multiple EU countries:

Option 1: Separate presets per country. Create a "Germany GDPR" preset, "France GDPR" preset, etc. Apply the relevant preset based on document origin.

Option 2: Combined EU preset. Create a single preset with all EU national identifier patterns active. Higher false positive risk for general text (11-digit numbers that happen to match a Steuer-ID pattern but aren't tax IDs), but simpler operationally. Appropriate for document types where national identifiers are expected throughout.

  • For payroll documents: Option 1 (country-specific presets) with appropriate routing
  • For mixed document sets: Option 2 with threshold tuning
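To make the false-positive trade-off of a combined preset concrete, the following added example (not from the original article or any product) runs a two-country slice of such a preset over mixed text, once with patterns only and once with check-digit validation. It goes beyond the Steuer-ID case to the Dutch BSN (11-proef) and the Spanish DNI/NIE check letter; the preset layout, entity names and sample text are constructed.

```python
import re

DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"  # check letter = number mod 23


def bsn_valid(number: str) -> bool:
    """Dutch 11-proef: weights 9..2 on the first eight digits, -1 on the last."""
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    total = sum(w * int(d) for w, d in zip(weights, number))
    return number != "000000000" and total % 11 == 0


def nif_nie_valid(value: str) -> bool:
    """Spanish DNI/NIE: NIE prefix X/Y/Z maps to 0/1/2 before the mod-23 lookup."""
    value = value.upper()
    digits = {"X": "0", "Y": "1", "Z": "2"}.get(value[0], value[0]) + value[1:-1]
    return digits.isdigit() and DNI_LETTERS[int(digits) % 23] == value[-1]


# Hypothetical combined preset: entity name -> (candidate pattern, validator).
PRESET = {
    "NL_BSN": (re.compile(r"(?<!\d)\d{9}(?!\d)"), bsn_valid),
    "ES_NIF_NIE": (
        re.compile(r"(?<![A-Z0-9])(?:\d{8}|[XYZ]\d{7})[A-Z](?![A-Z0-9])", re.I),
        nif_nie_valid,
    ),
}


def scan(text: str, validate: bool = True):
    """Return (entity, value) pairs; with validate=False the regex alone decides."""
    found = []
    for entity, (pattern, check) in PRESET.items():
        for m in pattern.finditer(text):
            if not validate or check(m.group()):
                found.append((entity, m.group()))
    return found


# Constructed mixed-language text. 123456789 and 12345678A are format-only
# values that match the patterns but fail their check digit / check letter.
SAMPLE = "BSN 111222333, factuur 123456789, DNI 12345678Z, ref 12345678A, NIE X1234567L"

if __name__ == "__main__":
    print(len(scan(SAMPLE, validate=False)), "pattern-only hits")
    print(scan(SAMPLE))
```

Validation narrows the hits but does not remove the risk: roughly one in eleven arbitrary 9-digit numbers still passes the 11-proef, which is why threshold tuning and context remain necessary for Option 2.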

Conclusion

GDPR applies uniformly across the EU, but PII detection tools built for US markets often don't. The Codice Fiscale, BSN, and Steueridentifikationsnummer are as sensitive as SSNs — and as likely to appear in documents that organizations share, export, and analyze.

Custom entity creation closes the detection gap for any national identifier format in hours. Compliance teams can add the Steuer-ID pattern, test against sample German payslips, and deploy to all processing workflows without waiting for the tool vendor to add it to their default configuration.

The DPA audit finding that discovered the missing Steuer-ID detection could have been caught in a proactive compliance review that took an afternoon.
