The Legal Aspects of Loading Passport Data into the Yivi App
← Back to Knowledge Base

The Legal Aspects of Loading Passport Data into the Yivi App

Dibran Mulder 8 min read
passport GDPR privacy legal compliance data protection EU regulation

Introduction

Reading passports and other identity documents involves highly sensitive data. Processing this information understandably raises legal questions. As digital identity solutions continue to evolve, it becomes increasingly important to have clarity about the laws and regulations governing the reading and processing of passport data.

For example, is a user legally allowed to read the chip in their own passport? Which legal frameworks apply? And how does an organization like Yivi ensure compliance with European privacy regulations?

This article provides a comprehensive overview of the legal framework surrounding passport data processing in the EU, with specific attention to how Yivi’s architecture ensures both legal compliance and maximum privacy protection for users.

When it comes to reading passport chip data in the European Union, two major areas of legislation are relevant:

  1. EU regulations on document standards and issuance – These regulate how passports must be issued and which technical standards they must meet
  2. Data protection and privacy legislation – Primarily the General Data Protection Regulation (GDPR), which governs how personal data must be handled

It is crucial to understand that these frameworks serve different purposes and impose obligations on different parties.

EU regulations on document standards

The European Union has established clear technical standards for identity documents through two major regulations:

  • EU Regulation 2252/2004 – Establishes standards for passports and travel documents
  • EU Regulation 2019/1157 – Establishes standards for national identity cards

Both regulations require EU Member States to issue documents compliant with ICAO Doc 9303, the international standard set by the International Civil Aviation Organization. This standard defines the technical specifications for machine-readable travel documents, including the RFID chips embedded in modern passports.

A crucial distinction: issuance vs. reading

Here lies a common misconception: these regulations impose requirements on governments that issue documents, not on individuals who read their own documents.

There is no EU regulation that prohibits or restricts citizens from reading the data stored on their own passport chip. The regulations are focused on ensuring that Member States issue secure, standardized documents—not on restricting what passport holders can do with their own documents.

Extended Access Control (EAC)

The only exception concerns biometric data protected by Extended Access Control (EAC). Access to certain highly sensitive biometric data groups (such as fingerprints stored in some passports) requires government authorization and specialized terminal equipment. However, this restriction applies only to the most sensitive biometric data, not to the basic passport data that Yivi processes.

The standard passport data groups—including the Machine Readable Zone (MRZ), personal data, and facial image—are accessible to the passport holder through Basic Access Control (BAC), which requires only the information printed on the passport itself (document number, date of birth, and expiration date).

Public Key Infrastructure: verification without restrictions

One of the most important aspects of passport security is the ability to verify document authenticity. Modern e-passports use an advanced Public Key Infrastructure (PKI) that enables cryptographic verification of passport data.

In countries like the Netherlands and Germany, the national master lists containing the public certificates needed for verification are publicly available:

  • Netherlands: The NPKD (National Public Key Directory) provides the Dutch master list
  • Germany: The BSI (Federal Office for Information Security) maintains the German master list
  • Internationally: The ICAO PKD (Public Key Directory) provides international certificate data

The public availability of these master lists is intentional and serves an important security function. It allows any party—including individual citizens—to verify that a passport is authentic and has not been tampered with. There are no legal restrictions on consulting these public master lists or using them for verification purposes.

As outlined in our technical article on passport authentication, Yivi uses these publicly available master lists to perform strict cryptographic verification of passport authenticity, implementing both Passive Authentication (verifying the digital signature) and Active Authentication (proving that the chip is authentic).

GDPR: the primary privacy framework

Although EU regulations do not restrict reading your own passport, the General Data Protection Regulation (GDPR) sets clear requirements for how personal data must be processed.

When does the GDPR apply?

The GDPR applies when an organization processes personal data. In the context of passport data and Yivi, this means that whenever passport data is read and processed to create digital credentials, GDPR compliance is essential.

Article 6 GDPR: legal basis for processing

According to Article 6 of the GDPR, any processing of personal data requires a legal basis. The two most relevant grounds for passport data processing in the Yivi context are:

  1. Consent (Article 6(1)(a)) – The data subject has given clear consent for the processing of their personal data for specific purposes
  2. Public task (Article 6(1)(e)) – Processing is necessary for the performance of a task carried out in the public interest

For Yivi, user consent is the primary legal basis. Users make a deliberate, informed choice to scan their passport and load the data into their Yivi wallet. This consent is:

  • Freely given – Users choose whether they want to use the passport credential feature
  • Specific – Users understand that they are loading passport data into a digital credential
  • Informed – The process is transparent, and users understand what happens to their data
  • Unambiguous – The act of scanning the passport constitutes clear consent

Additional GDPR principles

Beyond having a legal basis, the GDPR requires that data processing comply with several core principles:

  • Purpose limitation – Data is collected for specific, explicit purposes
  • Data minimization – Only data necessary for the purpose is processed
  • Storage limitation – Data is not retained longer than necessary
  • Integrity and confidentiality – Appropriate security measures protect the data
  • Accountability – The organization must demonstrate compliance

As we will see in the next section, Yivi’s architecture is specifically designed to meet all of these principles.

Yivi’s privacy-first architecture: GDPR compliance by design

The way Yivi processes passport data is fundamentally different from traditional identity verification systems, and this difference is crucial for both legal compliance and privacy protection.

No server storage: a critical design choice

The most important aspect of Yivi’s architecture is this: passport data is never stored on a Yivi server.

When you scan your passport with the Yivi app:

  1. Data is read from the passport chip using your phone’s NFC function
  2. Data is sent to the Yivi server for cryptographic verification
  3. Authenticity is verified using official government master lists and PKI infrastructure
  4. Credentials are created using only the necessary attributes
  5. Credentials are returned to your Yivi app and stored locally on your device
  6. Data is never persisted on the server—not even temporarily cached

This architecture provides several crucial legal and privacy benefits:

Data minimization

The credentials created from passport data contain only the minimally necessary information. Instead of storing full passport data, Yivi creates specific attributes that can be selectively disclosed:

  • Age verification attributes – “18+”, “21+”, etc., without revealing the exact date of birth
  • Citizenship indicators – “EU citizen”, “Dutch national”, etc.
  • Minimal personal data – Only the data points required for verification
  • Derived attributes – Birth year instead of full date of birth, reducing data exposure

This selective disclosure capability means that when you use your Yivi passport credential, you share only the minimal information required for that specific purpose—a core GDPR principle.

User control and transparency

Under the GDPR, individuals have rights regarding their personal data, including:

  • Right of access – Know which data is being processed
  • Right to erasure – Have data deleted
  • Right to data portability – Transfer data elsewhere
  • Right to object – Object to certain processing activities

Yivi’s architecture inherently supports these rights:

  • Transparency: Users see exactly which data is included in their credentials
  • Control: Data is stored locally in the user’s app, under their direct control
  • Portability: Credentials can be reissued on another phone
  • Deletion: Users can delete credentials at any time by removing them from the app

Because Yivi stores no passport data on servers, there is no centralized database requiring ongoing rights management—the user retains full control.

Security and confidentiality

The GDPR requires appropriate technical and organizational measures to ensure data security. Yivi implements multiple security layers:

  • End-to-end encryption – Data is encrypted during transmission
  • Local-only storage – Credentials are encrypted and stored on the user’s device
  • Cryptographic verification – Passport authenticity is proven using advanced cryptography
  • No central data repository – No honeypot of passport data for attackers
  • Open-source transparency – Security measures are publicly verifiable

The absence of server storage dramatically reduces security risks. There is no central database to hack, no stored passport data to leak, and no ongoing vulnerability management for stored personal data.

Conclusion

Loading passport data into the Yivi app is on solid legal ground. Citizens may read the chip in their own passports, the public PKI infrastructure supports unrestricted authentication, and the GDPR provides a clear framework for safe and transparent processing. What sets Yivi apart is its architecture that goes beyond legal requirements: users retain full control, data is never stored centrally, and only strictly necessary attributes are shared. This makes Yivi a future-proof and privacy-friendly solution aligned with the principles of eIDAS 2.0 and international data protection standards.

For organizations, this presents a unique opportunity: strong identity verification without the risks and burdens of storing sensitive personal data. With Yivi, you can comply with regulations, respect user privacy, and offer a smooth onboarding or verification flow.

Would you like to explore the possibilities of international identity proofing for your organization? Feel free to contact us—we are happy to discuss the options.

Want to learn more about integrating passport verification into your organization? Contact us to explore the possibilities.