Can a bank copy clients’ ID cards? Key takeaways from the latest decision of the Polish Data Protection Authority (PUODO)
The Polish DPA (UODO/PUODO) determined that between April 1, 2019 and September 23, 2020, ING Bank Śląski copied and stored scans of clients’ and prospective clients’ ID cards. The authority concluded that this practice lacked sufficient legal basis, in particular under anti-money laundering and counter-terrorist financing regulations (AML).

PUODO’s concerns
The inspection revealed that, based on internal procedures, the Bank required ID card scans from clients or prospective clients even where it was not legally justified. Moreover, the Bank conditioned the provision of certain services on providing such a scan. ID cards were also scanned in cases unrelated to AML duties, e.g. in connection with ATM complaints.
PUODO’s findings
According to the authority, the Bank failed to demonstrate that making and storing ID card scans was necessary to fulfill statutory obligations. The Bank did not perform an individual risk assessment for each client or transaction, which led the authority to consider the practice unlawful. The Bank’s conduct violated, among others, the GDPR principle of data minimization.
The role of AML regulations
Banks must apply financial security measures required under AML laws, including client identification. However, these regulations do not impose a blanket obligation to routinely scan identity documents. Each such action must have a clear legal basis and be supported by an individual risk assessment. Only when an institution demonstrates that processing and copying data from an ID card is strictly necessary for AML purposes may it lawfully require such a copy.
Provisions breached by the Bank
GDPR requires that personal data be collected lawfully and only to the extent necessary to achieve a clearly defined purpose. Copying entire ID cards without a legal basis and actual necessity violates the principle of data minimization. By scanning ID cards in situations unrelated to AML duties, the Bank processed personal data unlawfully and excessively, thereby infringing the rights of current and potential clients.
Scale of the violation
Although ID card scans do not fall under special categories of personal data, the scope of information contained therein (e.g. name, surname, PESEL number, photo, date of birth, parents’ names, maiden name, ID number and series) entails a high risk of violating individuals’ rights and freedoms. Even a PESEL number combined with a name and surname is enough to uniquely identify a person and can be misused for fraud, such as taking out a loan or committing identity theft.
Fine imposed on the Bank
As a result of the proceedings, PUODO imposed an administrative fine on the Bank in the amount of over PLN 18.4 million.
This penalty is consistent with the authority’s previous practice of imposing significant fines on large entities for processing the personal data of Polish citizens without a proper legal basis.
The decision is not final, and the Bank has already announced that it will appeal while also declaring full cooperation with the authority.
Key takeaways from the decision
The intervention by PUODO demonstrates that financial institutions must comply not only with AML regulations, but also with GDPR principles when processing personal data. Copying ID cards must always be preceded by an assessment of necessity and legal justification. The ING Bank case shows that even trusted financial institutions do not always act in full compliance with the law.
This article was prepared as part of the 57th edition of Compliance Insights. The graphic version in Polish is available on our LinkedIn profile and in the Polish Knowledge Base.