Polish Data Protection Authority’s Position on Making Copies of Identity Documents by Banks
On September 9, the Polish Data Protection Supervisory Authority (UODO) issued its response to the letter of the President of the Polish Bank Association, wherein it clearly stated that the provision of the banking law (i.e. article 112b of the act) does not entitle banks to make copies of personal ID cards of their clients at all times (e.g. for the purpose of setting up a bank account or checking the client’s credibility). In the regulator’s opinion, making copies is permitted only when the law explicitly authorizes one to do so.
According to article 112b of the banking law, banks may process the information contained in identity documents of natural persons for the purposes of their banking activities. As such, this provision does constitute grounds for processing of personal data of the bank’s clients, however, it lacks the explicit authorization to record such data by making copies of the documents in which such data is embedded. Therefore, it should not be relied on by the banks when justifying making copies of client’s ID cards.
It is UODO’s view that copying identity documents almost always raises serious privacy concerns and, thus, the regulator is against such practice. Photocopying of ID cards (or other identity documents for that matter) facilitates identity thefts. These are oftentimes perpetrated by former (or even current) employees of the controllers (e.g. banks or telecommunication undertakings).
UODO stated that making copies may be allowed in some rare situations, pointing to provisions of the anti-money laundering laws (Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing). Article 34 paragraph 4 of said act states that, for the purpose of applying financial security measures (enumerated in article 35 of the Act), obliged institutions (e.g. banks) may process information contained in the identity documents of a customer and of a person authorised to act on behalf of a customer and may make copies thereof. However, as the regulator pointed out, this provision may not be treated as an obligation to copy the ID cards every single time, but merely a right to do so where necessary and only in those cases enumerated in article 35 of the Act (i.e. whenever carrying out of an occasional transaction amounting to the equivalent of €15,000 or more, in a single operation or in several operations which appear to be linked or transferring funds exceeding the equivalent of €1,000).
According to UODO, each and every decision to copy the ID should be preceded by a thorough analysis and a verification whether such copying is absolutely necessary, in accordance with the principle of purposefulness and data minimization (as per article 5.1 b) and c) of the GDPR). The regulator emphasized that not all banks copy ID cards and that many utilize, in the first place, other less intrusive tools to verify the identity of their customers, e.g. by checking the PESEL numbers in the PESEL data base, which they are authorized to access under the Act of 24 September 2010 on population records. The regulator criticized the common practice of making copies of ID cards in connection with each and every banking activity and emphasized that copying ID cards should take place only when explicitly authorized by law and solely to the extent that the processing of the data embedded therein is necessary to achieve the purpose for which that data is collected.
Banks should always give due consideration to the protection of their clients’ personal information and weigh – on a case by case basis – the balance between the bank’s interest and the clients’ privacy.