The President of the UODO recommends developing guidelines on copying identity documents
The President of the Personal Data Protection Office has consistently taken the view that copying identity documents by the representatives of the institutions subject to the law must be preceded by an analysis of purposefulness, verification whether such an action is actually necessary. The practice varies, that is why the President of the UODO addressed the Chairman of the Polish Financial Supervision Authority (KNF) with a request to consider issuing by that regulator relevant recommendations on verifying the identity of clients.
Data Controllers and data subjects report doubts to the Personal Data Protection Office as regards copying identity documents by institutions subject to the law. The doubts relate to the proper verification of the identity of the clients of these institutions, fulfilling the obligations arising from the Act on Prevention of Money Laundering Practices which imposed on the so-called institutions subject to the law, such as banks, savings and loans associations or national payment institutions, the obligation to apply financial security measures, while complying with the provisions of the General Data Protection Regulation (GDPR).
Article 34 para. 1 of the Act on Prevention of Money Laundering Practices, specifying financial security measures, provides that this measure is, inter alia, customer identification and verification of his identity and not copying an identity document. The regulations provide for the possibility of copying identity documents. This solution should be considered as an entitlement of institutions subject to the law and not an obligation.
The President of the Personal Data Protection Office does not question the legitimacy of making copies of identity documents by institutions subject to the law, since they have such right pursuant to Art. 34 para. 4 of the Act on Prevention of Money Laundering Practices. However, he disputes that this practice must be carried out in case of every activity performed by the institutions subject to the law. The decision to copy an identity document, or a request for such copies should be preceded by a complex analysis of whether such action is actually necessary. Such verification should take into account the provisions of the GDPR, in particular, comply with the principles of purpose limitation and data minimization.
In the letter of 10th September 2019, the President of the Personal Data Protection Office which addressed to the General Inspector of Financial Information (GIIF) a question on what means should be used by the institutions subject to the law for clients identification, and whether in each case these institutions in order to fulfill the obligation to identify clients should obtain copies of documents from them, including identity documents. In response, the General Inspector of Financial Information agreed with the position of the President of the Personal Data Protection Office that verification of the client's identity does not have to always involve obtaining copies of documents. This authority also explained that in the course of conducted controls on the correctness of the fulfillment by institutions subject to the law of the verification of clients' identities, it did not expect them to submit copies of identity documents - as confirmation of correct verification of identity.
Despite the position taken by GIIF, the problem is universal and still valid. That is why the President of the UODO decided to implement a sector-specific inspection plan in relation to banks in terms of copying identity documents.
However, bearing in mind the difficulties that the institutions subject to the law fear to encounter in developing practices which would ensure a balance between the need to prevent such a serious phenomenon as money laundering and terrorist financing, and taking into account the provisions and principles of personal data protection, the President of the Personal Data Protection Office directed a request on 13 March 2020 to the Chairman of the Polish Financial Supervision Authority to consider the development of relevant recommendations by this regulator.
In the opinion of the President of UODO, a helpful tool for entities subject to the law would therefore be recommendations issued by the appropriate regulator, which would determine the circumstances when obtaining copies of identity documents is justified, when to use other tools and what kind of tools.
Appropriate recommendations issued by the regulator would constitute a valuable hint and reference for entities obliged to use security measures. The lack of uniform standards in this area generates doubts both of entities subject to the law and clients who are asked to submit copies of identity documents.
In response from March 30, 2020, the chairman of the Polish Financial Supervision Authority informed that the General Inspector of Financial Information is the competent authority in matters of counteracting money laundering and terrorist financing, as well as issuing recommendations and interpretations in this matter.
Below we attach letters (in Polish) related to the problem of frequent copying of identity documents, which were exchanged between UODO, GIIF and KNF.