16.08.2022

Can financial institutions copy ID cards?

The Polish DPA invariably takes the view that copying of identity cards by financial institutions is legal only if it is necessary to undertake security measures to prevent money laundering and terrorist financing.

It happens that financial institutions, including banks, when concluding agreements with us for the provision of various types of services, such as setting up and maintaining a bank account, electronic banking, granting a loan or even executing a transfer order, make a copy of our identity document. They justify their action by the application of financial security measures referred to in the Act on counteracting money laundering and the financing of terrorism of 1 March 2018. They indicate that, in accordance with its Article 34 para. 4, obligated institutions may, for the purpose of applying financial security measures, process and copy the information contained in the identity documents of the client and the person authorised to act on their behalf.

Copying is not permitted for every activity

The Polish DPA's unchanged opinion is that this provision does not entitle financial institutions to copy a customer's ID card in every situation.

The Polish DPA points out that banks, according to Article 112b of the Banking Law, may process information contained in the identity documents of natural persons for the purposes of their banking activities. This means only that, on its basis, they have the right to process all personal data of customers which are included in the identity documents. However, this does not amount to the right to make copies of those documents.

It is often sufficient to only present an identity document for inspection.

On the other hand, in accordance with the provisions of the Act on Counteracting Money Laundering and Terrorist Financing, obligated institutions, including banks, but also investment funds, entrepreneurs who own exchange offices within the meaning of the Foreign Exchange Law of 27 July 2002 and notaries in the scope of the activities referred to in the Act carried out in the form of a notarial deed, are entitled to make copies of identity documents for the purposes of applying financial security measures.

Importantly, however, they must carry out an assessment of the risk of money laundering and terrorist financing before applying financial security measures. At the same time, the provisions of this Act specify (Article 35) when obligated institutions apply financial security measures.

In addition, financial institutions as controllers are obliged to apply the provisions of the General Data Protection Regulation (GDPR). Therefore, before applying financial security measures, they must assess whether the processing of the personal data of a natural person contained in a copy of the identity card for these purposes is necessary. In accordance with the principles of purpose limitation and data minimisation referred to in Article 5 of the GDPR, ‘personal data must be collected for specific, explicit and legitimate purposes’, as well as ‘adequate, relevant and limited to what is necessary for the purposes for which this data is processed’.

A change of standpoint?

Recent press releases have raised doubts as to whether the Polish DPA has changed its standpoint on the copying of identity documents.

The Polish DPA's recommendations in this respect remain unchanged and are described on the DPA's website in various articles regarding copying of identity cards.

The decision of the DPA must take into account all the individual circumstances of the case.

It should be emphasised that the information published on the DPA's website is informative and educational. It also outlines a certain direction of interpretation.

What is more, the DPA presents a binding standpoint only in an administrative decision issued after examination of all the circumstances of the case.

The activities of controllers vary and depend on different institutional, legal and organisational factors that may have a significant impact on the final assessment. Sometimes the decisions of the supervisory authority issued in similar cases may therefore differ. Reading the decision makes it possible to know the specific circumstances that have influenced the final judgment of the authority.
