The Polish Data Protection Authority (UODO) has put a decisive stop to the common practice of routinely scanning customers' identity documents by imposing a fine of €4.3 million (PLN 18.4 million) on ING Bank Slaski. The ruling, dated July 23, 2025, makes it clear that even Anti-Money Laundering (AML) laws do not provide a "blank check" for the indiscriminate collection of data.
The Case: Blanket ID scanning in the name of AML prevention
Over a 17-month period, ING Bank Slaski systematically scanned the identity documents of a large number of customers and prospective customers. In many instances, the bank refused to establish a business relationship if the individual did not consent to having their ID scanned. The bank justified this practice by citing its obligations under the laws designed to combat money laundering and terrorist financing (AML).
However, the UODO investigation revealed that the bank's internal policies mandated ID scanning for everyone, without distinguishing between situations that posed a specific money laundering risk and those that did not. No case-by-case risk assessment was conducted before an ID was scanned; the scan was the default step, not the outcome of an assessment.
The Authority’s Decision: AML duties do not justify indiscriminate data collection
The UODO declared the bank’s practice unlawful, citing violations of the GDPR principles of lawfulness, purpose limitation, and data minimization (Articles 5 and 6 of the GDPR). The authority’s reasoning is of central importance to all “obligated entities” in the financial sector:
- AML laws require risk analysis, not blanket scanning: National AML laws require financial institutions to assess the money laundering risk of each customer and business relationship before deciding which security measures, such as copying an identity document, to apply. Copying the document is one possible measure whose use must follow from that assessment. The systematic, indiscriminate scanning of every customer's ID is therefore not covered by the legal obligation and cannot be based on Article 6(1)(c) GDPR.
- Violation of data minimization: The authority found that a full scan of an ID captures significantly more data than is necessary for identification. A scan reproduces every field on the document, including the photograph, eye color, height, and signature. To fulfill the legal duties, it would have been sufficient to record and store only the data elements the law actually requires (such as name, date of birth, and ID number).
- High risk even without "sensitive" data: Although ID data is not one of the "special categories of personal data" (Article 9 GDPR), the UODO emphasized that processing a complete image of an identity document poses a high risk to the individuals concerned, because a leaked copy can be used directly for identity theft.
What does this ruling mean for your company (and not just for banks)?
- Legal obligations are not a blank check: Even if a law (such as the Money Laundering Act) requires you to verify identity and record certain data, you must still adhere to the principle of data minimization. Such laws usually prescribe which data elements must be recorded, not that an image of the whole document be retained. Collect only the data that is strictly necessary to fulfill the specific legal requirement.
- No "just in case" data collection: Collecting data indiscriminately because it might be useful in a future scenario violates the principle of purpose limitation. The necessity must exist, and be demonstrable, at the time of collection.
- Review your identification processes: Companies in regulated industries (finance, telecommunications, gambling, etc.) should urgently review their "Know Your Customer" (KYC) processes. Is a full scan truly necessary and legally required, or is capturing the specific data fields sufficient?
- Document your risk analysis: If you opt for more intensive data collection (such as a scan) in a given case, you must be able to produce a documented, case-specific risk analysis that justifies that decision. A blanket policy that applies the same measure to everyone is exactly what the UODO found unlawful.
FAQ: ID Copies & GDPR – What you need to know
As a company, am I allowed to demand a copy of a customer’s ID card?
Only in narrow, exceptional cases where a law explicitly permits or mandates it. A customer may provide a copy voluntarily, but they must not be disadvantaged for refusing, and a refusal must not be the reason for declining the contract. As a standard procedure, demanding a copy is almost always impermissible.
What if the customer voluntarily agrees to a copy?
Data minimization still applies. Consent does not make excess data necessary. You must redact (or have the customer redact) every field on the copy that is not required for your purpose, such as the access number or serial number of the document and the physical-characteristics fields (eye color, height), and keep the copy only for as long as that purpose requires.
Does this ruling apply to other industries, such as hotels or car rentals?
Yes, the principle applies across all sectors. Every company must be able to show why an ID copy or scan, rather than inspecting the document and noting the required data, is necessary for the performance of the contract or to fulfill a legal obligation. The bar for this is very high.
Is it enough to delete the ID copy after identification?
While prompt deletion reduces the risk, it does not "cure" the original violation: the excessive collection has already taken place. The principle of data protection by design (Article 25 GDPR) requires choosing the most data-efficient process from the very beginning, so that the excess data is never captured at all.
Conclusion: An end to indiscriminate ID scanning
The ruling by the Polish Data Protection Authority is a milestone in the fight against excessive data collection. It makes it unmistakably clear that legal obligations must not be used as a pretext for "data hoarding." Every company is now called upon to critically examine its KYC and identification processes and reduce them to what is strictly necessary. The era in which ID scanning was a standard, unquestioned procedure is coming to an end.