08/26/2025 | Press release | Archived content
The processing of personal data obtained by copying (scanning) identity documents by a bank must be preceded by a purpose limitation analysis, i.e. verifying whether such an activity is indeed necessary. This bank did not do this and excessively scanned the identity cards of customers and potential customers even when, for example, they submitted complaints. This is why the fine imposed by the President of the Personal Data Protection Office, Mirosław Wróblewski, amounts to PLN 18 416 400.
From 1 April 2019 to 23 September 2020, ING Bank Śląski (the Bank) scanned identity documents of customers and potential customers. It was not checked whether such actions were justified by the requirement for the bank to apply financial security measures under the Act on Counteracting Money Laundering and Financing of Terrorism (AML Act).
The President of the Personal Data Protection Office carried out an inspection of the bank's processing of the personal data of customers and potential customers, namely the data obtained from copies (scans) of identity documents. In particular, the inspection covered the legal basis for the processing of personal data, the scope and type of personal data processed, and the manner and purpose of collecting and making the data available.
It emerged that, prior to the amendment of the AML Act on 13 July 2018, the bank had not copied customers' identity documents. However, after analysis, reconciliation and changes in banking processes, its practice and procedures changed. It was assumed that in each of the cases indicated in these procedures and instructions a scan of the customer's or potential customer's identity document should be made, and in many situations the performance of activities for the customer was made conditional on obtaining it.
Thus, the Bank did not carry out an individual assessment of the risks associated with the customer concerned and its activities. Identity documents were also scanned in cases which did not comply with the obligations laid down in the AML Act (e.g. in a complaint about an ATM).
Under the AML Act, the scanning of identity cards by institutions is lawful only where it is necessary for the application of financial security measures to combat money laundering and terrorist financing under that Act.
The bank's task is to carry out an individual assessment of the AML/CFT risk and to design security measures appropriate to its outcome (risk-based approach). Only if the obligated institution demonstrates that, in order to combat money laundering and terrorist financing, it is necessary to apply financial security measures involving the processing of information contained in identity documents and the taking of copies (scans) thereof is it entitled to demand that such copies be made.
The Bank, as a controller, has infringed the rules on the protection of personal data through its actions (Article 5(1)(a), (b) and (c), as well as Article 6(1) GDPR). The infringement consisted of the unjustified processing of the personal data of current and potential customers obtained through the scanning of identity documents in situations unrelated to its obligations under the AML Act.
According to the Bank's reports, e.g. in 2020, the number of customers was 4.72 million, including 4.24 million individual customers and 486 000 corporate customers. Mass processing must entail a higher level of responsibility of the controller and a higher level of due diligence required of the controller, as it may result in negative consequences for many persons.
It should also be noted that the Bank should be expected to take a professional approach to the question of the legal basis for data processing.
According to the Bank's explanations, the practice of copying identity documents potentially concerned a large group of customers over a relatively long period of time (i.e. approx. 18 months: from 1 April 2019 to 23 September 2020), which indicates a large scale of processing, although customers were not found to have suffered any harm.
Although the personal data processed by the Bank and obtained by scanning identity documents do not fall within the special categories of personal data referred to in Articles 9(1) and 10 GDPR, their scope (i.e. inter alia: name and surname, personal identification number (PESEL number), image, date of birth, parents' names, surname at birth, number and series of the identity document) entails a high risk to the rights and freedoms of natural persons.
The personal identification number (PESEL number), together with name and surname, uniquely identifies a natural person in a way that attributes the negative effects of the infringement (e.g. identity theft, loan fraud) to that particular person.
In the view of the President of the Personal Data Protection Office, the administrative fine applied in this individual case is effective, proportionate and dissuasive.
Decision in Polish: DKN.5112.6.2020