Using xerox

It is common for companies to ask their customers to show their ID card or passport and even to scan it or request it to be sent by email in order to carry out the identification of a natural person. However, in doing so, companies may be in breach of the data minimisation principle contained in Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR“), which requires that only adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed may be collected. In this article, we look at the proper processing and misuse of ID cards by companies.

What is the AEPD’s (Spanish Data Protection Authority) criteria in relation to the capture of the national identity card image by courier companies?

The AEPD (Spanish Data Protection Authority) issued report 0048/2023 in relation to a consultation on whether the capture of the ID card image by courier companies in different cases is in accordance with data protection regulations.

In this report, the AEPD (Spanish Data Protection Authority), referring to previous consultations, stresses that the ID card number is particularly sensitive information, as its improper use or use without sufficient guarantees may have multiple unfavourable effects for the data subject. Therefore, the use of the ID card may be excessive or unnecessary to fulfil the purpose of identification and, if there are other less burdensome measures that fulfil the purpose of identifying a person, it is recommended not to use the ID card.

The report stresses that information from the ID card that is not necessary to confirm the identity of the data subject (taking into account the specific context), such as, for example, the number of the card or the photograph, could lead to the request for the ID card and the collection of a copy of the card being an excessive processing.

In order to determine whether it is, it would be necessary to analyse on a case-by-case basis and assess different aspects, such as the legal basis that legitimises such processing (especially if there is a law authorising it) as well as the risk involved in such processing, always starting from the respect of the principles of minimisation and proportionality, with the objective that personal data should only be processed if the purpose of the processing cannot be reasonably achieved by other means.

The report supports us in interpreting the principles of minimisation and proportionality, but it does not say in which cases ID cards data may be processed when there is no regulation expressly providing for its use, as is the case with money laundering prevention regulations, so that each company is itself responsible for analysing what processing of the ID document data it needs for its activity and for each purpose.

AEPD (Spanish Data Protection Authority) rulings on the misuse of ID cards by companies

The AEPD (Spanish Data Protection Authority) has also had occasion to rule on the improper use of the DNI by companies in several sanctioning resolutions it has imposed on companies in different sectors as a result of complaints from individual customers.

We can thus mention the recent decision handed down by the AEPD (Spanish Data Protection Authority) in case EXP202310910 as a result of the requirement by a concert organiser to provide a copy of the ID cards of the parents or guardians of minors under 16 years of age attending an event if they wished to gain access to it. The supervisory authority, in view of the facts alleged in the complaint, considers that the collection of the photocopy of the ID cards is a processing of personal data contrary to the principle of data minimisation regulated in article 5.1.c) of the GDPR, with the sanction being aggravated by the fact that the data protection policy, which referred to the repealed Organic Law 15/1999 on Data Protection, was outdated and did not provide information on the processing that was going to be carried out with the data obtained from the copy of the ID card, nor on the period for which the data would be kept. For all these reasons, the AEPD (Spanish Data Protection Authority) imposed a fine of €20,000.

It is also common practice for hotels to request a copy of the ID card at the time of check-in. Although this requirement is in line with the documentary registration obligations imposed by the applicable legislation, the processing may be excessive if a copy of the ID card is collected and more data than necessary is used, such as, for example, the photograph of the ID card without the customer’s consent and without informing about the purposes.

This is the result of the decision handed down in sanctioning procedure No: PS/00078/2021 in which a hotel was fined 30,000 € for using the photograph taken from passports to prevent fraud in the consumption of services, without informing guests of this processing and without obtaining their consent.

We can also mention sanctioning procedure PS/00413/2021 against a telephone company that required the courier company to take a photograph of the front and back of the customer’s ID card with the handset at the time of delivery in order to deliver a mobile phone to the customer.

The AEPD (Spanish Data Protection Authority), in view of the facts, determines that there are other procedures through which the identity of the addressee can be verified without the need to photograph their ID card by means of the application contained in the mobile phone of the company’s delivery driver, and concludes that this processing is excessive for the intended purpose and imposes a penalty of €100,000.

All these sanctions show that more and more citizens have become aware of the importance of protecting their data and are opposed to excessive or inappropriate data processing and, therefore, companies, in compliance with the principle of proactive responsibility, must carry out an exhaustive analysis of the data processing they carry out, assessing whether it is necessary and proportional for the different purposes for which it is collected, taking into account the casuistry of each activity. Compliance with data protection regulations requires constant updating of companies in this area by means of appropriate advice.

Do you need advice? Access our area related to the processing of ID cards and data protection:

Data Protection

Rate this post
← Go back to blog