ID card copied? No free ride for banks

Almost everyone is familiar with this: when you contact your bank, you are asked for ID as a matter of course - and it is often copied straight away. However, what many consider standard practice can be illegal. This is exactly what the Polish subsidiary of ING Bank has now painfully experienced.

As a report by Two Towers Consulting reveals, the Polish data protection authority UODO has imposed a record fine of the equivalent of 4.3 million euros on the financial institution. The accusation: excessive and blanket processing of ID data without a clear legal basis. And this despite the fact that no concrete damage to those affected was proven. A ruling with a signal effect for the entire financial sector.

One ID card for everything? Not like that.

Between April 2019 and September 2020, ING Bank in Poland apparently followed a simple principle: every customer contact = ID card scan. Regardless of whether it was about opening an account, a complaint, or a technical problem at the ATM - the ID was scanned and saved. The bank referred to its obligations under the Polish Money Laundering Act.

But this is the crux of the matter: not every customer contact falls under the Money Laundering Act. In the case of purely technical or general inquiries, there is no legal basis for requesting or storing copies of ID. This is precisely what the data protection authority criticized.

Criticism from the authority: No concept, no measure

The supervisory authority made it clear that ING Bank had failed to carry out a genuine purpose and risk analysis before introducing the practice. There was no differentiation between groups of cases and no comprehensible examination of when an ID scan was really necessary. The procedure was applied across the board - a classic scattergun approach.

The result: violations of central principles of the General Data Protection Regulation (GDPR) - in particular the requirements of lawfulness, purpose limitation and data minimization. The number of customers affected was particularly serious: around 4.7 million people were potentially affected, according to UODO.

Wake-up call for the industry: data protection is not an extra

The bank has since lodged an appeal against the decision, but the ruling is emblematic of a deeper problem: many financial institutions rely on blanket procedures instead of targeted and proportionate measures. What seems legally convenient is often questionable in terms of data protection law - and can be expensive.

This applies in particular to highly sensitive data such as ID card information: collect only what is really necessary - and justify each individual processing operation well. A legal framework such as the Money Laundering Act is not a carte blanche for mass data collection.

When trust suffers

Trust in banks is not only based on stable accounts, but also on the handling of personal data. If entire ID databases are created out of convenience or fear of breaking the rules, just to "play it safe", something is going very wrong.

ING has not acted criminally here, but it has been grossly negligent - and that in an industry where trust is everything. It is not enough to merely keep data protection in mind. It must be an integral part of every process decision. Perhaps this million-euro fine will act as an urgently needed wake-up call - and not just for ING.