Banks are not always allowed to photocopy an ID card
According to the President of the Personal Data Protection Office (UODO), Art. 112b of the Banking Law Act does not allow banks to make photocopies and scans of clients' ID cards, e.g. to set up a bank account or to examine the customer's creditworthiness. In such situations, it is enough just to write down the data from ID card.
Making a copy of ID documents is legal only if it results directly from statutory provisions. Meanwhile, Art. 112b of the Banking Law allows for the processing of information included in identity documents of natural persons for the purposes of banking activity. However, this provision does not mention making copies of identity cards.
This statement was presented in response to a letter from the President of the Polish Bank Association who asked for an analysis of these regulations. In reply, the President of the Office indicates that copying ID documents raises the Supervisory Authority’s doubts almost every time.
This is why the President of UODO strongly opposes copying ID cards in any situation. In addition, making copies of ID documents makes it easier for unauthorized entities to use them for other purposes, including identity theft.
Nevertheless, there are situations when copying ID cards is legal. The basis for making copies of ID documents are the provisions of the Act of 1 March 2018 on Counteracting Money Laundering and Financing of Terrorism which stipulates that copying an ID card is allowed in cases such as carrying out an occasional transaction equivalent to EUR 15 000 or more, or when money laundering or terrorist financing is suspected.
However, the President of UODO indicates that the possibility of copying ID cards in the cases specified in this Act is not tantamount to such an obligation for banks. In addition, each time the bank decides to copy an ID document pursuant to Art. 34 of the Act on Counteracting Money Laundering and Terrorist Financing, this decision should be preceded by an analysis and verification of whether such action is necessary in accordance with the principles of purpose limitation and data minimisation referred to in the Art. 5 para 1 letter b) and c) of the GDPR – General Data Protection Regulation.