Polish decision on identification by ING Bank

The Polish data protection authority, Urząd Ochrony Danych Osobowych (UODO), has fined ING Bank for non-compliance with the GDPR when identifying customers under the anti-money laundering rules (news item in English [1], news item in Polish, decision in Polish). As in the Netherlands, those rules have a European basis, so the decision may also be of interest for Dutch practice.

Although UODO also has an English-language version of its site, I have not yet been able to find out whether the decision has been translated.

The decision is discussed on GDPR Hub. There it is stated that the bank was found guilty of processing customers' identity documents excessively and without a legal basis. UODO was further of the opinion that the scans of identity documents contained more data than necessary for the bank's purpose. In UODO's view it is sufficient to record the social security number or, where that is missing, other data such as the number of the identity document.

There are reports that ING Bank is appealing [2].

Identification becomes riskier under new European rules
Under the European anti-money laundering package that becomes applicable in mid-2027, identification may become even more problematic and risky, as Privacy First has pointed out in the consultation of the European Banking Authority (EBA); see the announcement about participation in the consultation and the article Digitale identiteit wordt sluipenderwijs toch verplicht (Digital identity is gradually becoming mandatory after all).


Notes:

[1] UODO writes, among other things:

It has appeared that prior to the amendment of the AML Act on 13 July 2018, the bank had not copied customers’ identity documents. However, after analysis, reconciliation and changes in banking processes, there was a change in practice and procedures. It has been assumed that in each of the cases indicated in these procedures and instructions, a scan of the customer’s or potential customer’s identity document should be carried out – in many situations, making the performance of activities for the customer conditional on it being obtained.

Thus, the Bank did not carry out an individual assessment of the risks associated with the customer concerned and its activities. Identity documents were also scanned in cases which did not comply with the obligations laid down in the AML Act (e.g. in a complaint about an ATM).

The scanning of identity cards by institutions is required to be lawful in the context of the AML Act only if it involves the necessary application of financial security measures to combat money laundering and terrorist financing under that law.

The bank’s task is to carry out an individual assessment of the AML/CFT risk and to design security measures appropriate to its outcome (risk-based approach). It is only if the obligated institution demonstrates that, in order to combat money laundering and terrorist financing, it is necessary to apply financial security measures involving the processing of information contained in identity documents and the taking of copies thereof (scans), that it is entitled to demand that this be done.

The Bank, as a controller, has infringed the rules on the protection of personal data through its actions (Article 5 (1)(a)(b) and (c), as well as Article 6 (1) GDPR). The infringement consisted of the unjustified processing of personal data of current and potential customers obtained through the scanning of identity documents in situations unrelated to its obligations under the AML Act.

According to the Bank’s reports, e.g. in 2020, the number of customers was 4.72 million, including 4.24 million individual customers and 486 000 corporate customers. Mass processing must entail a higher level of responsibility of the controller and a higher level of due diligence required of the controller, as it may result in negative consequences for many persons.

It should also be noted that the Bank should be expected to take a professional approach to the question of the legal basis for data processing.

According to the Bank’s explanations, the practice of copying identity documents concerned potentially a large group of customers over a relatively long period of time (i.e. for a period of approx. 18 months: from 1 April 2019 to 23 September 2020), which indicates a large scale of this processing, while customers were not found to have suffered any harm.

Although personal data processed by the Bank, obtained by scanning identity documents, do not fall within the special categories of personal data referred to in Articles 9(1) and 10 GDPR, their scope (i.e. inter alia: name and surname, personal identification number (PESEL number), image, date of birth, parents’ names, surname at birth, number and series of identity document) entails a high risk to the rights and freedoms of natural persons.

The personal identification number (PESEL number), together with name and surname, uniquely identifies a natural person in a way that attributes the negative effects of the infringement (e.g. identity theft, loan fraud) to that particular person. 

[2] English-language reports:
ING Bank Śląski will appeal against UODO’s decision, Polish News, 28 August 2025,
ING is fined over PLN 18 million by the Personal Data Protection Office (UODO). The bank intends to appeal the decision, 1 News Day, 26 August 2025.


About Ellen Timmer

Weblog: https://ellentimmer.com/ ||| Microblog: https://mastodon.nl/@ellent ||| Motto: good intentions do not justify bad rules
This post was filed under Europe, Financial law (including Wft, Wtt), Fraud, anti-money laundering, Wwft, Fundamental rights, ICT, privacy, e-commerce.
