Polish SA: administrative fine of 4 375 273 € for ING Bank Śląski S.A. for scanning customers’ identity cards without appropriate purpose analysis

25 September 2025

Background information

  • Date of final decision: 23 July 2025
  • National case
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing)
  • Decision: Administrative fine
  • Key words: Administrative fine, Anti-Money Laundering, Data security, Lawfulness of processing, Data subject rights, Data protection by design and by default

Summary of the Decision

Origin of the case  

From 1 April 2019 to 23 September 2020, ING Bank Śląski (the Bank) scanned identity documents of customers and potential customers. No check was made as to whether such actions were justified by the bank's obligation to apply financial security measures under the Act on Counteracting Money Laundering and Financing of Terrorism (AML Act).

Key Findings

The President of the Personal Data Protection Office, the Polish Supervisory Authority (SA), carried out an inspection of the bank’s processing of personal data of customers and potential customers, namely copies (scans) of identity documents. In particular, the inspection checked the legal basis for the processing of personal data, the scope and type of personal data processed, and the manner and purpose of collecting the data and making it available to third parties. It emerged that, prior to the amendment of the AML Act on 13 July 2018, the bank had not copied customers’ identity documents. However, after analysis, reconciliation and changes in banking processes, the practice and procedures changed. It was assumed that in each of the cases indicated in these procedures and instructions, a scan of the customer’s or potential customer’s identity document should be made, and in many situations the performance of activities for the customer was made conditional on obtaining it.

Thus, the Bank did not carry out an individual assessment of the risks associated with the processing of the customer’s personal data. Identity documents were also scanned in cases that fell outside the obligations laid down in the AML Act (e.g. in a complaint about an ATM).

The scanning of identity cards by institutions is lawful in the context of the AML Act only if it involves the necessary application of financial security measures to combat money laundering and terrorist financing under that law.
The bank’s task is to carry out an individual assessment of the AML/CFT risk and to design security measures appropriate to its outcome (risk-based approach). It is only if the responsible institution demonstrates that, in order to combat money laundering and terrorist financing, it is necessary to apply financial security measures involving the processing of information contained in identity documents and the taking of copies thereof (scans), that it is entitled to process these personal data.

Decision

The President of the Personal Data Protection Office has imposed on ING Bank Śląski an administrative fine of 4 375 273 € for infringement of Article 5(1)(a), (b) and (c) and Article 6(1) of the GDPR.

For further information:

  • National press release: The bank cannot scan customers’ identity cards without appropriate purpose analysis
  • National decision (Polish)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.