There is great uncertainty among companies as to when the identity card may be copied. The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW in German) has issued a recommendation on the use of the identity card (available only in German) with case studies from everyday practice. Some important points are summarized below.
The principles of data minimisation and storage limitation in the GDPR
When collecting or storing personal data from an identity card, the principles for processing personal data must always be observed (Art. 5 GDPR). The principles of data minimisation and storage limitation are of particular importance here.
The principle of data minimisation says that data should be processed in an adequate, relevant way and limited to what is necessary in relation to the purposes for which they are processed. The principle of storage limitation says that data should be processed in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
In other words, copies of identity cards must be deleted or destroyed immediately after the required information has been established. Exceptions to this may arise from special legal retention periods.
Copying your identity card is illegal if not necessary
It is often not necessary to copy the ID card or passport as it is sufficient to present the document for identification purposes. The making and keeping of an ID copy is contrary to the principle of data minimisation, as the purpose of processing can be achieved without copying and storing. In such cases, a copy of an identity document should therefore not be made.
The State Commissioner for Data Protection names the following requirements for the collection and storage of copies of identity documents, derived from the principles mentioned above:
- Copy must be required
  The issuing of a copy of an identity document must be necessary in individual cases. If the identity card can be presented or inspected on site without great effort, it is not necessary to make a copy.
- Purpose limitation of the identification
  The copy of the identity card may only be used for the purpose of identity verification; use for other purposes is illegal.
- Recognizability as copy
  Pursuant to § 20 Paragraph 2 of the German ID Card Act, the copy of the ID card must be recognisable as such in order to protect legal transactions.
- Blackening of statements
  Information that is not necessary for identification (e.g. serial number, size, eye colour, etc.) must be blacked out.
- Immediate destruction
  The copy of the identity document shall be destroyed immediately after identification. Archiving is not permitted. If a record is required, it is sufficient to save a note: “Copy of identity document has been made”.
- No scanning of the identity card with subsequent storage
In its recommendation, the State Data Protection Commissioner lists selected practical examples of the copying of identity cards.
The following cases are highlighted in the brochure:
- Identity verification according to the new money laundering act
- scrap metal dealers
- telecommunications providers
- driving license
- request for self-disclosure of stored personal data to credit agencies or other companies
- conclusion of a contract and complaints
- check-in at the airport
- renting of living space
- hotel stay
- protection of minors
- vehicle registration
- deposit as security
- online identification
In these cases, the data collection must be evaluated not only according to the requirements of the ID Card Act but also according to the data protection laws. The principles of data minimisation and storage limitation are of great importance. Following these principles results in the correct collection of ID card data. The brochure mentioned above provides clarity on common cases.