The Spanish Data Protection Agency has fined Orange for photographing the ID cards of its clients at the time of delivering packages to their homes.
Specifically, it photographed the front and back of the ID card.
What was the procedure?
The employee of the delivery company used to take a photograph of the ID card and gave the information to the phone company Orange, who sent the package.
The transport company GLS announced that the security method used was IdentService.
The purpose of this security method is to ensure that the package is correctly delivered to the receiver, excluding that anyone can receive it.
The defendant stated that on its web page, it collects the conditions for package delivery, which includes a photograph of the customer’s ID card.
Pronouncement of the Spanish Data Protection Agency (AEPD)
Faced with this situation, the AEPD expressed its opinion claiming non-compliance with the following article:
Non-compliance with art. 5 GDPR
Article 5 of the General Data Protection Regulation refers to the principle of data minimization.
This principle is based on the need for such data to be processed in a way that is relevant, adequate and limited to what is necessary in relation to the purposes for which they are processed.
Only data that is strictly necessary for the processing may be collected.
The defendant company imposed the obligation to photograph the ID cards of its customers in order to proceed with the delivery of the package.
After examining the documentation provided, the AEPD determined that there are different methods for verifying the identity of the recipient of the package.
These methods do not require photographing the receiver’s identification documents.
In addition, European Court of Justice jurisprudence indicates that, if the objective can be achieved without processing the data, it must be processed.
Therefore, the processing of the personal data of the receivers of the packages is considered excessive and not limited with respect to what is necessary, in relation to the purposes for which they are processed.
In order to avoid the need to photograph the ID cards of its customers, the claimed company should identify its clients at the time of hiring the product.
Orange fined for photographing customers’ ID cards
Finally, the AEPD sentenced Orange to pay a fine of 100.000€, for infringing article 5.1.c) RGPD, typified in art. 83.5 of the same regulation.
Auratech Legal Solutions is at your disposal.
Leave a ReplyWant to join the discussion?
Feel free to contribute!