Photographing or copying a customer’s ID document may breach the GDPR data minimisation principle if less intrusive alternatives exist to verify identity. The Orange case showed that requesting a full image of an ID document to deliver a parcel may be disproportionate.
In this article we will discuss...
Why ID documents require special care
An ID document contains more information than many operations require: image, signature, number, date of birth, nationality and other data that may facilitate identity theft if misused. Before requesting a copy, the company must justify why it is necessary and proportionate.
Data minimisation
Article 5.1.c GDPR requires personal data to be adequate, relevant and limited to what is necessary. In many cases, visual verification, recording limited data or using a less intrusive identity check may be enough.
Common mistakes
- Requesting a full ID copy by default.
- Photographing both sides without justification.
- Not informing about purpose, legal basis and retention.
- Keeping copies longer than necessary.
- Allowing broad internal access to ID documents.
Checklist for companies
- Define why identity verification is needed.
- Check whether visual verification is enough.
- Request only strictly necessary data.
- Inform customers before collecting data.
- Protect and restrict access if a copy is truly necessary.
Conclusion
Copying or photographing ID documents should not be automatic. The company must be able to explain why a less intrusive alternative was not enough and how the document is protected.





Leave a Reply
Want to join the discussion?Feel free to contribute!