Auratech Legal Solutions

Photographing Customer ID Documents: GDPR Risks and Data Minimisation

multa a orange por fotografiar DNI de sus clientes

Photographing or copying a customer’s ID document may breach the GDPR data minimisation principle if less intrusive alternatives exist to verify identity. The Orange case showed that requesting a full image of an ID document to deliver a parcel may be disproportionate.

Why ID documents require special care

An ID document contains more information than many operations require: image, signature, number, date of birth, nationality and other data that may facilitate identity theft if misused. Before requesting a copy, the company must justify why it is necessary and proportionate.

Data minimisation

Article 5.1.c GDPR requires personal data to be adequate, relevant and limited to what is necessary. In many cases, visual verification, recording limited data or using a less intrusive identity check may be enough.

Common mistakes

Checklist for companies

Conclusion

Copying or photographing ID documents should not be automatic. The company must be able to explain why a less intrusive alternative was not enough and how the document is protected.

Exit mobile version