Polish DPA Fines Bank $5M for Excessive Scanning of Customer IDs
The Polish Data Protection Authority slammed ING Bank Slaski on Tuesday with a $5 million fine (18,416,400 Polish zloty) for excessive and unjustified scanning of customer ID documents.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The bank copied documents from nearly 5 million customers in 2020, the DPA said, according to an unofficial translation. "Mass processing must be associated with a higher level of responsibility" and greater due diligence to avoid negative consequences to many people.
ING Bank Slaski intends to appeal the decision by lodging a complaint with the Provincial Administrative Court in Warsaw, a spokesperson emailed us Tuesday. The bank fully cooperated with the DPA at every stage of the proceedings, he stressed. It collected scans of identity documents solely in cases where it was necessary to meet its obligations under anti-money-laundering and counter-terrorist financing laws, he added.
Data protection lawyer Jakub Schabowski wrote Tuesday that the decision to issue the fine was another "strong signal" from the watchdog that banks and financial institutions must carefully justify every instance of ID document processing.
Such copying and scanning is lawful data processing only if it's strictly necessary for anti-money laundering or combatting the financing of terrorism, based on an individual risk assessment, Schabowski noted.
The bank systematically copied clients' and potential clients' IDs between April 2019 and September 2020, even in situations that didn't involve anti-money laundering, he added.
He said the DPA found that the bank didn't carry out a proper risk assessment before beginning the practice and collected ID copies without a valid basis under the General Data Protection Regulation.
"Any decision to scan identity documents should make a company stop and think," Schabowski said. "It remains one of the most sensitive areas of personal data processing."