Introduction
You are probably familiar with it: the 'copy passport' that is often requested by service providers. Under the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), certain institutions are obliged, among other things, to identify their clients. For this reason, a copy of the identity document is then requested. Is this permitted? And what about this from a privacy perspective (the General Data Protection Regulation, or AVG)? You can read it here.
Recent Amsterdam court ruling
The Amsterdam court recently dealt with a case that shows exactly where the tension lies between law enforcement (the Wwft) and customer privacy (the AVG). An entrepreneur has a business and a personal credit card with ICS. ICS asks the customer for re-identification: the customer has to upload a photo of his ID via an app and that photo must not be written on. The business owner disagrees and refers to the website of the Personal Data Authority, which states that a described copy of an identity document cannot be refused. However, according to ICS, a described copy cannot be checked for authenticity. Moreover, ICS provides the photo with a watermark and only then stores it.
According to the court, ICS has a duty of identification under sections 3 and 38 Wwft. Under the European Anti-Money Laundering Directive and the Implementing Regulations, identification may take place via secure electronic means of identification. The Wwft Guideline and the AFM's Sanctions Act also allow this. The court therefore ruled that the entrepreneur was not entitled to physical identification: ICS may require that identification and verification take place digitally. ICS also offered two alternatives for using the app (at home or at the notary's office), using a scanner and storing a copy of the unwritten ID.
But what about privacy? The court held that ICS is obliged under the Wwft to establish identity and that this cannot be done with a written copy. After all, the authenticity features would then be unreadable. Moreover, the copy must be stored to prove that ICS has complied with the Wwft (the legal basis for processing personal data).
Personal Data Authority
This judgment of the court can surely be called remarkable, since the website of the Personal Data Authority contains other information, namely:
Can I write something on a copy of my identity document?
Yes, you may. You always have the right to write a text through the copy of your identity document. This way, you protect the copy against identity fraud.
In some cases, an organisation or company has a legal basis to process a full copy of your identity document for a specific purpose.
For example, when you join a company as an employee. Your employer must then keep a copy of your identity document.
But even in these cases, you always have the right to write a text through the copy of your identity proof. For example: 'Copy for [name of employer] from [date]'.
This way, you protect the copy against identity fraud, as the entire copy will not be able to be used for any other purpose.
Note that all personal data (such as the photograph and the BSN) on the copy described must be legible. The photo must also be sufficiently visible to identify you.
Whatever you write on the copy must therefore not impair the identifying function of the copy. (...)
Can an organisation refuse a described copy of my identity document?
No, they may not. If that organisation has a legal basis to process a full copy of the identity document, then a described copy is sufficient for this purpose.
So you can choose to write on the copy. This is also advisable, as it protects the copy from identity fraud. (...)"
However, the court indicated that this information from the AP on making and storing a copy of the identity document is not clear, contains contradictions and also has no force of law.
You can read the court's full ruling here.
Financial Services Complaints Institute (Kifid)
Then there is the Kifid. This institute ruled in January 2022 that storing a full and unprocessed copy of an identity document violates the AVG. According to the Kifid, while a bank (in this case ABN AMRO) is allowed to ask for an unedited copy of a passport in order to investigate its authenticity, it is not then allowed to store that copy unaltered. According to the Kifid, this would not be necessary to comply with the Wwft. For this reason, the bank's conduct violates the AVG. In short: retrieval is allowed, but storage is not, at least not without shielding the passport photo and applying a watermark.
Final Remarks
Finally, this subject is far from crystallised and we suspect that this topic will set many pens in motion in the near future. Naturally, we will keep you informed. Want to know more? Feel free to call or email us: 043-365 20 88 or info@spee-advocaten.nl.