UODO [POL] ¦ GDPR: Bank fined PLN 18.4 Million for unjustified Scanning of Customer IDs

Bank Penalized for Skipping Risk Analysis, Unjustified ID Scans Trigger PLN 18.4M Fine

Poland’s Personal Data Protection Office (UODO) has imposed an administrative fine of PLN 18,416,400 (approx. EUR 4,326,749) on a bank for unlawfully processing personal data by scanning identity documents of customers and potential customers. The decision follows a comprehensive inspection into how the bank collected, processed, and justified the copying of ID documents between April 1, 2019, and September 23, 2020.

What the Inspection Found

UODO’s inspection focused on the bank’s legal basis for processing, the scope and type of data captured, and the methods and purposes of collection and sharing. Investigators found that before the July 13, 2018 amendment to Poland’s Anti-Money Laundering and Counter-Terrorism Financing (AML) Act, the bank did not copy customer IDs. However, after internal analyses and changes to procedures, the bank adopted a blanket policy that required ID scans across a wide range of interactions, effectively making them a prerequisite for many routine activities.

Crucially, the bank did not run individual risk assessments to determine whether scanning was necessary in each case, as required under the risk-based approach mandated by AML rules. ID documents were also scanned in contexts unrelated to AML obligations — such as when customers filed ATM-related complaints — indicating systemic overreach.

Bastian Schwind-Wagner: "UODO fined the Bank PLN 18,416,400 for unjustified, blanket scanning of customer IDs without individualized AML risk assessments, breaching GDPR principles of lawfulness, purpose limitation, and data minimization. The case underscores that AML compliance must be risk-based and proportionate, not a carte blanche for invasive data processing."

Why the Practice Was Unlawful

Under the AML Act, obligated institutions may process and copy identity documents only when such measures are necessary to apply financial security measures to prevent money laundering and terrorist financing. Necessity must be demonstrated through an individualized risk assessment — one that identifies specific risks and calibrates measures accordingly.

The Personal Data Protection Office concluded that the Bank acted without a proper legal basis under Article 6(1) GDPR and breached core data protection principles under Article 5(1)(a), (b), and (c):

  • Lawfulness: No sufficient legal ground existed for scanning IDs in many of the situations examined.
  • Purpose limitation: Data collected ostensibly for AML security measures was used in contexts beyond AML compliance (e.g., complaints).
  • Data minimization: Scanning full IDs went beyond what was necessary for the purposes pursued.

Scale and Risk to Individuals

The bank’s own reporting indicates significant scale: in 2020, it served 4.72 million customers (4.24 million retail and 486,000 corporate). Mass processing heightens the controller’s responsibility and the due diligence required, because errors or overreach can impact large populations at once.

While UODO noted no identified individual harm arising from the scans, the nature of the data involved — names, PESEL numbers, images, dates of birth, parents’ names, maiden names, and document numbers — creates a high risk to rights and freedoms. In particular, the combination of the PESEL number with name and surname uniquely identifies individuals and can facilitate identity theft or loan fraud if mishandled.

AML Compliance Requires a Risk-Based Approach

The decision underscores a fundamental point for financial institutions: AML compliance is not a blanket justification for invasive data collection. The risk-based approach requires:

  • Individual risk assessments: Evaluate the money laundering and terrorist financing risk associated with each customer and each transaction type.
  • Necessity and proportionality: Implement only those security measures strictly needed to mitigate the identified risks.
  • Documented justification: Keep records explaining why specific measures — such as scanning an ID — were necessary in each case.

Only when an institution can demonstrate that copying ID documents is necessary to apply AML financial security measures does it have the right to require such processing.

Regulatory Expectations and Professional Standards

UODO emphasized that a bank should be held to a professional standard in establishing the legal basis for processing. Changes to internal procedures after the 2018 AML amendment did not absolve the bank of its obligations under GDPR and AML to justify data collection case by case. The regulator assessed the fine as effective, proportionate, and dissuasive, reflecting the scale of processing and the systemic nature of the breach.

Implications for Financial Institutions

This case is a clear signal to banks and other obligated institutions:

  • Do not default to scanning ID documents across the board. Align data collection with a documented, individualized risk assessment.
  • Limit processing to what is strictly necessary for AML security measures. Complaints handling, customer service interactions, or routine operations may not warrant copying IDs.
  • Revisit and refine procedures introduced after legislative changes. Ensure that internal controls, training, and audits enforce data minimization and purpose limitation.
  • Maintain robust records of AML risk assessments and the rationale for any intrusive measures. These records will be critical in the event of regulatory scrutiny.

Conclusion

The fine against the Bank highlights the intersection of AML obligations and data protection requirements: compliance cannot come at the expense of GDPR principles. Financial institutions must design AML controls that are targeted, justified, and proportionate, avoiding blanket practices that expose customers to unnecessary risks and invite regulatory action.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.

Dive deeper

  • UODO ¦ Case reference: DKN.5112.6.2020; Bank nie może skanować dowodów osobistych klientów bez stosownej analizy celowości (only available in Polish)

Bastian Schwind-Wagner is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.