Ruling [NLD] ¦ Dutch Supreme Court Flags Key AML and Privacy Questions

Dutch Supreme Court seeks EU guidance on ID photo retention in AML checks

The Dutch Supreme Court has issued an interim ruling that could have wider implications for financial institutions carrying out customer due diligence (CDD) under anti-money laundering rules. The case concerns a cardholder who refused to complete an online identification process requested by CARD SERVICES1 (CS1), because it required her to upload a photo of her identity document and a selfie. CS1 argued that this step was necessary under the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act, known as the Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme). The cardholder objected, mainly because she did not want her photo and identity document image stored by CS1.

The dispute in context

CS1 had asked the customer in 2020 to re-identify herself online. The process required her to take a photo of her identity document and a selfie, then send both through the online system. When she refused, CS1 blocked the card and later terminated the agreement. The customer challenged that decision and argued, among other things, that storing her photo was unlawful under the General Data Protection Regulation, or GDPR.

At the heart of the case are two related issues. First, does merely storing a passport photo or selfie count as processing biometric data under Article 9 GDPR? Second, does the Dutch anti-money laundering legislation require a financial institution to keep a copy of the identity document used for customer verification, and if so, how does that obligation sit with the GDPR?

Bastian Schwind-Wagner _Follow

"The Dutch Supreme Court has raised important questions about the balance between AML compliance and data protection in customer identification. It held that storing a facial photo is not automatically biometric processing under the GDPR, but it was not prepared to give a final answer on whether financial institutions must keep a copy of an identity document under the Wwft.

The Court has referred key questions to the Court of Justice of the European Union, including whether a full copy of an identity document must be retained and whether a photo can count as data revealing race or ethnic origin. The outcome could shape how banks and other obliged entities handle digital identification and document retention across the EU."

Storage of a photo is not automatically biometric processing

On the first point, the Supreme Court took a clear position. It held that simply storing a photo showing a person’s face does not by itself amount to processing biometric data within the meaning of Article 4(14) GDPR. That provision covers personal data resulting from specific technical processing of physical, physiological or behavioural characteristics that allow unique identification. The Court relied on Recital 51 GDPR, which says that photographs are not systematically special category data and only become biometric data when processed through specific technical means for identification or authentication.

The Court stressed that a photo can be the source from which biometric data may later be derived, for example if facial recognition software is used. But the photo itself is not biometric data merely because it shows a face. On that issue, the Court found no reasonable doubt and decided not to refer the question to the Court of Justice of the European Union.

The real uncertainty: what exactly must be kept under the AML rules?

The more difficult issue concerns Article 33 of the Wwft, which requires institutions to record and retain documents and data used for customer due diligence. The Court found that the Dutch provision can be read in different ways.

One possible reading is that a financial institution may either store the basic identifying data or keep a copy of the identity document, but is not strictly required to keep the copy. Another reading is that a copy of the identity document is itself part of the mandated recordkeeping. If that is correct, the next question is whether the copy must be complete, including the photograph on the document.

The Supreme Court noted that the Dutch law was intended to implement Article 40 of the EU’s Fourth Anti-Money Laundering Directive. But it was not clear whether that directive actually requires member states to impose a duty to keep a full copy of the identity document used for verification.

Privacy concerns under the GDPR

The Court also raised a significant GDPR issue. If the law does require storage of a full copy of an identity document, including the photograph, that storage must still satisfy the GDPR. The Court questioned whether such a broad retention obligation is necessary and proportionate, especially since institutions can already report relevant identity details without submitting the full document to authorities.

This led the Court to ask whether such a retention rule would truly serve a legitimate public interest purpose and whether it would go beyond what is needed to combat money laundering and terrorist financing. The Court also observed that a full identity document contains more information than the minimum needed for customer verification.

Could a photo reveal ethnic origin?

The Court went one step further and raised a separate question about whether a photograph of a person can count as data revealing race or ethnic origin under Article 9 GDPR. That would matter because special category personal data are subject to stricter rules. The Court noted that earlier Dutch case law under the old data protection regime had treated facial photographs as potentially sensitive because racial characteristics might be inferred from them.

However, under the GDPR, the answer is not obvious. The Court asked the European Court of Justice to clarify whether a photo can be such data, and whether the answer depends on the purpose of the processing or on whether ethnic origin can be determined with sufficient certainty from the image.

Prejudicial questions to the Court of Justice

Because these legal questions are not settled, the Supreme Court announced its intention to refer several questions to the Court of Justice of the European Union. The Court wants guidance on whether the anti-money laundering directive requires retention of a copy of the identity document, whether that includes the photo, and how that should be reconciled with the GDPR. It also seeks clarification on whether facial photographs can amount to data revealing race or ethnic origin.

Why this matters for financial institutions

This interim ruling is important for banks, payment firms, and other obliged entities that rely on digital onboarding and periodic re-identification. It shows that while identity verification itself is a core AML obligation, the exact scope of document retention is still open to legal challenge when privacy objections are raised.

For now, the Dutch Supreme Court has confirmed that storing a customer photo is not automatically biometric processing. But it has also made clear that the wider legal basis for keeping identity document copies – especially full copies including photos – still needs clarification at EU level.

The final answer could affect how financial institutions design remote identification processes, how much customer data they retain, and how they balance AML compliance with data minimisation under the GDPR.

Dive deeper

• de Rechtspraak ¦ ECLI:NL:HR:2026:392 ¦ Link
• EUR-Lex ¦ Directive (EU) 2015/849 4AMLD ¦ Link
• EUR-Lex ¦ Regulation (EU) 2016/679 GDPR ¦ Link