Administrative fine of EUR 4 375 273 imposed by the Polish Data Protection Authority on ING Bank Śląski S.A. for scanning customers’ ID cards without a legal basis
The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the administrative fine in the amount of 4,375,273 euros imposed by the Polish Data Protection Authority (SA) on the company ING Bank Śląski S.A. for violating Article 5 (Principles related to the processing of personal data) and Article 6 (Lawfulness of processing) of the GDPR.
Between April 1, 2019 and September 23, 2020, the bank systematically collected copies of ID cards without verifying whether this practice was justified by the Act on Counteracting Money Laundering and Financing of Terrorism (AML Law). In many cases, the provision of banking services was conditional on scanning the identity document, even in situations that did not require financial security measures (for example, in processing a complaint at an ATM).
Following the investigation, it was found that the bank did not conduct an individual AML/CFT risk assessment, did not justify the need to scan documents in all cases, and processed personal data without an appropriate legal basis.
In this context, the Polish SA imposed an administrative fine of EUR 4 375 273 on ING Bank Śląski for violating Article 5(1)(a), (b) and (c) of the GDPR (the principles of lawfulness, purpose limitation and data minimization) and Article 6(1) of the GDPR (lawfulness of processing).
NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legislative framework on the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.