The Act on Public Documents, which came into force on 12 July, prohibits the making and trading of replicas e.g. of personal identity cards or driving licenses. According to the Personal Data Protection Office (UODO), not every copy of a public document will have the features of authenticity. Nevertheless, an entity that copies, for example an ID card, may be responsible for processing too wide a scope of personal data.
Under the new provisions, a person who makes, sells or possess a public document for sale will be punished by a fine, restriction of liberty or imprisonment of up to 2 years. Such a replica will be considered a copy or image of e.g. an identity card or a driving license, having features of authenticity, where the size of this copy or image would be of 75% up to 120% of the original of a public document.
However, there will be no criminal liability, provided for in the new regulations, in the case of making photocopies and computer printouts of public documents for official, business or professional purposes determined on the basis of separate regulations or for the use of the person to whom the public document was issued.
From the perspective of the principles of personal data processing, the entities that make replicas of identity documents should take into account the legal provisions on the basis of which they operate. They must also remember about the rules resulting from the GDPR, including the principle of data minimization. In many cases, making copies of documents confirming the identity leads to the acquisition of data that goes beyond the scope allowed by the law on the basis of which the entities operate. In every case, for example when an entrepreneur makes a copy of an ID card, the Personal Data Protection Office may investigate whether it is authorized to process such a scope of data contained therein. Therefore, the Supervisory Authority will verify whether the scope of the data processed is limited to what is necessary for the purposes for which the data is processed – whether the principle of minimization is not violated.
In the opinion of UODO, most of the entities that want to make photocopies of documents cannot justify such a goal by the conclusion of a contract. For example, under the Telecommunications Act, a telecommunications company is obliged to process data on the basis of personal data protection provisions. Therefore, the company must remember that it is allowed to process only those data that are justified by the specific purpose of processing. Meanwhile, new personal ID cards contain data that are unnecessary for the purpose of concluding a contract, such as image, gender or nationality.
Copies of documents are often made by banks. In the opinion of the President of the Personal Data Protection Office, this practice is allowed only in certain situations. It shouldn’t be used for opening an account, checking creditworthiness or entering into a loan agreement.
However, we should be aware that pursuant to Art. 34 para. 4 of the Act on Counteracting Money Laundering and Terrorism Financing, some entities are allowed to make copies of the client’s identity documents, like ID cards, for the purposes of applying financial security measures. The entities that are entitled to copy IDs on the basis of this Act are i.a.: banks, insurance companies, exchange offices and notaries.
