ING Bank Śląski intends to appeal the PLN 18.4 million fine imposed by the President of the Personal Data Protection Office (UODO) for scanning customer identity documents, ING spokesman Piotr Utrata said. The bank cites anti-money laundering regulations as the reason for collecting the scans.
On Monday, “Dziennik Gazeta Prawna” reported that the President of the Personal Data Protection Office (UODO) imposed a fine on ING Bank Śląski for violating the General Data Protection Regulation (GDPR) by copying customer ID documents. The newspaper explained that the Anti-Money Laundering and Terrorism Financing Act came into force in 2018; pursuant to this act, the bank began scanning customer ID cards, including potential ones. The UODO found that the bank's actions were excessive and violated GDPR regulations, DGP reported.
A spokesperson for ING Bank Śląski told PAP that the UODO president's decision “refers to the practice of scanning ID cards from April 2019 to September 2020.” “The Bank intends to appeal the decision by exercising its right to file a complaint with the Provincial Administrative Court in Warsaw. We emphasize that the Bank fully cooperated with PUODO (the president of the UODO – PAP) at every stage of the proceedings,” Utrata emphasized.
He added that the bank collected document scans in situations where it was “necessary to fulfill the obligations arising from the Act.” “The scans were obtained solely for this purpose. We emphasize that ING Bank Śląski complies with applicable legal provisions and compliance rules (actions guaranteeing compliance with the law – PAP),” the spokesperson assured.
According to the decision of the President of the Personal Data Protection Office (UODO), cited by “DGP,” signing a loan agreement, for example, was to be conditional on the client's consent to have the document scanned. “It was simply assumed that in each of the cases indicated in the aforementioned procedures and instructions, a scan of the client's or potential client's identity document should be performed – in many situations, the performance of activities for the client was contingent upon obtaining it. Therefore, the bank did not conduct an individual risk assessment of the client and the actions they took. The bank's practice (…) led to situations where identity documents were scanned in cases not related to the fulfillment of obligations specified in AML regulations,” the UODO decision, cited by the newspaper, emphasized.
As reported by the newspaper, the President of the Office also stated that the Act does not authorize automatic scanning of documents of all individuals who contact a bank. “Only the identification of this risk provides a basis for the application of appropriately selected financial security measures,” the DGP reported. The President of the Office also emphasized that copying documents is a right, not an obligation, of the bank, so any decision should be preceded by an analysis of whether it is necessary.
Following the inspection, the bank was required to change its procedures and ensure that it would only copy documents for the purpose of implementing and documenting financial security measures – primarily when entering into contracts with new clients or changing their data. “The bank's subsequent departure from the practice of obtaining copies (scans) of client identity documents in some situations confirms that such a necessity never arose in these cases, and that the previous operating procedures in this area were – even in the bank's own opinion – inconsistent with the provisions of the AML Act,” the President of the Personal Data Protection Office (UODO) stated in the decision imposing the fine. (PAP)
jls/ mmu/
