For organisations: rules for establishing identity

Do you, as an organisation, want to or have to establish someone's identity, for example a customer's? Then there are several ways to do this. The ‘most intrusive’ way to do this is to ask for or make a copy, scan or photo (hereinafter: copy) of this person's identity document. This is only permitted if you have a legal obligation to do so. The least intrusive way is to establish the identity without an identity document. On this page you can read which way you use in which situation.

On this page

Statutory rules for identification

Processing personal data for purposes of identification (establishing someone's identity) is subject to rules. These rules can be found, among other things, in the General Data Protection Regulation (GDPR) and the GDPR Implementation Act.

 

You do not process personal data if you ask people to show their identity document. This is why this situation does not fall under the GDPR and the GDPR Implementation Act.

Other (statutory) rules may apply, though, if you ask people to show their identity document. For example:

  • Pursuant to the Dutch Compulsory Identification Act, people are obliged to show their identity document in some situations.
  • Pursuant to the Dutch Passport Act, an identity document always remains the property of the state.

Ways to identify people

You can establish the identity of people in the following ways:

  • asking for or making a full copy of the identity document;
  • asking for or making a blocked copy of the identity document;
  • having the identity document shown (and possibly copying data from it);
  • establishing someone's identity without an identity document.

Full copy of identity document

You are only allowed to make or ask for a full copy, scan or photo (hereinafter: copy) of someone's identity document if this is permitted by law. For example, pursuant to the Dutch Wages and Salaries Tax Act, employers are obliged to make a full copy of the identity documents of their employees.

A full copy means that all personal data are visible, including the citizen service number (BSN) and the photo. Note: these rules are the same if you scan the identity document and ‘import’ personal data in the process.

Blocked copy of identity document

Do you not have a statutory obligation to make or ask for a full copy? Then you are sometimes allowed to make or ask for a copy of an identity document on which certain personal data have been blocked, such as someone's citizen service number (BSN). You are only allowed to make or ask for a blocked copy if there is really no other way. Always check, therefore, if there is a less intrusive way.

Having an identity document shown

Are you unable to establish someone's identity in a less intrusive way? Then it is often sufficient if that person shows an identity document. This is also called ‘providing proof of identity’ or ‘producing identification’. In that case, you are not allowed to make a copy of the identity document, not even a blocked copy.
After you have seen the identity document, you can note down the type of identity document and the document number, if desired. Note: sometimes you are required by law to copy certain personal data from someone's identity document. This applies, for example, for healthcare providers.
 

Establishing identity without an identity document

Is it possible to establish someone's identity without the identity document of this person? Then you have to opt for this way.

For example: You have a webshop. Your customers want access to their data. In that case, the customer number in combination with the name and address will often be enough for you to verify the identity of a customer. Do customers want to remove their account? Then they can log in and indicate that they want to remove their data.

Information provision when asking for a copy of an identity document

Do you ask for or make a (full or blocked) copy of someone's identity document? Then you will have to provide this person (the data subject) with certain information. Pursuant to the obligation to provide information from the GDPR, you are required to do this.

The information to be provided by you

You must provide the data subject of your own accord (and therefore not only when the data subject asks for this) with at least the following information:

Requirements the information must meet

The information must be transparent, understandable and clear. You must provide the information in simple language.

Inform and instruct your employees
 

You have to ensure that your employees who ask for copies know which information they have to provide. And that they actually provide this information.


Securing a copy of an identity card
 

Do you process a copy of an identity document? Then you must secure this copy very well to prevent the risk of identity fraud as far as possible.