For organisations: rules for establishing identity
Do you, as an organisation, want to or have to establish someone's identity, for example a customer's? Then there are several ways to do this. The ‘most intrusive’ way to do this is to ask for or make a copy, scan or photo (hereinafter: copy) of this person's identity document. This is only permitted if you have a legal obligation to do so. The least intrusive way is to establish the identity without an identity document. On this page you can read which way you use in which situation.
On this page
Statutory rules for identification
Processing personal data for purposes of identification (establishing someone's identity) is subject to rules. These rules can be found, among other things, in the General Data Protection Regulation (GDPR) and the GDPR Implementation Act.
You do not process personal data if you ask people to show their identity document. This is why this situation does not fall under the GDPR and the GDPR Implementation Act.
Other (statutory) rules may apply, though, if you ask people to show their identity document. For example:
- Pursuant to the Dutch Compulsory Identification Act, people are obliged to show their identity document in some situations.
- Pursuant to the Dutch Passport Act, an identity document always remains the property of the state.
Ways to identify people
You can establish the identity of people in the following ways:
- asking for or making a full copy of the identity document;
- asking for or making a blocked copy of the identity document;
- having the identity document shown (and possibly copying data from it);
- establishing someone's identity without an identity document.
Full copy of identity document
You are only allowed to make or ask for a full copy, scan or photo (hereinafter: copy) of someone's identity document if this is permitted by law. For example, pursuant to the Dutch Wages and Salaries Tax Act, employers are obliged to make a full copy of the identity documents of their employees.
A full copy means that all personal data are visible, including the citizen service number (BSN) and the photo. Note: these rules are the same if you scan the identity document and ‘import’ personal data in the process.
Blocked copy of identity document
Do you not have a statutory obligation to make or ask for a full copy? Then you are sometimes allowed to make or ask for a copy of an identity document on which certain personal data have been blocked, such as someone's citizen service number (BSN). You are only allowed to make or ask for a blocked copy if there is really no other way. Always check, therefore, if there is a less intrusive way.
Having an identity document shown
Are you unable to establish someone's identity in a less intrusive way? Then it is often sufficient if that person shows an identity document. This is also called ‘providing proof of identity’ or ‘producing identification’. In that case, you are not allowed to make a copy of the identity document, not even a blocked copy.
After you have seen the identity document, you can note down the type of identity document and the document number, if desired. Note: sometimes you are required by law to copy certain personal data from someone's identity document. This applies, for example, for healthcare providers.
Establishing identity without an identity document
Is it possible to establish someone's identity without the identity document of this person? Then you have to opt for this way.
For example: You have a webshop. Your customers want access to their data. In that case, the customer number in combination with the name and address will often be enough for you to verify the identity of a customer. Do customers want to remove their account? Then they can log in and indicate that they want to remove their data.
Information provision when asking for a copy of an identity document
Do you ask for or make a (full or blocked) copy of someone's identity document? Then you will have to provide this person (the data subject) with certain information. Pursuant to the obligation to provide information from the GDPR, you are required to do this.
The information to be provided by you
You must provide the data subject of your own accord (and therefore not only when the data subject asks for this) with at least the following information:
- The purpose for which you ask for the copy of the identity document;
- The legal basis for processing (Article 6 GDPR);
- Which personal data from the identity document you do not need, if the data subject provides a copy themselves. To ensure that you do not receive more personal data than strictly necessary.
Requirements the information must meet
The information must be transparent, understandable and clear. You must provide the information in simple language.
Inform and instruct your employees
You have to ensure that your employees who ask for copies know which information they have to provide. And that they actually provide this information.
Securing a copy of an identity card
Do you process a copy of an identity document? Then you must secure this copy very well to prevent the risk of identity fraud as far as possible.