GDPR and Identity Documents: Complete Compliance Guide for Businesses
GDPR compliance for identity documents: collection rules, retention periods, data protection requirements. Practical guide for businesses.
Collecting a copy of an identity document is routine for most businesses. It is also one of the highest-risk processing activities under the GDPR. An identity document contains sensitive personal data -- a unique number, photograph, signature, and sometimes biometric data -- whose non-compliant processing exposes the business to fines of up to EUR 20 million or 4% of global annual turnover. This guide covers the applicable rules, supervisory authority guidance, and the concrete measures required to process identity documents in full compliance.
The Legal Framework: What the GDPR Says About Identity Documents
The GDPR (Regulation EU 2016/679) does not contain specific provisions for identity documents. Their processing falls under the regulation's general principles, supplemented by national data protection authority guidance and case law.
The Core Principles That Apply
Five GDPR principles apply directly to the collection and processing of identity documents:
Lawfulness of processing (Article 6). Collecting an identity document must rest on a valid legal basis. Depending on the context, this may be a legal obligation (banking KYC, employment contract), performance of a contract (lease agreement), or the legitimate interest of the data controller (verifying a service provider's identity). Consent is rarely the appropriate basis due to the power imbalance between the business and the data subject.
Data minimization (Article 5(1)(c)). The business must collect only the information strictly necessary for the stated purpose. This principle has major practical consequences for identity document processing, detailed below.
Storage limitation (Article 5(1)(e)). Identity documents cannot be retained indefinitely. The retention period must be defined in advance and justified by the processing purpose.
Integrity and confidentiality (Article 5(1)(f)). Identity documents must be protected against unauthorized access, loss, destruction, or alteration through appropriate technical and organizational measures.
Transparency (Article 13). The individual whose identity is being verified must be informed clearly and completely: who processes their data, why, for how long, and what their rights are.
National Data Protection Legislation
National laws implementing the GDPR add important specifics. In the EU, each member state has supplementary legislation governing identity data. For example, national ID numbers and social security numbers are subject to strict purpose limitations -- their collection is restricted to specific uses such as payroll, social protection, and authorized research.
Criminal codes across EU member states also penalize identity theft and fraudulent collection of identity data (in France, this is covered by Articles 226-1 et seq. of the Penal Code and Article 226-4-1 on identity theft), reinforcing the obligation to secure collected documents.
Supervisory Authority Guidance: Practical Rules
Data protection authorities across Europe -- the CNIL in France, the ICO in the UK, the BfDI in Germany, the DPA in Ireland -- have published guidelines and recommendations on processing identity documents. While not legally binding in themselves, these recommendations are systematically used as reference points during enforcement actions.
When Can You Collect an Identity Document?
Supervisory authorities distinguish three levels of identity verification based on the purpose:
| Level | Description | Examples | Document Required |
|---|---|---|---|
| 1 - Declarative | Simple collection of name and surname | Newsletter signup, basic account creation | No identity document |
| 2 - Simple verification | Confirming the person is who they claim to be | Property rental, subscription signup | Presentation of document (no copy) or partial copy |
| 3 - Enhanced verification | Legal obligation to verify identity | Bank account opening (KYC), hiring, notarial acts | Full copy of identity document |
Critical point. Many businesses systematically collect full copies of identity documents when Level 2 verification would suffice. This commonly occurs with real estate agencies demanding front-and-back ID copies for simple property viewings, or companies photocopying visitor IDs at reception.
Data Minimization Applied to Identity Documents
Data minimization is the most frequently overlooked principle in identity document processing. Supervisory authorities provide precise guidance.
Redaction of unnecessary data. When a document copy is required, data not relevant to the stated purpose must be redacted. For example, when verifying a tenant's identity, the ID card number is unnecessary and should be obscured.
Prohibition on collecting certain data. Authorities emphasize that collecting the photograph from an identity document is justified only when physical identity verification is necessary (physical access control, biometric comparison). For purely administrative verification, the photo must be redacted.
Data to redact by purpose:
| Purpose | Necessary Data | Data to Redact |
|---|---|---|
| Property rental | Name, date of birth, validity | Photo, document number, signature |
| Bank account opening (KYC) | All document data | None (legal obligation) |
| Employment contract | Name, nationality, work authorization | Photo (unless for badge), signature |
| Age verification | Date of birth | Everything else |
| Registered mail delivery | Name | Everything else |
Retention Periods
The GDPR and national legislation impose strict retention periods that vary by processing purpose and legal basis.
| Context | Retention Period | Legal Basis |
|---|---|---|
| Banking/insurance KYC | 5 years after end of business relationship | EU AML Directive / national AML legislation |
| Employment contract | 5 years after departure of employee | Employment law |
| Property rental (accepted application) | Duration of lease + 3 years (statute of limitations) | Civil code |
| Property rental (rejected application) | Immediate deletion, 1 month maximum | Supervisory authority guidance |
| One-time identity verification | Duration of the verification only, no retention | Supervisory authority guidance |
| Notarial acts | 75 years | Legal obligation |
| AML/CFT compliance | 5 years after execution of the transaction | AML legislation |
Common mistake. Retaining identity documents of rejected rental applicants is a GDPR infraction. Multiple real estate agencies have been sanctioned on this exact point.
Technical Measures to Protect Identity Documents
The GDPR requires "appropriate" technical and organizational measures to protect personal data. For identity documents -- which carry a high risk of identity theft in case of a data breach -- these measures must be particularly robust.
Mandatory Measures per Supervisory Authority Guidance
Encryption at rest and in transit. As outlined in the CNIL's practice guide for security of personal data (2024 edition), digital copies of identity documents must be encrypted with a recognized algorithm (AES-256 minimum). Transmissions must use TLS 1.2 or higher.
Strict access controls. Access to identity documents must be limited to individuals with a justified operational need. Access rights must be reviewed quarterly. Every access must be logged in an audit trail.
Secure hosting. Identity documents must be hosted on servers located within the European Union, with a hosting provider offering sufficient guarantees. Certifications such as ISO 27001 or SOC 2 are recommended. For high-volume processing, sovereign cloud certifications (such as France's SecNumCloud) provide additional assurance. Our security page details the standards we meet.
Secure deletion. At the end of the retention period, documents must be deleted irreversibly (cryptographic erasure or physical destruction of the storage medium). Moving a file to the recycle bin does not constitute compliant deletion.
Recommended Measures for High-Volume Processing
For businesses processing more than 1,000 identity documents per month, supervisory authorities recommend additional measures:
- Data Protection Impact Assessment (DPIA). Mandatory when the processing is likely to result in a high risk to the rights and freedoms of individuals. Large-scale processing of identity documents falls into this category.
- Pseudonymization of extracted data. Data extracted from documents (name, number) should be pseudonymized in production databases. The link to the source document should be accessible only in a dedicated secure environment.
- Environment segregation. Production, testing, and development environments must be strictly separated. No real identity documents should be present in test environments.
Data Subject Rights
Individuals whose identity documents are collected have specific rights that the business must be able to fulfill within the legal deadlines.
Rights Summary Table
| Right | Response Deadline | Applicable to Identity Documents? | Specifics |
|---|---|---|---|
| Access (Art. 15) | 1 month | Yes | The business must provide a copy of all data held, including the document copy |
| Rectification (Art. 16) | 1 month | Yes | In case of identity change (marriage, etc.) |
| Erasure (Art. 17) | 1 month | Partially | Not possible if retention is a legal obligation (KYC) |
| Restriction (Art. 18) | 1 month | Yes | The document is retained but no longer used |
| Portability (Art. 20) | 1 month | Generally no | Applies only to data provided on the basis of consent or contract |
| Objection (Art. 21) | 1 month | Partially | Not possible if processing is based on a legal obligation |
Erasure Requests: Practical Scenarios
The right to erasure is the most frequent and most delicate request to handle for identity documents. Three typical situations:
Scenario 1: A customer requests deletion of their ID card copy after canceling their insurance policy. The insurer can refuse if the legal retention period (5 years) has not elapsed. However, it must inform the customer of the legal basis justifying continued retention and the scheduled deletion date.
Scenario 2: A rejected rental applicant requests deletion of their documents. The agency must delete all documents immediately. Refusal constitutes a GDPR infraction.
Scenario 3: A former employee requests deletion of their ID copy 6 years after leaving. The company must proceed with deletion, as the 5-year retention period has expired.
GDPR and Automated Document Verification
Using automated document validation solutions raises specific GDPR questions, particularly regarding automated decision-making and data processing agreements.
The Automated Decision-Making Question (Article 22)
Article 22 of the GDPR governs fully automated decisions that produce legal or similarly significant effects. An automatic file rejection based on identity document non-compliance potentially falls within this scope.
To remain compliant, the business must:
- Inform the individual that an automated decision may be made.
- Guarantee the right to human intervention (an operator must be able to review the file).
- Explain the logic behind the decision (reason for rejection, unmet criterion).
Well-designed AI solutions build these requirements in natively by providing a structured reason for each rejection and routing borderline cases to a human operator.
The Data Processing Agreement (Article 28)
When a business uses an external provider for document verification, it must formalize the relationship through a data processing agreement compliant with Article 28 of the GDPR. This agreement must specify:
- The nature and purpose of the processing.
- The types of personal data processed.
- The security measures implemented by the processor.
- The conditions for sub-processing.
- The terms for data return and deletion at contract end.
- The conditions for audit by the data controller.
Data Transfers Outside the EU
The choice of document verification provider must factor in data transfer implications. Since the invalidation of Privacy Shield by the CJEU and the reinforced requirements following the Schrems II ruling, transferring identity documents to servers outside the European Union carries major legal risks. Supervisory authorities explicitly recommend solutions hosted within the EU.
GDPR Compliance Checklist for Identity Documents
Here are the actions to verify to ensure your identity document processing is compliant.
Before Collection
- Verify that collecting the identity document is justified by an identified legal basis.
- Confirm that the required verification level (declarative, simple, enhanced) matches the stated purpose.
- Draft or update the GDPR privacy notice (Article 13) including: identity of the data controller, purpose, retention period, and data subject rights.
- Conduct a Data Protection Impact Assessment (DPIA) if processing is large-scale.
During Processing
- Apply data minimization: redact data not necessary for the stated purpose.
- Encrypt collected documents (at rest and in transit).
- Restrict access to authorized personnel only, with access logging.
- If using an external KYC compliance provider, verify the existence of an Article 28 data processing agreement and confirm EU data hosting.
- If automated decisions are made, guarantee the right to human intervention and decision explanation.
After Processing
- Schedule automatic deletion of documents at the end of the retention period.
- Implement a process for responding to data subject rights requests (access, erasure, rectification) within the one-month deadline.
- Document the processing in the record of processing activities (Article 30).
- Audit process compliance annually.
Enforcement Actions Related to Identity Documents
Data protection authorities regularly sanction violations related to identity document processing. In 2024 alone, France's CNIL issued 87 sanctions totaling EUR 55 million, doubling the number of decisions from 2023. Fine amounts have increased significantly since 2023. The full list of CNIL sanctions is publicly available.
| Year | Sanctioned Entity | Violation | Fine |
|---|---|---|---|
| 2023 | Real estate group | Unlimited retention of ID document copies | EUR 600,000 |
| 2024 | Fintech company | Failure to encrypt stored identity documents | EUR 1,200,000 |
| 2024 | Rental platform | Disproportionate collection (unnecessary documents) | EUR 400,000 |
| 2025 | Banking institution | Failure to inform individuals about retention periods | EUR 2,500,000 |
| 2025 | Temporary staffing agency | Failure to delete documents of rejected candidates | EUR 300,000 |
These sanctions illustrate the increasing vigilance of data protection authorities on this topic and the importance of rigorous identity document handling.
Balancing GDPR Compliance and Operational Efficiency
GDPR compliance and operational efficiency are not contradictory. The most advanced automated document verification solutions build GDPR requirements in natively: automatic data minimization, end-to-end encryption, scheduled deletion, full audit trails, and the right to human intervention.
CheckFile designed its document validation platform with native GDPR compliance. Documents are processed and hosted exclusively within the European Union, encrypted end-to-end, and automatically deleted at the expiration of the retention period you define. Every processing action is logged and auditable. Contact our team for a demo and a compliance audit of your current document workflows.