Scanning and copying of ID cards is a widespread practice in the German business sector. Copies of ID cards are required as proof of identity, taken to the file or scanned (e. g. by online services, credit agencies, logistics companies, fitness studios). Does this practice violate data protection law or the often claimed “ban” on copying ID cards? In short: In many cases it is – but not always. For instance, some companies enjoy exemptions from the legal rules that forbid copying. Also, while scanning is forbidden in principle, it is not clear whether this also applies to pure copying.
Permissibility According to the German ID Card Act (PAuswG): No Scanning, Copying only under Certain Circumstances
The extent to which data may be collected from the new ID card is governed by the German ID Card Act (Personalausweisgesetz – PAuswG). The Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) does not apply. In terms of scanning and copying, the PAuswG was supposed to provide clarity (cf. the commentary by the legislator):
In the future, the collection and use of personal data from or with the help of the ID card must only be carried out by the designated means. […] Other methods, such as the optoelectronic recording (“scanning”) of identification data or of the machine-readable area shall be explicitly excluded.
However, this prohibition on scanning has only been expressed incompletely or at least ambiguously in Sec. 20(2) PauswG. According to this provision, apart from the permitted reading of the integrated chip for “electronic proof of identity” (Sec. 18 PAuswG), any use of the ID card for “automated retrieval” or “automated storage” is prohibited. However, only scanning for storage purposes is clearly recorded and thus prohibited, as confirmed by a judgement of the VG Hannover (Az. 10 A 5342/11). Whether this also includes temporary scanning into a device’s RAM (e. g. in the context of a copying process with a modern copier) is not clear; in case of doubt, it is advisable to avoid also such temporary scanning.
The Hanover Regional Court, on the other hand, has left it open, “whether the mere copying of identity cards… is actually prohibited”. This is also not clearly stated in Sec. 20(2) PAuswG. For if you don’t consider that modern photocopiers have an electronic buffer, making a copy in paper form as such is actually neither an “automated retrieval” nor a from “automated storage”. As long as no automated storage takes place, some supervisory authorities therefore see room for the holder of an ID card to copy it – and for third parties to copy it on behalf of the holder (cf. e.g. the statements of the data protection authorities of Northrhine-Westphalia and Hamburg; however, the ULD Schleswig-Holstein, in p. 17 of its information brochure, is more restrictive). One possible area of application would be the identification by means of a copy of the identity card in case the holders excercise their right to access personal data, e. g. against credit agencies.
However, the opposite view is also held, claiming that not only scanning but also copying by private authorities is prohibited (apart from the special cases mentioned below, for example from the German Money Laundering Act). As an argument for this, some refer to the fact that the Federal Republic of Germany is the owner of the identity cards and as such has the power to determine how they may be used. In light of Sec. 20 PAuswG, however, it is doubtful whether the German state has in fact excercised this power to issue a general ban on copying.
In any Event, Use of Copies of ID Cards is Very Limited under Current Law
Even if one follows the view that copies of the identity card are not prohibited per se, the admissibility is strictly limited.
- The copy must serve the purpose of proving the identity (Sec. 20 para. 1 PAuswG).
- As always in data protection, the copy must also be necessary for this purpose. In the case of an “identification of a person that is present”, a copy is generally not necessary, as checking the original of the identification card is sufficient. In the case of “identification of a person absent” – by sending a copy – the copy must not be kept longer than necessary, which usually speaks for an immediate destruction.
- In some cases it is required that the copy is marked as such (e. g. by a handwritten label “COPY”) – although the question is whether there really is any danger of confusion a paper copy with the original ID card (which after all is clearly and obviously distinguishable as a chip card and by the protective cover).
- Often, the identification purpose can also be achieved if information which is not required is blackened. For this purpose, there are also privacy-enhancing copying stencils.
- Finally, it should be pointed out once again that automated storage (e. g. as PDF) is not allowed. This is clearly forbidden, as is the preceding act of scanning.
Exceptions according to the Money Laundering Act etc.
The situation is different where special laws take precedence over the PAuswG and allow copying in exceptional cases. Examples are:
- Section 8(1)(3) of the Money Laundering Act (Geldwäschegesetz – GWG): pursuant to this, banks, credit institutions, insurance companies, but also e. g. tax advisors, brokers or lawyers are in certain cases subject to legal recording obligations which they may fulfil by keeping copies of identity cards
- Section 95(4)(2) of the Telecommunications Act (Telekommunikationsgesetz – TKG): permits telecommunications providers to copy ID cards at the time of conclusion of the contract
- 3 Signature Ordinance (Signaturverordnung): on the basis of this provision, providers of certificates often require copies of identification documents in accordance with the Signature Act (Signaturgesetz)
- authorities are also partially authorised to collect copies (e. g. the Federal Motor Transport Authority when inspecting the register of driving aptitude, see Section 64(1) no. 2 Driving Licence Ordinance (Fahrerlaubnisverordnung))
Where there is no such clear permission, however, copies are prohibited in principle (or, only allowed under the above-mentioned tight conditions). Also common copying practices, e. g. of hotels (which are based on the Registration Act (Meldegesetz)) or age checks (according to the Youth Protection Act (Jugendschutzgesetz)) are therefore highly dubious.
As is so often the case, the legal situation is unfortunately opaque for non-legal practitioners. If a company or authority requires a copy of your identity card and you have doubts about the legality, you may contact your competent data protection authority or a lawyer.