GDPR | Apr 20, 2026

UODO (Poland) - DKN.5112.33.2022

Poland's UODO fines company €1.39M for unlawfully collecting ID card and passport scans.

Summary

The Polish Data Protection Authority (UODO) fined an unnamed company PLN 5,898,064 (€1,392,768) for processing users' personal data excessively and without a valid legal basis. The company requested photos of ID cards, passports, and payment cards from users suspected of fraud, violating Article 6(1) GDPR and the principles of lawfulness, data minimization, and accountability. The DPA ordered the company to cease the processing and delete all collected biometric and identification documents.

Full text

From GDPRhub. Latest revision as of 11:29, 20 April 2026.

Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 5(2) GDPR; Article 6(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 19.02.2026
Fine: 5,898,064 PLN
Parties: n/a
National Case Number/Name: DKN.5112.33.2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: Portal Orzeczen (in PL)
Initial Contributor: dt

The DPA fined a company PLN 5,898,064 (approximately €1,392,768) for unlawfully collecting images and scans of ID cards and passports of the users of its application.

English Summary

Facts

The Polish DPA conducted an investigation into a company (the controller) in October 2022 in relation to the processing of its users’ (the data subjects) personal data via the controller’s application.

The DPA found that, if fraud was suspected, the controller may ask a user to identify themselves by sending a photo of the front of the credit or debit card linked to their account or a photo of an ID card or passport.

The controller claimed it carried out the processing of personal data in accordance with Article 6(1)(f) GDPR based on its legitimate interest to verify the identity of a person suspected of fraud.

Holding

The DPA concluded that the controller violated several data protection provisions by processing the personal data of its users in an excessive and disproportionate manner when asking them to submit photos or scans of ID cards or passports for the purpose of identity verification.

Specifically, the DPA found that the controller breached Article 6(1) GDPR by processing personal data without a valid legal basis. Therefore, the controller breached the principle of lawfulness under Article 5(1)(a) GDPR and the principle of data minimisation under Article 5(1)(c) GDPR. The DPA also held that the controller breached the principle of accountability in Article 5(2) GDPR.

Therefore, the DPA fined the controller PLN 5,898,064 (approximately €1,392,768) and ordered the controller to bring its operations into compliance by ceasing the processing of those categories of data and deleting the data already collected.

Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted.

Entities

UODO (Poland) (vendor)