The topic Copying ID cards Data protection is of great importance in Germany. Until 2010, the copying of ID cards was prohibited by law. With the amendment to the ID card law, holders were allowed to make copies themselves. However, passing them on to third parties remains problematic.

The introduction of the GDPR brought stricter rules for the handling of personal data. The Identity protection and the preservation of the Privacy are in the foreground. Copies of ID cards are only permitted under certain conditions and with the express consent of the holder.

Despite the relaxation, copying ID cards remains a data protection concern in many cases. Companies must carefully check whether they actually need a copy or whether less sensitive data is sufficient. The principle of data minimization plays a central role here.

Important findings

  • Copying ID cards was prohibited until 2010
  • GDPR brought stricter rules for data storage
  • Copies of ID cards only permitted with the holder's consent
  • Data minimization is an important principle
  • Many industries have special regulations
  • Identity protection and Privacy have high priority

The legal basis: German ID Card Act and GDPR

The German ID Card Act and the General Data Protection Regulation (GDPR) form the legal basis for the handling of personal data in Germany. These laws regulate how companies and authorities are allowed to handle copies of ID cards and what rights citizens have when their data is processed.

Changes to the Identity Card Act since 2010

Since 2010, the German ID Card Act (PersAuswG) has allowed ID card copies to be made, but only with the holder's consent. This strengthens control over one's own digital identity. Important to know: Serial numbers may not be used automatically to retrieve personal data.

Effects of the GDPR on the handling of copies of ID cards

The GDPR has further tightened data protection. It requires that the processing of personal data is appropriate and limited to what is necessary. For companies, this means

  • Copies of ID cards must be clearly recognizable as such
  • Passing on to third parties is only permitted by the card holder
  • Data must be deleted after a certain period of time

Despite these regulations, there are exceptions, for example in the financial sector or with telecommunications providers. Here, copies of ID cards may be created and stored for longer under certain conditions. The Data security is always at the forefront in order to protect citizens' personal data.

Copying ID cards Data protection: principles and challenges

The copying of ID cards presents companies with data protection challenges. The principle of data minimization requires that only necessary information is stored. This serves to protect against Identity theft and creates trust with customers.

Since 2017, ID cards may only be copied with the holder's consent. This regulation applies equally to photocopying, photographing and scanning. Companies must check whether a copy is really necessary or whether individual data is sufficient.

ID card holders have the right to black out data that is not required. Access and document numbers are particularly sensitive. These measures increase the Counterfeit protection and reduce the digital footprint.

"The protection of personal data is crucial for trust between companies and customers."

Exceptions apply to certain sectors:

  • Banks and financial service providers may copy ID cards in accordance with the Money Laundering Act
  • Telecommunications providers when concluding contracts
  • Providers of certificates in accordance with the Signature Ordinance

Despite these exceptions, data protection remains a key challenge. Companies must carefully consider what data they actually need and how they can best protect it.

When is the copying of ID cards permitted?

Since July 2017, the ID Card Act has allowed ID cards to be copied under certain conditions. This change was made because the previous regulation proved to be impractical. The Identity protection remains an important topic.

Exceptions for certain industries and situations

In some sectors, copying ID cards is not only permitted, but even mandatory. Financial service providers must identify individuals in accordance with the Money Laundering Act. Telecommunications providers are allowed to copy ID cards, but are obliged to destroy the copies after the contract has been concluded.

The role of the consent of the ID card holder

The collection or processing of personal data from the ID card is only permitted with the consent of the ID card holder. This also applies to the creation of copies. A copy of an ID card may be passed on within an organization, but not to third parties.

Industry Permission to copy Special requirements
Financial service provider Yes Money Laundering Act
Telecommunications Yes Destruction after conclusion of contract
Hotel industry No Documentation of guest data only

To ensure data protection, companies should only make copies of ID cards that are absolutely necessary and black out irrelevant information. This serves to protect against Identity theft and complies with the principle of data minimization in accordance with the GDPR.

Data protection concerns with copies of ID cards

The practice of copying ID cards raises considerable data protection concerns. Many companies routinely request copies of ID cards without questioning their necessity or legality. This leads to numerous complaints to data protection authorities.

According to the amended ID Card Act, ID cards may not be copied without the holder's consent. Even with consent, the principle of data minimization applies. Complete copies often contain more data than is necessary for identification, which makes the Privacy of citizens is at risk.

A ruling by the Hanover Administrative Court confirmed the ban on scanning and storing ID cards. The Federal Ministry of the Interior also emphasizes the inadmissibility of reproducing ID documents.

A visual check of the ID card is often sufficient to verify identity without making a copy.

Companies should rethink their practices and only collect the personal data that is really necessary. The Data security and the protection of privacy must have top priority.

Aspect Legal assessment
Copying without consent Inadmissible according to § 20 para. 2 PAuswG
Copying with consent Observe the principle of data minimization
Complete copy Usually not necessary and questionable in terms of data protection law
Visual inspection Often sufficient for identity verification

Principle of data minimization: What data is really necessary?

The principle of data minimization is a central aspect of handling personal information. It requires that only data that is absolutely necessary for the respective purpose is collected and stored. This applies in particular to ID card data, which often contains more information than necessary.

Relevant data for various business purposes

For most business applications, the name, address and expiry date of the ID card are sufficient. As a rule, the ID number should not be recorded. When renting out residential property, for example, landlords are not allowed to make copies, but only a note about the identity check.

Techniques for minimizing the stored data

There are various methods to reduce the amount of data. Redaction of unnecessary data is a common practice. It is equally important to delete the data immediately after the purpose has been fulfilled. Telecommunications providers are required by law to destroy copies of ID cards after the contract has been concluded.

Industry Required data Storage period
Financial service provider Name, address, date of birth, ID number 5-10 years
Telecommunications Name, address Until end of contract
Letting Name, address Note only, no copy

The Counterfeit protection plays an important role in digital identity. New electronic ID cards enable secure verification without unnecessary data storage. Companies should always check whether a note "ID card has been presented" is sufficient instead of making a complete copy.

Redaction of identity card data: Rights and options

The redaction of ID card data is an important instrument for protecting identity and privacy. Since 2017, the ID Card Act has allowed ID cards to be copied under certain conditions. Nevertheless, citizens have the right to black out unnecessary data.

Particularly sensitive information such as access numbers should be made unrecognizable. This protects against data misuse and unauthorized access. Companies must inform customers of their right to redaction.

The Data security is in the foreground. A table shows which data can often be redacted:

ID card data Blackening recommended
Access number Yes
Serial number Yes
Place of birth Mostly yes
Name No
Date of birth Depending on the situation

It is important to note that some industries, such as financial service providers, are not allowed to redact certain data due to legal requirements. In these cases, data security must be ensured by other measures.

Special regulations for financial service providers and telecommunications providers

Financial service providers and telecommunications providers are subject to strict regulations when handling ID cards. These regulations serve to Counterfeit protection and the protection of digital identity.

Requirements of the Money Laundering Act

According to the Money Laundering Act (GwG), financial service providers must identify their customers. They store the name, address, date of birth, ID number and issuing authority. Copies of ID cards must be kept for five years and then deleted.

Data to be retained Storage period
Name, address, date of birth 5 years
ID card number, issuing authority 5 years
Copy of identity card 5 years, then deletion

Obligations under the Telecommunications Act

Telecommunications providers may request photo identification when concluding a contract. They use the data to fulfill the contract. The copies must be destroyed after the contract is concluded. This strengthens the digital identity of the customers.

Both sectors must comply with the GDPR. They inform customers about the purpose and duration of data storage. The forgery protection of ID cards plays an important role in identity verification.

ID card copies in everyday life: hotel industry, rental and retail trade

In everyday life, the question often arises as to the correct handling of ID cards. Identity protection plays a central role here. In the hotel industry, registration forms are mandatory, but copies of ID cards are not. Landlords are allowed to check ID cards, but not to copy them. These rules serve to protect personal data.

Strict regulations apply to copying ID cards in the retail sector. Data protection is the top priority here. Only data necessary for the contractual relationship may be noted. Only identity and age checks are permitted for age verification in youth protection. It is not permitted to leave the ID card as a deposit.

Since 2017, over 300 Europcar branches in Germany have been using the Genuine-ID EASYCHECK system. It enables ID documents to be checked quickly and securely. This electronic method protects against theft and detects possible document misuse. This ensures identity protection in the rental business without having to copy ID cards.

FAQ

What does the ID Card Act say about copying ID cards?

The 2010 ID Card Act allows copies of ID cards to be made with the holder's consent. However, only the ID card holder is permitted to pass them on to third parties.

What impact does the GDPR have on the handling of copies of ID cards?

The GDPR introduced stricter rules for the storage of personal data. Copies of ID cards are only permitted with the express consent of the holder and under certain conditions. Data processing must be appropriate, restricted to what is necessary and limited in time.

What does the principle of data minimization mean?

The principle of data minimization requires that only necessary data is stored. Companies must check whether a copy of an ID card is really necessary. ID card holders have the right to black out unnecessary data.

In which sectors are copies of ID cards permitted or required?

According to the Money Laundering Act, financial service providers must identify individuals. Telecommunications providers are allowed to copy ID cards, but must destroy the copies after the contract has been concluded. In other sectors, copies of ID cards are only permitted in certain situations.

Is a complete copy or scan of the ID card permissible?

A complete copy or scan of the ID card is generally not permitted and is usually not in line with data protection regulations.

What data may be stored for most business purposes?

For most business purposes, the name, address and period of validity of the ID card are sufficient. As a rule, ID numbers must not be noted.

Is it permitted to black out unnecessary ID data?

Blackening unneeded ID card data is permitted and often useful. It protects against unauthorized access and data misuse. Particularly sensitive data such as access and document numbers should be blacked out.

What obligations do financial service providers and telecommunications providers have?

Financial service providers are obliged to identify customers under the Money Laundering Act. Telecommunications providers may copy ID cards, but must destroy the copies after the contract has been concluded. Strict data protection regulations and retention periods apply.

Are hotels and landlords allowed to copy ID cards?

Registration forms are mandatory in the hotel industry, but not copies of ID cards. Landlords may check ID cards, but not copy them. In the retail trade, only data necessary for the contractual relationship may be noted.
DSB buchen
en_USEnglish