In this article, we explain why you must not request customers’ ID documents to manage incidents, lost orders or other requests related to their purchases.
- What is not allowed
- Why you must not request an ID document
- What you should do instead
- Legal references
You are not allowed to request the customer’s ID document, a copy of their ID document or any equivalent identity document to manage an incident or a lost order.
The customer already has a created and verified account, so requesting their ID document to manage incidents such as lost orders is not appropriate.
In addition, the GDPR requires the data minimisation principle to be applied. This means that only personal data that is adequate, relevant and strictly necessary for the specific purpose may be processed.
- Do not ask the customer for a copy or photo of their ID document.
- Do not request the ID document number unless there is an express instruction or legal basis that justifies it.
- Use the information available in the order and in the customer’s account to manage the incident.
- If you need to validate any detail, request only the minimum information required to resolve the case.
- GDPR, Article 5: sets out the data minimisation principle, under which personal data must be adequate, relevant and limited to what is necessary for the purpose of the processing.
- AEPD Report 7/2023: notes that ID document information should only be processed when required by law or when strictly necessary for the intended purpose.
- AEPD: if there are less intrusive measures that allow the identification or verification purpose to be achieved, requesting an ID document should be avoided.