Photocopying of identity cards - legal or illegal?


Art. 4 of the Law on identity cards states that an identity card is a document confirming identity and citizenship. Is the photocopying of ID cards therefore legal, or maybe allowed in some situations? Do the banks that copy the evidence break the law? Can the employer photocopy the evidence?

When is copying an ID card legal?

The identity card includes, first of all, the surname, first name, PESEL number, date and place of birth, gender, age - these are personal data that should be protected, and their processing is subject to specific legal requirements. In addition, the evidence includes such information as the date of issue of the proof, its expiry date,

Article 79 of the Act on identity cards reads:


1) evades the obligation to have or replace an ID card,

2) keeps someone else's ID card without legal basis,

3) does not return an identity card in the event of loss of Polish citizenship,

shall be subject to the penalty of restriction of liberty or a fine. "

It is worth paying attention to point 2 - it is punishable to keep someone else's ID card. Therefore, it is not lawful to hold ID cards as collateral by various types of rental companies or telecommunications companies.

On the other hand, as regards the seizure of a photocopy of an identity card, the jurisprudence stipulates that photocopying itself is only a technical activity which is not prohibited. However, it is important not to process more information when copying evidence than is necessary to achieve the purposes of concluding the contract, i.e. not to process data when there is no legal basis for their processing.

If it is not possible to obtain relevant information by means other than copying the proof, then after the photocopying, all data should be obliterated and hidden beyond those necessary for the fulfillment of the purpose of the contract.

However, there are situations where photocopying of ID cards is legal - banks have such a right under Art. 112b of the Banking Law, which reads: Banks may process, for the purposes of their banking activity, information contained in identity documents of natural persons.

Photocopying of ID cards by banks may take place only when it is necessary for the performance of banking activities (e.g. granting loans, keeping accounts). However, it is forbidden to copy the evidence by banks for other purposes, e.g. for marketing purposes.

Photocopying of identity cards by the employer

GIODO is of the opinion that the photocopying of the identity card by the employer violates the Personal Data Protection Act - if this way the employer obtains more information than is entitled to it.

Art. 22 § 1 of the Labor Code indicates which personal data the employer may require from the employee. These are:

  • first name and last name,

  • parents' names,

  • date of birth,

  • place of residence (correspondence address),

  • education,

  • the course of previous employment.

In the following paragraphs of this article, we will read that the employer may also request other personal data of the employee and his PESEL number, as well as data on the names and surnames and dates of birth of children - but only if these data are necessary for the granting of appropriate employee benefits.

The disclosure of personal data to the employer takes place in the form of a declaration of the data subject, but the employer has the right to request that this information be documented.

Ideally, the employer should avoid copying ID cards. The above information can be obtained by other means than by copying ID documents. However, if a copy of the personal document is the only way to confirm the data needed to carry out the employment process, then in the case of photocopying of identity cards, the employer should cover and blur data that he does not need, and therefore which he has no right to process. Such data include, for example, gender, age, height, etc.

Start a free 30-day trial period with no strings attached!

What does the GDPR say about photocopying of evidence?

The GDPR does not explicitly prohibit the photocopying of identity cards, but it indicates the principle of minimalism, which says to process only such information that is strictly necessary for a given purpose. This means that it will not be possible to process data freely specified by the administrator. It is the controller who will be responsible for proving that specific data is necessary for him to achieve a specific purpose.