Data protection and money laundering law: inspection obligations regarding identity cards

By Nadja-Maria

A large amount of personal data can be found on an identity card. In many industries, particularly with regard to the Money Laundering Act, the question arises as to which personal data may be noted or copied and to what extent, or whether the ID card may even be scanned. In the following we give you a brief overview.

Money Laundering Act (GwG)

The new Money Laundering Act came into force on June 26, 2017. Under it, the so-called “obligated parties”, such as credit and financial services institutions, insurance companies, tax advisors, real estate agents and goods dealers, must identify their contractual partner when establishing a business relationship by recording the first and last name, place of birth, date of birth, nationality, address, and the type, number and issuing authority of the document presented for verification of identity. Pursuant to Section 8 (2) sentence 2 of the GwG, this recording obligation can also be fulfilled by presenting an ID, of which the obligated party can and must make a complete copy. There is no longer any obligation to redact certain data. According to § 8 III 2 GwG, these records are to be kept for five years and then immediately destroyed.

Inspection obligations in the individual industries

A brochure from June 2019 contains a detailed statement by the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia on the subject of data protection and identity cards.

This document contains important information and, above all, practical tips for various industries such as telecommunications providers (p. 5), motor vehicle trade (p. 6, 10), hotels (p. 9), rental (p. 9), road haulage (p. 10) etc. regarding the obligated party's inspection obligation.

What remains unchanged?

What remains unchanged is that ID cards may never be handed in as a deposit and that copies may only be made under very strict conditions. In these cases the copy must also be clearly marked. In addition, with electronic proof of identity, a legal basis such as consent or a legal requirement is still required for every data processing operation by the company, since the identity card contains a wealth of personal data. Likewise, only the personal data that is actually required for the business purpose may be collected for the electronic proof of identity.

If you have any questions, please do not hesitate to contact your specialist team at aigner business solutions GmbH. Simply fill out our contact form!


Nadja-Maria heads our in-house legal team. She studied law at the University of Passau, followed by her legal clerkship and the first and second state examinations. Her specialty is data protection law. She keeps her in-depth knowledge up to date at all times. As a result, she always has advice at hand for a tailored solution for our clients and our team.