News

🇪🇸 No ID card by email

Confidentiality & Security | 30/03/2025

💥 Requesting an ID by unsecured email can be very costly!

Source: PS-00457-2023
Country: Spain, AEPD

🧾 Facts

An investor requested information about several real estate projects in which they had invested.
In response, the project management company asked them to provide a scanned copy of their DNI (national ID card)… without providing any information about how the data would be processed.

🚨 Violations identified by the AEPD

🔹 1. Article 13 GDPR – Duty to inform

  • The company requested a copy of the DNI without providing:
    • the identity of the data controller,
    • the legal basis,
    • the purpose,
    • the data retention period,
    • the data subject’s rights.
  • It did not provide a privacy policy or processing register, despite multiple requests from the AEPD.
  • The AEPD concluded a total lack of transparency, violating the principles of lawfulness, fairness, and transparency (Article 5.1.a).

🔹 2. Article 32 GDPR – Security of processing

  • The ID copy was requested via unsecured email.
  • Email is an unencrypted channel, exposed to risks of interception.
  • The company did not implement appropriate technical or organizational measures to protect such sensitive data, nor did it perform a risk analysis.

⚖️ Basis for the fine

The AEPD highlighted:

  • A serious and manifest lack of diligence.
  • A refusal to cooperate during the procedure (no documentation provided).
  • The national ID card contains highly sensitive data, and its disclosure exposes the holder to identity theft.
  • The request for the ID was not illegitimate in itself (identity verification), but the lack of transparency and security made the processing unlawful.

💰 Penalty

  • €50,000 for violation of Article 13 (duty to inform)
  • €50,000 for violation of Article 32 (data security)
  • Total fine: €100,000

🔐 Key Takeaways

  1. Requesting an ID can be legitimate — only if full information is provided (Article 13).
  2. Never request identity documents via unsecured email.
  3. 🧾 Always maintain a register of processing activities, a clear privacy policy, and a risk assessment for processing sensitive data.