How to Store Client ID Copies Without Breaking GDPR
How to Store Client ID Copies Without Breaking GDPR
Most real estate agencies, property managers and gestorรญas keep a folder โ physical or digital โ full of client ID copies. DNIs, passports, residence cards, all scanned "just in case we need them later."
That habit is exactly what regulators are fining. In 2022 the Spanish Data Protection Agency (AEPD) fined a hotel โฌ30,000 for scanning a guest's full passport at check-in, ruling that keeping the whole image was excessive and had no legal basis behind it.
The uncomfortable truth: storing a copy of an ID is a separate processing activity from verifying identity, and most of the time you only need the second one. This article walks through what GDPR actually requires, when you may keep a copy, and how to identify clients without building a liability you don't need.
The rule that catches everyone: data minimization
Article 5.1.c) of the GDPR says personal data must be "adequate, relevant and limited to what is necessary" for the purpose you're pursuing. This is the data minimization principle, and it is the single reason most ID-copy practices are unlawful.
An identity document is a dense bundle of data. A DNI or passport carries the photograph, the document number, the expiry date, parents' names, the CAN number, sometimes a fingerprint reference. When you photocopy or scan the whole thing, you collect all of it โ even though your actual purpose (confirm this person is who they claim to be) rarely needs more than the name and ID number.
The AEPD has repeated the point in plain language: asking for and keeping a copy of the DNI cannot become a generalised practice. If no law expressly requires it, storing the copy is excessive and unlawful processing under Article 5.1.c).
"But I have to identify my clients" โ yes, and those are different things
Verifying identity and storing a copy are not the same act. You can be legally obliged to do the first without any right to do the second.
A good example is Spanish accommodation. Royal Decree 933/2021 forces hotels and vacation rentals to collect specific traveller data and report it. But in June 2025 the AEPD clarified that this obligation does not authorise requesting a copy of the identity document โ you collect the required fields, not the image of the card.
The same logic applies across sectors:
- KYC in real estate โ anti-money-laundering rules may require you to identify and record a client, but "record the data" is not the same as "keep a photo of the passport indefinitely."
- Front desk / customer service โ checking that someone is who they say they are can be done by inspection, without a copy leaving the counter.
- Contracts โ you usually need the name and ID number on the contract, not a scanned card in a shared drive.
So before you store anything, answer one question: *does a specific law require me to hold the copy, or do I just need to have identified the person?* If it's the second, don't keep the copy.
When you actually may keep an ID copy
Storing a copy isn't banned outright โ it's banned when it's unnecessary. You're on solid ground when all of these are true:
- You have a lawful basis for the copy specifically โ not just for the relationship. Consent, a legal obligation, or a documented legitimate interest that survives a balancing test.
- A concrete purpose requires the image itself, not just the data on it. "Audit trail for a regulated transaction" can qualify; "in case we need it" does not.
- You minimise even within the copy โ redact or avoid fields you don't need. If only the name and number matter, don't retain the photo and parents' names.
- You've set a retention period tied to that purpose, and you delete when it expires.
- You've secured it โ access controls, encryption at rest, no ID copies floating in email or an open WhatsApp gallery.
If you can't tick all five, you're carrying risk, not documents.
A practical checklist for compliant storage
Use this as a working procedure rather than a legal essay:
- Map each field to a reason. For every piece of the ID you hold, write down the law or purpose that justifies it. Anything without a line gets dropped.
- Separate "identified" from "stored." Where the law only asks you to identify, record a note that identity was verified (who, when, which document type and number) instead of the image.
- Set retention per purpose. A KYC record and a tenancy file don't have the same lifespan. Assign each a deletion date backed by a rule, and automate the deletion.
- Lock down the storage. ID copies belong in an access-controlled, encrypted system โ never in personal email, chat threads or an unstructured cloud folder.
- Log the basis. Keep your lawful basis and retention decisions documented; if a regulator asks, "we always did it" is not an answer, but a mapped register is.
- Give people a way out. Where you rely on consent, it must be genuinely optional and revocable.
The good news: turning a document into structured data is now trivial. Instead of archiving the raw image, you can extract just the fields you need from a DNI or passport and drop the rest. That way "identify the client" produces a clean record โ name, number, verification timestamp โ instead of a high-risk scan you now have to guard and eventually delete.
The safest default: see it, don't keep it
When you're unsure, the most defensible posture is the one the AEPD keeps recommending: inspect the document, capture only the data you're allowed to hold, and don't retain the image.
In practice that means the person shows the ID, a staff member confirms it, and your system stores the necessary fields plus a note that verification happened โ not a photograph of the card. For online flows, the same outcome comes from digital certificates, payment-method checks, or one-time codes.
This is where extracting data beats scanning documents. If your identification step reads the card and returns structured data you can push straight into Excel or your CRM, you get the compliance benefit (only necessary fields, no lingering image) and kill the manual typing at the same time. For accommodation specifically, the same approach lets you register travellers in SES.Hospedajes without keeping ID copies โ you capture the required fields and stop there.
Storing less isn't just cheaper and faster. Under GDPR, it's usually the lawful option.
WhappScan turns the ID a client sends over WhatsApp into just the structured fields you're allowed to keep โ so you identify people without hoarding documents. See how at whappscan.com.