Poland fines ING Bank Śląski 18.4m zloty over data privacy violations

Aug 27, 2025 | Business, Law

Keep our news free from ads and paywalls by making a donation to support our work!

Notes from Poland is run by a small editorial team and is published by an independent, non-profit foundation that is funded through donations from our readers. We cannot do what we do without your support.

Poland’s data protection agency has fined ING Bank Śląski – which is majority owned by the Dutch ING Group – 18.4 million zloty (€4.3 million) for breaching EU privacy rules. It is the second-largest such penalty ever issued by the agency.

The Personal Data Protection Office (UODO) said that ING, the fourth-largest bank in Poland in terms of assets, had unlawfully scanned and stored customers’ and prospective clients’ identity cards between April 2019 and September 2020.

The bank said it introduced the practice to comply with anti-money laundering (AML) rules but, according to UODO, its actions exceeded what was required by law. The bank said it would appeal the decision.

Under Poland’s 2018 anti-money laundering act, which implemented an earlier EU directive, lenders may process and copy information from identity documents. UODO, however, said that ING had applied the rule excessively and without adequate legal basis.

“Identity documents were…scanned in cases not related to the fulfilment of obligations specified in the AML act,” the agency said in a statement, noting that while the copying of documents is permitted, it is not mandatory and should be preceded by an assessment of whether it is necessary, something that ING failed to do on a large scale.

UODO gave the example of an individual who tried to file a complaint about a bank branch’s ATM. According to the Dziennik Gazeta Prawna daily, the person was informed by the bank that their identity card would have to be scanned before the complaint could be accepted, even though the query was unrelated to AML.

 

UODO also highlighted the risks related to the mass processing of personal data. It noted that any such activity “must be associated with a higher level of responsibility” and “a higher level of due diligence” on the part of the controller, “as it may have negative consequences for many people”.

In 2020, ING had 4.72 million customers in Poland, including 4.24 million individual customers and 486,000 corporate customers, said the agency, citing the bank’s data.

The bank said it had fully cooperated with UODO during proceedings, explaining that the scans were collected solely to meet obligations under the AML law. It has also changed its procedures, limiting the copying of identity documents only to cases involving new customers or existing client data changes.

However, UODO imposed a fine of 18.4 million zloty on ING, saying that the penalty was “effective, proportionate and had a discouraging effect”. Last year, the bank achieved a consolidated net profit of 4.4 billion zloty.

ING spokesman Piotr Utrata told Dziennik Gazeta Prawna that the bank would challenge the decision at the administrative court in Warsaw. The fine is the second-largest ever issued in Poland for violating EU data protection rules, and the biggest against a private company, the newspaper reported.

Earlier this year, UODO fined Poland’s state post office, Poczta Polska, 27 million zloty for unlawfully processing data from 30 million citizens while preparing for the 2020 presidential election, which was at one stage planned to be conducted by post because of the Covid pandemic.


Notes from Poland is run by a small editorial team and published by an independent, non-profit foundation that is funded through donations from our readers. We cannot do what we do without your support.

Main image credit: ING Bank Śląski press materials

Pin It on Pinterest

Support us!