Taking a photo of a customer’s ID as a requirement to deliver a courier package is “excessive”. This is established by a resolution of the Spanish Data Protection Agency, which has fined the company Orange 100,000 euros because a delivery person demanded to photograph both sides of the identity card of the person to whom he had to deliver a package that contained a mobile phone.
Data Protection believes that this practice is “excessive” and is not limited to “what is necessary”:
“Access to the image of the ID, photographing both the back and the front, and processing it for the purpose of delivering a product through the mobile terminal of the delivery company’s delivery company is considered excessive and not limited to what is necessary for relation to the relevant purposes.”
The resolution refers to article 5 of the EU General Data Protection Regulation :
“Personal data will be adequate, relevant, and limited to what is necessary for relation to the purposes for which they are processed.”
A case that dates back to 2020
The events date back to April 2020, when the person whose ID was claimed and a delivery man from the GLS company went to the Civil Guard barracks in Totana, in Murcia, because the first he complained that as a condition for handing over the package, he was required to take a photo of both sides of his ID.
In the allegations presented, Orange defends itself by pointing out that this system was implemented “as a reinforcement security measure against the cases of attempted fraud and impersonation that were occurring in 2020 in relation to the reception of home deliveries”. In fact, he alleges that he had already informed the buyer that, at the time of delivery, he had to have his ID available and that the delivery man could ask for it.
The company assures that the purpose of photographing the DNI is to be able to “accredit, subsequently and in the event that it is necessary, that the due diligence has been deployed in verifying the identity of the person to whom the contracted product is delivered”.
Data Protection, however, warns that a DNI contains much more information than is necessary to know that the person is the one to whom the package is addressed and asks to use ” less harmful and aggressive means for privacy” :
“The DNI contains not only the name and surname, the number and the photograph of the recipient, but also incorporates many other data: signature, address, place, and date of birth, key to access the information it contains, date of issue, date of validity, alphanumeric code, sending team and office, etc., completely additional data that are neither adequate nor relevant nor limited to the purpose of the delivery of the goods, and that to certify that the person who collects the product is the owner who provided the data at the time of contracting, other means must be used that are less harmful and aggressive for people’s privacy”
Read also: Rescue road to the Castle, students on their way to rediscover it
Photos sent over an encrypted channel
The delivery company, GLS, alleges that the delivery system in question is called IdentService and seeks to provide “more assurance that the package has indeed been delivered to the recipient and not to anyone else who may live in the same home address”.
This procedure was launched in 2018 at the request of a GLS client. The photos, the company insists, are transmitted through an encrypted channel to GLS’s system and are not stored on the delivery device of the delivery person, but instead, end up on the company’s own internal server.
GLS notes that only a maintenance technician has access to this server. Images are stored for one year and GLS customers can access them via a link, but without being able to view photos and IDs indiscriminately.
The resolution puts an end to the administrative process, but Orange can present an appeal for reinstatement or an administrative dispute before the National Court.