Can a rental company require a photo of my ID card?

More and more companies are asking for a photo or scan of your ID card as part of a contract or registration. The question, however, is whether this is allowed. The answer in most cases is no. A decision of the Belgian Data Protection Authority (DPA) of 19 August 2025 (No. 132/2025) affirms that requiring a copy of an ID card for anti-fraud purposes is often a step too far, especially when less intrusive alternatives exist.

The facts: an e-bike rental contract

The case revolved around a company that rents bicycles on a subscription basis. For the more expensive electric bikes, the company had implemented a specific procedure to prevent fraud. Customers had to register online, uploading a photo of their ID card. This photo was then forwarded to a specialized outside firm (a "processor") that verified the authenticity of the card.

A client opposed this practice. She believed that a visual inspection in the store, as used previously and again later, should suffice. She was particularly concerned about the processing of her national registry number, which appears on the back of the eID. When her request for access to her processed data went unanswered after a year, she filed a complaint with the DPA.

The decision of the Data Protection Authority

The DPA's Litigation Chamber ruled that the rental company had violated the General Data Protection Regulation (GDPR) on several counts.

The crux of the decision is that there was no valid legal basis for processing an ID card photo. The DPA analyzed the two most obvious legal grounds and rejected both:

  1. Necessary for the performance of the contract (Art. 6.1.b GDPR): The DPA argued that taking and processing a photograph was not objectively necessary to execute the rental contract. A simple visual check of the identification card when the bicycle was picked up was sufficient to establish the identity of the renter. The fact that the company used this method both before and after the disputed period showed that the photo procedure was not essential.
  2. Legitimate interest (Art. 6.1.f GDPR): Although combatting fraud is a legitimate and justifiable interest for a company, the procedure failed on the "necessity test." For processing to be based on this ground, it must be not only appropriate but also necessary: there must be no less intrusive, equivalent alternative that achieves the same purpose. In this case, that alternative existed: the physical, visual inspection.

In addition to the lack of a legal basis, the DPA identified other violations:

  • Lack of transparency (Art. 5.1.a, 12 and 13 GDPR): The privacy notice was incomplete. It did not mention third-party identity verification. It also was unclear about whether or not the bike's location data was continuously tracked.
  • Violation of the right of access (Art. 12 and 15 GDPR): The company had not responded to the customer's request for access within the statutory one-month period. The argument that the e-mail had ended up in the spam folder was not accepted as a valid excuse.

Ultimately, the DPA issued a reprimand for the unlawful processing and the disregard of the right of access, and a warning for the lack of transparency about location data.

Legal analysis and interpretation

This decision is an important reminder of the strict interpretation of the necessity requirement within the GDPR. The ratio decidendi of the Litigation Chamber is clear: the fact that a processing operation is useful, convenient or desirable for a company does not make it "necessary" in the legal sense. Both for the performance of a contract (Art. 6.1.b) and for legitimate interest (Art. 6.1.f), the controller must be able to demonstrate that the method chosen is the least intrusive way to achieve the intended purpose.

The DPA also makes a crucial distinction between visually checking an identity card and processing it in a file. In principle, an employee who compares the data on an eID with the registration data is not performing a processing operation covered by the GDPR, because the data is not intended to be stored. However, once a photo, scan or copy is taken, new personal data is created that is stored, transmitted and retained. This is full-fledged processing to which the strict rules of the GDPR apply, including the requirement of a valid legal basis and the principle of data minimization (Art. 5.1.c GDPR).

Moreover, the failure to respond to an access request in a timely manner illustrates a lack of internal procedures. It shows that the accountability obligation (Art. 5.2 GDPR) goes beyond simply drafting a privacy notice; companies must also take the technical and organizational measures needed to effectively guarantee the rights of data subjects.

What this specifically means

  • For consumers: Be critical when a company requests a copy or photo of your ID card for an everyday contract (rental, subscription, purchase). Ask about the purpose and legal basis. Suggest an alternative, such as an on-site visual inspection. Know that you have the right to ask to see the data a company keeps on you and that they must answer within one month.
  • For businesses and service providers: This decision sends a clear message. Evaluate your onboarding and verification processes.
    • Necessity: Is it really necessary to ask for a copy of the eID? Can you not achieve your goal (e.g., identity verification, fraud prevention) with a less intrusive method?
    • Documentation: If you do believe it is necessary, thoroughly document your assessment (a Data Protection Impact Assessment, or DPIA, may be useful here) and the analysis of the legal basis.
    • Transparency: Make sure your privacy notice is complete, clear and specific. List all processing operations, the outside parties (processors) involved and the purposes. Do not scatter information across different documents such as general terms and conditions.
    • Data subjects' rights: Implement a watertight procedure to handle customer requests (access, deletion, etc.) correctly and in a timely manner. An e-mail in a spam folder is your responsibility.

Frequently asked questions (FAQ)

Is asking for a copy of my ID card always illegal?
No, not always. In certain sectors, such as the financial sector (to prevent money laundering) or at temporary employment agencies, there is a specific legal obligation. For most commercial contracts, however, there is no legal obligation and a visual check is sufficient.

What is the difference between showing my eID and having a picture of it taken?
Showing your ID card for a quick, visual check is generally not considered "processing" within the meaning of the GDPR. Taking a photo or scan creates a digital file. This is a full-fledged processing of personal data, to which all the protection rules of the GDPR apply.

My request for access to my data is being ignored. What can I do?
An organization is required by law to respond to your request within one month. If that deadline has passed, you can send a reminder. If no response is forthcoming, you may file a complaint with the Data Protection Authority.

Conclusion

This ruling by the DPA emphasizes that convenience for the entrepreneur does not take precedence over the protection of the citizen's personal data. The principle of necessity must be interpreted strictly: if there is a less intrusive way to achieve a goal, it must be used. For businesses, this is an incentive to critically scrutinize their data processing and ensure full transparency and respect for their customers' rights.


Joris Deene

Attorney-partner at Everest Attorneys
