GDPR
General Data Protection Regulation (GDPR) explained briefly
The General Data Protection Regulation (GDPR) forms the legal basis for handling personal data within the European Union. Digital identity verification often involves the use of sensitive data, such as identity documents or biometric features. The GDPR establishes clear guidelines on how companies can handle such data.
This article explains what the GDPR means in practice, the requirements it places on companies and how to implement verification processes in compliance with data protection regulations.
GDPR definition
The General Data Protection Regulation (GDPR) is an EU regulation that came into force on 25 May 2018. Its purpose is to regulate the protection of personal data and the rights of individuals when their data is processed.
Its aim is to establish a consistent standard of data protection across the EU while facilitating the free flow of data. The GDPR applies to all organisations processing data from EU citizens, regardless of their location.
For example, if a company processes ID data, photos or videos for identity verification purposes, that processing is subject to the GDPR. Such data is particularly sensitive and may only be collected, stored and shared under certain conditions. This makes the GDPR the central legal basis for digital verification processes.
GDPR requirements for digital identity verification
In order to integrate digital identity verification into their processes, companies must meet several requirements:
1. Legal basis
Any data processing must be based on a legal ground. This basis can be the express consent of the user or a legitimate interest, such as fraud prevention or anti-money laundering checks.
2. Purpose limitation and data minimisation
Any collected data may only be processed for the specified purpose. The principle of only processing as much information as is necessary applies. Superfluous information must not be stored.
3. Transparency
Data subjects must be clearly and understandably informed about data processing. This includes information about the controller, the purpose of use and storage periods, as well as their rights (e.g. the right to information).
4. Storage and deletion
Personal data must be deleted once the purpose for which it was collected no longer applies. Permanent storage is only permitted if there are legal retention obligations. These obligations can arise from the Money Laundering Act (GwG), for example, or from other regulatory requirements of BaFin.
Financial institutions, insurers and crypto platforms that are required to verify identity under the GwG must retain certain data for up to five years. This includes copies of ID cards, identification logs and proof of allocation, for example. The data may only be deleted after this period has expired, unless other legal regulations require it to be stored for longer.
Technically integrated data protection: Privacy by Design
One of the central principles of the GDPR is privacy by design. Data protection must be ensured not only through contracts or guidelines, but also through the technical design of systems.
For digital identity solutions, this means:
- short storage periods
- secure data transmission (e.g. encryption)
- access restrictions and documented processes
- privacy-friendly default settings
A data protection impact assessment may also be necessary for procedures involving biometrics, for example.
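The storage and deletion rule in requirement 4 and the privacy-by-design measures listed above can be enforced in code rather than only in policy documents. The following Python script is an added example and is not PXL Vision's software or code from the original page: it strips a verification record down to an assumed minimum field set before anything is persisted, decides per record whether deletion is due (purpose fulfilled and no statutory duty) or blocked by a GwG retention obligation, and tracks the 72-hour breach notification deadline. The five-year GwG period and the 72-hour deadline come from the text; the field list, the 30-day default window, the record format and the helper names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set, Tuple

# Assumed minimum field set for the verification purpose (constructed for this
# example; a real set must be derived from the documented purpose and be justified).
REQUIRED_FIELDS = frozenset({"document_number", "expiry_date", "match_score", "verified_at"})

GWG_RETENTION = timedelta(days=5 * 365)    # GwG: retain for up to five years (from the page)
DEFAULT_RETENTION = timedelta(days=30)     # assumed deletion window once the purpose is fulfilled
BREACH_NOTIFICATION = timedelta(hours=72)  # GDPR breach notification deadline (from the page)


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper so timestamps in this example are always timezone-aware UTC."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def minimise(raw: dict) -> Tuple[dict, Set[str]]:
    """Data minimisation: keep only the required fields and report what was dropped.

    The dropped names are returned so the caller can log that superfluous data
    (selfie frames, address, ...) was discarded before storage, never stored and
    deleted later.
    """
    kept = {key: value for key, value in raw.items() if key in REQUIRED_FIELDS}
    dropped = set(raw) - REQUIRED_FIELDS
    return kept, dropped


@dataclass(frozen=True)
class StoredVerification:
    verification_id: str
    completed_at: datetime            # moment the verification purpose was fulfilled
    legal_hold: Optional[str] = None  # e.g. "GwG" when a statutory retention duty applies


def retention_decision(item: StoredVerification, now: datetime) -> Tuple[str, str]:
    """Return ("retain" | "delete", reason).

    Deletion follows expiry of the purpose unless a statutory duty extends it;
    an unrecognised hold is never deleted silently but flagged for review.
    """
    if item.legal_hold == "GwG":
        deadline = item.completed_at + GWG_RETENTION
        if now < deadline:
            return "retain", f"GwG retention obligation until {deadline.date().isoformat()}"
        return "delete", "GwG retention period expired"
    if item.legal_hold is not None:
        return "retain", f"unrecognised legal hold '{item.legal_hold}', needs manual review"
    deadline = item.completed_at + DEFAULT_RETENTION
    if now < deadline:
        return "retain", f"within default window until {deadline.date().isoformat()}"
    return "delete", "purpose fulfilled and no statutory retention duty"


def sweep(items: Iterable[StoredVerification], now: datetime) -> List[str]:
    """Return ids due for deletion; the caller deletes them and records the reason."""
    return [item.verification_id for item in items if retention_decision(item, now)[0] == "delete"]


def breach_notification_status(detected_at: datetime, now: datetime) -> Tuple[datetime, bool]:
    """Deadline for notifying the supervisory authority and whether it has already passed."""
    deadline = detected_at + BREACH_NOTIFICATION
    return deadline, now > deadline


if __name__ == "__main__":
    # Constructed sample record: the last two fields are superfluous for the purpose.
    raw_record = {
        "document_number": "DOC-EXAMPLE-0001", "expiry_date": "2031-01-01",
        "match_score": 0.97, "verified_at": "2024-01-01T10:00:00Z",
        "selfie_frames": "<binary>", "home_address": "Example Street 1",
    }
    kept, dropped = minimise(raw_record)
    print("stored fields:", sorted(kept), "dropped:", sorted(dropped))

    records = [
        StoredVerification("v1", utc(2024, 1, 1)),
        StoredVerification("v2", utc(2024, 1, 1), legal_hold="GwG"),
    ]
    for rec in records:
        print(rec.verification_id, retention_decision(rec, utc(2024, 3, 1)))
    print("due for deletion on 2024-03-01:", sweep(records, utc(2024, 3, 1)))
    print("breach deadline:", breach_notification_status(utc(2024, 5, 1, 9), utc(2024, 5, 2, 9)))
```

The sweep is meant to run on a schedule; every deletion and every retained-on-hold decision should be written to an audit log, which is the documented process the privacy-by-design list asks for.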
Digression: The revised Data Protection Act (revDSG) in Switzerland
The revised Data Protection Act (revDSG) came into force in Switzerland on 1 September 2023. It modernises the country's data protection framework, aligning it with the European GDPR in key areas. The aim is to strengthen the rights of data subjects and facilitate international data exchange, particularly with the EU.
Although Switzerland is not an EU member state, many Swiss companies must still comply with the GDPR, for instance when processing the data of individuals residing in the EU. In everyday digital identity verification, this often results in duplicate requirements that must be considered under both the revDSG and the GDPR.
The following table shows the key similarities and differences between the two sets of regulations with regard to data-driven processes such as identity verification:
Differences and similarities: GDPR and revDSG
Aspect | GDPR (EU) | revDSG (Switzerland)
--- | --- | ---
Scope | Applies in all EU member states | Applies only in Switzerland
International scope of application | Also applies to companies outside the EU if they process data from EU citizens | Also applies to foreign companies with links to Switzerland
Consent | Must be voluntary, informed and verifiable | Equivalent requirements
Legitimate interest | Admissible as a legal basis if interests can be weighed up | Also permissible with similar weighing of interests
Rights of data subjects | Comprehensive: information, correction, deletion, data portability, etc. | Designed accordingly, in some cases with restrictions on data portability
Data protection impact assessment | Mandatory for high risk (e.g. for biometric procedures) | Also mandatory in high-risk situations
Privacy by Design | Legally established and mandatory | Corresponding obligation also contained in the revDSG
Obligation to report data breaches | Within 72 hours | No fixed deadline, but ‘as soon as possible’
Penalties | Up to €20 million or 4% of annual turnover (also against companies) | Maximum fine of CHF 250,000, but only against natural persons (e.g. management); legal entities such as companies are not directly penalised
GDPR-compliant identity verification with PXL Vision
PXL Vision's solutions allow digital identity checks to be carried out efficiently while complying with data protection regulations. Our software is designed to process only the necessary data. Verification is browser-based with no permanent data storage. This means that companies meet the requirements of the GDPR and revDSG while also creating a trustworthy user experience.
Further details on data protection and our comprehensive guidelines can be found in our Trust Centre.
FAQ: General Data Protection Regulation and identity verification
It means that data is collected lawfully, processed for specific purposes and deleted in a timely manner, in compliance with transparency and security requirements.
Not necessarily. Legal obligations or legitimate interests may also constitute a permissible basis.
Data such as biometric characteristics, ID information or video data from verification processes require special protective measures.
Only for as long as they are needed for verification purposes. After that, they must be deleted unless legal obligations require longer storage.
The GDPR applies to the processing of data belonging to EU citizens, including by Swiss companies. In addition, the revDSG is closely based on the GDPR.