The Passport Problem: AML Requirements vs GDPR Reality

Why the everyday practice of collecting passport copies sits in tension with GDPR — and how to resolve it in the real world.

Published 9 June 2026 · by Andréas Hobbelin

The everyday tension

Obliged subjects must verify identity. Customers must hand over a passport copy. That copy then travels through email inboxes, WhatsApp threads and shared drives. None of those channels were designed for personal data of that sensitivity.

What the law actually requires

Law 10/2010 requires reliable identification, not specifically a photocopy. GDPR requires minimisation, security and purpose limitation. The two regimes are compatible — but only if the operational model is built deliberately.

Practical resolution

  • Move identity verification to a controlled platform, not personal channels.
  • Apply the 10-year retention rule as a maximum, not a default.
  • Eliminate consent forms for AML processing — the legal basis is legal obligation.
  • Prepare to migrate to reusable digital identity under eIDAS 2.0.