"Know Your Customer" and data protection

Online transactions and creating online accounts have become an integral part of our everyday lives, but they also harbour risks. To prevent identity theft and fraud, the digital economy is increasingly relying on "Know Your Customer" procedures. Or is the primary aim to gather even more data about customers and their behaviour? And how secure is our data during these checks? To mark World Consumer Day on 15 March, we take a look at what consumers need to know about KYC and their rights under EU data protection laws.

Procedure for secure online transactions

Online shopping, banking and digital services have become an integral part of everyday life, but they also harbour risks such as identity theft and payment fraud. To counter these threats, many companies implement KYC procedures to verify the identity of their customers before completing online transactions. Techniques such as two-factor authentication are now commonplace, but eID procedures and digital signatures are also on the rise. While these checks can help protect both consumers and businesses, they also raise questions about data protection and other consumer rights.

What is KYC and why is it used?

KYC is the process of verifying the identity of users before completing an online transaction. This is common practice in the banking and financial sector, but is also increasingly being used by e-commerce, telecommunications providers and online platforms. The purpose is to assess whether someone is a "good customer", but also to prevent fraud, money laundering and other illegal activities.

Beyond fraud detection, companies also use KYC for marketing and customer segmentation. Based on their purchasing behaviour, some customers may receive personalised offers, while others may be denied access to certain payment methods or even have their accounts restricted. Consumers have reported cases to the ECC network where repeated complaints or returns have led to account suspensions, often without justification.

Companies usually record the following:

  • Name and postal address
  • Email address and telephone number
  • IP address and device type (PC, smartphone, operating system)
  • Payment card or bank account details
  • Time
  • Occasionally the location

Many companies use scoring systems to assess the solvency and reliability of customers, often via external databases such as Schufa in Germany or KSV in Austria.

KYC requirements vary across EU countries

The rules for identity verification vary within the EU. Here are a few examples:

  • Austria: In accordance with the Financial Market and Money Laundering Act, credit institutions and similar organisations must take measures to identify and verify the identity of their customers. For online accounts, this is regulated by the Identification Regulation (Online-IDV), which stipulates anti-counterfeiting measures, data protection and also when identification must be terminated. The Austrian Data Protection Act (DSG) allows additional information or copies of identification documents to be requested if there are reasonable doubts about identity. However, traders may not request proof of identity without good reason; this must not be disproportionate, arbitrary or discriminatory. Legitimate interests that permit proof of identification include, for example, verifying legal age (e.g. sale of alcohol, tobacco products) or fulfilling legal requirements for certain types of contracts or preventing fraud. Identity verification is also permitted for very expensive products or products that can be easily resold.
  • Germany: Consumers may be asked to provide a copy of their identity card, but must be informed that they may black out irrelevant information (e.g. serial number). Persons other than the cardholder may not pass on the copy to third parties.
  • France: Retailers may request proof of identity for card payments. However, consumers may refuse to present it.
  • Czechia: Anti-money laundering laws allow the copying of identity documents without consent of the consumer.
  • Bulgaria: In general, retailers may not request copies of identity documents, except in certain sectors such as banking or gambling.

Tips: 

If you need to provide a copy of an identity document, it is a good idea to edit the copy using a watermark tool. These tools add personalised text. This allows you to add a note to the copy indicating its purpose (e.g. "This copy is for the sole purpose of verifying my order no. xxx with the seller xxx"). It also helps to limit the period of validity to a specific date. This greatly reduces the risk of unauthorised use of personal data and other misuse.

  • Ensure that you do not disclose any sensitive data about your identity on any fake websites.
  • In general, be cautious when asked to provide identification. Not all companies are legally entitled to request copies of identification documents.
  • Ask why your data is needed.
  • Check your rights under the General Data Protection Regulation (GDPR). Pay attention to automated customer ratings and, if applicable, options for rejecting them. So-called customer scoring can be to your disadvantage (e.g. in the case of health data or age).

Consumer rights under the GDPR

According to the General Data Protection Regulation (GDPR), companies must ensure that any collection and processing of personal data is necessary, proportionate and transparent. As a consumer, you can request access to your data, its correction or deletion.

In January 2025, the Dutch supervisory authority imposed a fine of €4.75 million on a well-known streaming portal for failing to inform its customers about how their data was used, shared, stored and protected, either in a privacy policy or in response to direct enquiries. Decisions made by the European Data Protection Board (EDPB) are publicly available, for example here regarding violations in Austria.

European developments: Digital identity and KYC

The European Digital Wallet, an initiative of the European Commission, aims to provide EU citizens with a secure, interoperable (able to work across different systems, technologies and organisations) and data-minimising digital identification system throughout the EU. Consumers will be able to use the wallet to identify themselves digitally and sign legally valid contracts. The introduction is planned for 2026.

While this will make online transactions more convenient in the future by eliminating the need for data storage at multiple companies, we naturally also expect to retain full control over our personal data and have the right to challenge decisions based on automated assessments. At the same time, we need to consider what information we share, for what purpose and with whom. Carelessness and irresponsible behaviour can always lead to identity theft and misuse of our data, because technical safeguards are never perfect.

Conclusion: KYC must balance security and consumer rights

While KYC can help combat fraud, companies must ensure that data collection is fair, transparent and in line with GDPR regulations. Consumers should always be informed about how their data is used and have the opportunity to challenge unfair assessments or restrictions.

For further information on consumer rights in cross-border transactions, please contact us. We are part of the European Consumer Centres Network (ECC Network), which answered over 133,000 enquiries from European consumers in 2024.
