
IDPC Malta Reprimands Online Gaming Operator for GDPR Excessive Data Collection


Summary

The Information and Data Protection Commissioner (IDPC) issued a reprimand against an online gaming operator following a GDPR complaint alleging excessive data collection during fund withdrawals. The complainant objected to requests for a selfie holding proof of address in front of their residence and a full PayPal statement showing monthly income, despite already providing valid identification and proof of address. The controller justified the additional requirements citing fraud prevention concerns, including a low face-match score and suspected third-party account usage. IDPC determined the data requests were disproportionate to the withdrawal processing purpose, constituting a violation of GDPR data minimisation principles.

“These additional requirements are excessive and not justified”

Why this matters

Online gaming operators and fintech platforms processing withdrawals should audit their supplementary verification request procedures against GDPR Article 5(1)(c). The IDPC decision signals that fraud-prevention justifications do not automatically override data minimisation — controllers must document the specific, proportionate need for each data point requested. Operators collecting income statements, residence selfies, or similar expanded documentation as a standard secondary step during withdrawals face regulatory exposure. Internal fraud-team escalation procedures should include a documented data minimisation review before requests are sent to customers.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by IDPC Malta on idpc.org.mt. Detected, standardized, and enriched by GovPing.

What changed

IDPC Malta issued a reprimand finding that an online gaming operator violated GDPR Article 5(1)(c) by requesting excessive and disproportionate personal data from a data subject attempting to withdraw funds. The operator collected a selfie with proof of address and a full PayPal income statement in addition to standard KYB/KYC documentation already on file. The controller defended the requests citing fraud prevention, including documented discrepancies between the identification document and selfie, but IDPC determined these justifications did not outweigh the data minimisation requirement.

Online gaming operators and other entities processing financial transactions should review their withdrawal verification procedures against the data minimisation standard. Collecting income statements or requiring residence selfies goes beyond what is strictly necessary for fund transfers. Fraud investigation teams must document why each specific data point is essential and ensure requests are proportionate to the identified risk, not applied as a blanket additional verification requirement.

Archived snapshot

Apr 22, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

[REDACTED]

vs

[REDACTED]

COMPLAINT

  1. On the 4th September 2025, [REDACTED] lodged a data protection complaint with the Information and Data Protection Commissioner (the “Commissioner”) pursuant to article 77(1) of the General Data Protection Regulation [1] (the “Regulation”), alleging that [REDACTED] [2] (the “controller”) requested excessive and disproportionate information for the purpose of withdrawing funds.
  2. The complainant claimed that the controller “requested a selfie holding proof of address in front of my house and a complete PayPal account statement including income, despite already having received my valid ID and proof of address. These additional requirements are excessive and not justified”. The complainant submitted the correspondence exchanged between herself and the controller concerning the subject-matter of the complaint. This included, in particular, an email dated the 26th August 2025, wherein the controller requested that the complainant provide the following information for the purpose of processing the withdrawal of funds:
    • a. proof of address (utility bill, bank statement, or registration extract not older than six (6) months);
    • b. a selfie holding proof of address in front of the complainant’s residence; and
    • c. a PayPal statement with visible income for the month of August.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] Having its registration number C [REDACTED] and its registration address at [REDACTED].

INVESTIGATION

Request for submissions

  3. Pursuant to the internal investigative procedure of this Office, the Commissioner provided the controller with a copy of the complaint, including the supporting documentation submitted by the complainant, and enabled the controller to provide any information that it deemed relevant and necessary to defend itself against the allegation raised by the complainant. In addition, pursuant to article 58(1)(e) of the Regulation, the Commissioner requested the controller to provide the following information:
    • a. to specify which information is collected from data subjects for the purpose of processing the withdrawal of funds;
    • b. to provide a clear justification for why each category of information is collected for the purpose of processing the withdrawal; and
    • c. to indicate whether the controller has an internal policy that regulates the process of withdrawal, and if in the affirmative, to provide a copy.

Submissions of the controller

  4. On the 16th December 2025, the controller provided the following submissions for the Commissioner to consider during the legal analysis of the case:

Registration Process

  • a. that prior to using the services of the controller, each player is required to register on one of the controller's platforms and open a player account and during the course of the registration process, the player must accept the Terms and Conditions and is referred to the Privacy Policy of the controller;
  • b. that the Terms and Conditions applicable to the German platform ██████████ are available at ██████████ and the Privacy Policy is available at ██████████;
  • c. that the complainant opened a player account on the German platform available at [REDACTED] on the 8th August 2025 and prior to opening the gaming account on the controller's website, the complainant accepted the Terms and Conditions and was referred to the Privacy Policy of the controller;

Verification and Usage of the Services of the controller

  • d. that, on the German platform, services are provided exclusively to verified players and following completion of the double opt-in process and upon the first login, the player may select one of three available verification options and once the verification process has been successfully completed, the player is entitled to deposit funds, participate in gambling activities, and withdraw funds. New players benefit from a welcome bonus;
  • e. that the complainant decided to carry out the verification by the controller's verification partner, Shufti Pro, and during the Shufti Pro standard process according to Article 1.8 of the Terms and Conditions [3], the complainant had to provide an official photographic identification document (passport, driving licence or personal ID card) and a selfie;
  • f. that Shufti Pro reported a low face-match score as a warning, and the controller submitted the relevant evidence to the Commissioner with a request that the evidence be retained on the Commissioner's internal file and not disclosed to the complainant;
  • g. that, on the 17th August 2025, the complainant did her first deposit including some betting activities and after fulfilling the criteria to gain the welcome bonus she intended to withdraw the total funds, including the bonus money;
  • h. that the Fraud Team did further investigations and initiated a human check of the photographic identification document and selfie, and in the course of this review, the Fraud Team determined that the person pictured on the provided driving license [4] is indeed different to the person on the selfie;
  • i. that out of a total of more than three thousand (3,000) registered German customers in August 2025, only six (6) were subject to such an in-depth and case-specific review, and three (3) of these accounts (the complainant's account) showed a similar registration pattern as well as comparable betting behaviour;
  • j. that overall, the Fraud Team considered the suspicion of potential third-party use of the player account and, or third-party funding substantiated and the identified constellations indicate attempts to circumvent applicable limits or instances of actual third-party use of player accounts, for example through platforms, such as Robethood or Betcollabo;
  • k. that the business model of Betcollabo is described in the German language on a YouTube video which can be found at https://www.youtube.com/watch?v=K7gSPC6HIA8 and in summary, the controller explained the procedure to the Commissioner on a confidential basis;

[3] "Article 1.8 On request, the customer shall undertake to provide a copy of an official photographic identification document (passport, driving license, personal ID card) as well as additional documents and information (for example: evidence of the used means of payment, proof of address, asset and salary information, selfies) before the withdrawal will be processed".

[4] The evidence provided by the controller in its submissions indicates that the complainant submitted a copy of the identity card, rather than the driving licence.

Data Collected at Registration Stage for the Purpose of Withdrawal

  • l. that in a standard case, the following data are processed: first and last name, customer ID, address, email, date of withdrawal, payment type, payment solution, volume, transaction IP and country, registration IP and country, and payment account number;
  • m. that the Fraud Team conducts sample checks for suspicious betting or player behaviour and in case of doubts to the origins of the funds and the betting or player behaviour, the Fraud Team requests further documents from the player in concern before a withdrawal is released;
  • n. that the most established verification methods are in such cases a selfie in front of the house showing the player's resident address on the house number plate;
  • o. that the request for specified excerpts referring to the player's bank account is also a well-established verification method in exceptional cases with suspicious behaviour and for these cases, the controller usually requests a selfie and a bank statement;
  • p. that such specifications regarding withdrawals are defined in the Terms and Conditions, and therefore, players are informed that the controller may request identification documents before the withdrawal will be processed;

Why each category of information is collected for the purpose of processing the withdrawal

  • q. that the purposes for the processing of player data are generally defined in article 8 of the Privacy Policy, and the controller promises security measures on a high standard to the players;
  • r. that the controller is obliged to prevent fraud and other activities punishable by law and pursuant to the German gambling laws and supplementing provisions for the German market, the controller has to implement measures to limit circumventions;
  • s. that the controller is required to conduct investigations to possible player collusion and to take appropriate measures to prevent such conduct, and for such reason, the controller reviews player's activities through both manual and automated checks;
  • t. that due to the detailed description in Article F.7 and Article J.8 of the Terms, the standard procedure as well as the specified procedures are well known to players and easy to handle except the person who registered the player account is not the same as the person from the verification documents, and accordingly, refusal to comply with verification requests may indicate an attempt to conceal the involvement of a third party;

Internal Policy that regulates the process of withdrawal

  • u. that for standard users, the controller uses a ruleset as a security measure to compare the player's data with the payment data, and a player can only withdraw funds to a payment which was already used for a deposit;
  • v. that betting accounts with a focus on welcome bonus and similar betting behaviour as other accounts are subject to human checks for more specified investigations and request of additional verification documents, and according to Article F.19 of the Terms and Conditions, the controller is entitled to withhold payments in the event of a suspicion of criminal activity or breach of the Terms and Conditions until a final decision has been made by the competent authority.

Submissions of the complainant

  5. Pursuant to the internal investigative procedure of this Office, the complainant was provided with the opportunity to rebut the submissions of the controller. On the 18th December 2025, the complainant submitted the following arguments for the Commissioner to consider:
    • a. that, contrary to the controller's claim that extreme measures were necessary, the complainant had already successfully completed the official identity verification process via Shufti Pro, a professional third-party KYC provider used by the controller, and this process involved biometric facial recognition and the scanning of the official identity card document;
    • b. that, in addition to the successful Shufti Pro verification, the complainant provided a standard selfie for manual identity verification and an official proof of her residential address (utility bill/registration), and these documents, combined with the Shufti Pro confirmation, are more than sufficient to fulfil all legal KYC and AML requirements;
    • c. that the controller argued that the "house selfie" is necessary for fraud prevention, however, the complainant held that the controller could have asked for less intrusive information, such as a redacted PayPal or bank statement, which would have been a standard way to verify financial details without infringing the privacy of the complainant;
    • d. that the controller's demand for a photograph of the complainant's private property is excessive and serves no additional legitimate purpose, as the identity and residence of the complainant were already substantiated;
    • e. that the intrusive demand must be seen within the context of the second complaint lodged with the Commissioner (CDP/COMP/639/2025) regarding the controller's refusal to provide a complete transaction history following the exercise of the right of access;
    • f. that the controller's claim that the person on the identity card document is different from the person on the selfie is categorically false, and the complainant stated that she is the person on both documents;
    • g. that any "low face-match score" is a technical inaccuracy and if the controller truly had doubts about the identity of the complainant from the initial stages, it is highly contradictory that the controller allowed the complainant to deposit and gamble for months;
    • h. that the complainant formally denied any connection to platforms like "Betcollabo" and "Robethood", and the complainant submitted that she is a private recreational player using her own funds, and the controller's attempt to link the complainant's account to "organised patterns" based on the use of the welcome bonus is unsubstantiated generalisation intended to criminalise a legitimate customer; and
    • i. that if the controller genuinely doubted the automated Shufti Pro result, the only proportional response under the Regulation would have been to carry out a certified video-call identification or post-ident process.
  6. As supporting documentation, the complainant submitted to the Commissioner copies of the following documents: (a) "Holding ID" selfie; (b) photos of the identity card (back and front); (c) a payslip containing the name of the employer, salary and the residential address of the complainant; (d) bank correspondence; (e) a screenshot taken from the PayPal account profile, showing the complainant's full name and address; and (f) a redacted photograph of the credit card used by the complainant for depositing funds.

Final submissions of the controller

  7. On the 16th January 2026, the controller submitted the final arguments in relation to the case:
    • a. that the supporting documentation provided by the complainant to the Commissioner was not shared with the controller by either the Commissioner or the complainant, and therefore, the controller requested the Commissioner to make available the supporting documents mentioned in paragraph 6 of the decision;
    • b. that the verification value of the documents provided by the complainant to the Commissioner may be equivalent to that of the evidence requested by the controller from the complainant, and accordingly, the complainant's identity could be confirmed;
    • c. that the controller explained that the verification of the account of the complainant was conducted as an automated process via the verification partner, Shufti Pro, which reported a low face-match score as a warning indicator;
    • d. that the result produced by Shufti Pro does not lead to a rejection of the verification, and in this case, the overall automated assessment met the required verification threshold, and the account was therefore verified, and consequently, the complainant was permitted to deposit funds and participate in gambling activities;
    • e. that it is important to clarify that account verification and withdrawal approval are separate processes governed by different internal controls, and the controller's internal fraud-prevention framework consists of an extensive ruleset with over one hundred decision nodes; and
    • f. that while the account passed the initial automated verification stage, the ruleset later flagged the withdrawal request for further review and this triggered a secondary assessment, including a manual review by the Fraud Team on the 24th August 2025.
  8. The Commissioner notes that his role is to investigate the complaint lodged by the complainant on the 4th September 2025, specifically concerning the allegation of a request for excessive information. The Commissioner emphasises that his task is not to assist or enable the controller in verifying documents during the course of the investigation, but the scope of the investigation is to assess whether the request of the controller dated the 26th August 2025 was excessive in relation to the purpose which the controller intended to achieve.

LEGAL ANALYSIS AND DECISION

  9. The Commissioner proceeded to examine the contents of the complaint, in which the complainant alleged that the controller requested excessive and intrusive personal data for the purpose of processing the withdrawal of funds, despite the complainant having already completed identity verification at the time of the registration of the player's account. In particular, the complainant provided the Commissioner with a copy of the email dated the 26th August 2025, in which the controller, in addition to the “ID card” selfie and the copy of the identity card provided by the complainant at the time of the account verification, requested the following additional information for the purpose of the withdrawal of funds:
    • a. proof of address (utility bill, bank statement, or registration extract not older than six (6) months);
    • b. a selfie holding proof of address in front of the complainant's residence; and
    • c. a PayPal statement with visible income for the month of August.
  10. The Commissioner notes the submissions of the controller dated the 16th December 2025, according to which each player prior to registering an account on one of its platforms, must open a player account. In the course of the registration process, the player must accept the Terms and Conditions and is directed to the Privacy Policy of the controller. The Commissioner refers specifically to Article F.7 and Article J.8 of the Terms and Conditions, which are the most relevant sections in relation to the collection of personal data from the data subjects for both account verification and withdrawal approval.

Article F.7 “Upon registration as well as in case of transactions, a “Know Your Client” procedure is carried out. This can be done directly via [REDACTED] [REDACTED] as well as via our verification partner [REDACTED] reserves the right to require the customer to use one or both of these methods at its own discretion.

In the course of this process identification documents as well as additional information documents such as proof of address, information about assets and incomes, selfies or further information may be required from the customer”.

Article J.8 “On request, the customer shall undertake to provide a copy of an official photographic identification document (passport, driving license, personal ID card) as well as additional documents and information (for example: evidence of the used means of payment, proof of address, asset and salary information, selfies) before the withdrawal will be processed”.

  11. The Commissioner further notes article 8 of the Privacy Policy, which identifies the purpose for processing additional personal data of the players.

“We process your personal data for the following purposes:

...

We are obliged to prevent fraud and money laundering and to prevent inappropriate activities while using our services including financing terrorism, or the use of funds earned from activities punishable by law. We are also obliged to conduct investigations to possible player collusion and then prevent them [...] We exercise these activities via manual and automated checks (compliance with legal obligations)”.

  12. In its submissions, the controller explained that the complainant opened the account on the 8th August 2025 and completed the verification process at the time of registration through the controller’s verification partner, namely Shufti Pro. As part of the Shufti Pro’s standard verification process, in accordance with Article F.7 of the Terms and Conditions, the complainant was required to provide an official photographic identification document, such as a passport, driving licence, or identity card document, together with a selfie holding that document. The controller stated that Shufti Pro flagged the verification process of the complainant with a low face-match score, which was recorded as a warning. As evidence, the controller further submitted a screenshot from the verification partner's back-office system and provided this evidence to the Commissioner under lock and key.

  13. The controller further explained that, on the 17th August 2025, the complainant did her first deposit including some betting activities. This was subsequently followed by further betting activities within a week. After fulfilling the criteria to gain the welcome bonus, the complainant intended to withdraw the total funds including the bonus money. Consequently, the Fraud Team did further investigations and initiated a human check of the photographic identification document and the selfie which were provided at the registration stage of the account, and in the course of this human review, the Fraud Team of the controller determined that the person pictured on the provided identity document is indeed different to the person on the selfie. The controller considered the suspicion of potential third-party use of the player account and, or third-party funding substantiated. This led the controller to conclude that the identified constellations indicate attempts to circumvent applicable limits or instances of actual third-party use of player accounts, for example, through platforms, such as Robethood or Betcollabo.
  14. Before assessing whether it was justified for the controller to request a selfie of the complainant in front of her residence holding proof of address at the stage of the withdrawal of the funds, the Commissioner first notes that the controller had already been alerted at the stage of the account registration concerning the verification of the complainant's identity. Specifically, the verification partner of the controller, Shufti Pro, generated a low face-match score, which the controller itself described as a warning. Accordingly, the Commissioner requested the controller to clarify why the complainant was enabled to engage in gaming activities, when Shufti Pro issued a warning of a low face-match scoring. On the 16th January 2026, the controller submitted as follows:

"The verification was conducted as an automated process via our verification partner, Shufti Pro. While Shufti Pro reported a low face-match score as a warning indicator, this result alone does not automatically lead to a rejection of the verification. In this case, the overall automated assessment met the required verification threshold, and the account was therefore verified. Consequently, the Complainant was permitted to deposit funds and participate in gambling activities” [underlined by the controller].

  15. While the controller explained that the low face-match warning alone did not automatically result in the rejection of the account, the Commissioner notes that the account was nevertheless verified and allowed to operate despite an indicator of potential identity mismatch. The Commissioner further notes that the controller has subsequently sought to rely on the same low face-match warning issued at the registration stage as a justification for requesting additional checks at the withdrawal stage, including a selfie of the complainant holding proof of address in front of her residence.
  16. The Commissioner expresses serious concerns regarding this approach. The low face-match warning generated by Shufti Pro at the registration stage indicated a potential mismatch between the complainant's submitted identification document and her selfie, as clearly demonstrated by the evidence provided by the controller during the course of the investigation. The Commissioner notes that when the controller proceeded to verify the account and allow full account activity, the controller may have been processing inaccurate personal data for an extended period.
  17. This approach of the controller is inconsistent with the principle of accuracy in terms of article 5(1)(d) of the Regulation. The principle of accuracy requires the controller to take reasonable steps at the time of collection of the data in order to ensure such data are accurate and, where necessary, rectified or verified without undue delay. Within this context, the Commissioner considers that the controller did not take such reasonable steps to verify the accuracy of the personal data of the complainant at the registration stage, despite acknowledging that, in its own words, “Shufti Pro reported a low face-match score as a warning”. The subsequent reliance on the same warning generated by Shufti Pro at the registration of the player account to justify the request for additional information at the withdrawal stage raises concerns regarding the accuracy of the personal data collected by the controller at the time of the account verification stage.
  18. Without prejudice to the foregoing, the Commissioner has proceeded to assess the necessity and proportionality aspect of the controller's request for additional information at the withdrawal stage, namely, the request contained within the email dated the 26th August 2025. The controller requested the complainant to provide proof of address, a selfie of the complainant holding proof of address in front of her residence, and a PayPal statement with visible income for the month of August.
  19. In the present case, the Commissioner recognises that, under applicable law, the controller has a legal obligation to prevent fraud and other criminal offences arising from the use of its services by players. While this establishes a legitimate basis for requesting additional information from players, such request for additional information must be conducted in accordance with the principles of necessity and proportionality, ensuring that the means employed are strictly required to achieve the intended objective and do not impose an excessive intrusion into the complainant's right to the protection of personal data.
  20. The Commissioner assessed the submissions of the controller dated the 16th December 2025, wherein it explained in further detail the information that it requests from its players following a reasonable suspicion:

“Our Fraud Team conducts sample checks for suspicious betting or player behaviour. In case of doubts to the origins of the funds and the betting or player behaviour the Fraud Team requests further documents from the player in concern before a withdrawal is released. The most established verification methods are in such cases a selfie in front of the house showing the player's resident address on the house number plate. The request for specified excerpts referring to the player's bank account are also well established verification method in exceptional cases with suspicious behaviour. For these cases usually the following data are requested and processed in order to prevent fraudulent behaviour:

  • Selfie*
  • Bank statement*
  21. The controller further argued that only six (6) out of three thousand (3,000) individuals in August 2025 were subject to an in-depth and case-specific review, however, the Commissioner clarifies that the principles of necessity and proportionality must be assessed on a case-by-case basis. Even if the overall number of data subjects subject to further review is small, the method chosen by the controller to conduct the checks following a reasonable suspicion must meet the requirements of the Regulation.
  22. The well-established principles of necessity and proportionality have been addressed by the European Data Protection Board (the “EDPB”) in its ‘Guidelines 01/2022 on data subject rights – Right of Access’. While the EDPB addresses these principles in the context of authenticating the identity of the requesting data subject following the exercise of the right of access, its interpretation of the principle of data minimisation is highly relevant to the present case. The Guidelines highlight that any verification measure must be necessary and proportionate. This therefore means that pursuant to the principle of accountability as set forth in article 5(2) of the Regulation, the controller must first demonstrate that the request for information is strictly necessary to achieve its intended objective and that no less intrusive alternatives are available. Secondly, the controller must show that the request is appropriately balanced, ensuring that the intrusion into the right to the protection of personal data does not exceed what is required to achieve the controller's intended objective. To this end, the EDPB provides as follows:

"As indicated above, if the controller has reasonable grounds for doubting the identity of the requesting person, it may request additional information to confirm the data subject's identity. However, the controller must at the same time ensure that it does not collect more personal data than is necessary to enable authentication of the requesting person. Therefore, the controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an adequate level of processing security.

The controller should implement an authentication procedure in order to be certain of the identity of the persons requesting access to their data, and ensure security of the processing throughout the process of handling an access request in accordance with Art. 32 GDPR, including for instance a secure channel for the data subjects to provide additional information. The method used for authentication should be relevant, appropriate, proportionate and respect the data minimisation principle. If the controller imposes measures aimed at authenticating the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects' rights (Art. 12(2) GDPR)" [emphasis has been added].

  1. In addition, the Commissioner notes that, according to the settled case-law of the Court of Justice of the European Union (the "CJEU"), the necessity of processing personal data must be assessed in light of whether less intrusive means could be used by the controller to achieve the same objective. Processing cannot be considered necessary where the objective can reasonably be met by equally effective but less restrictive means. The Commissioner refers to case C-439/19, wherein the CJEU held that:

“In the light, first, of the sensitivity of the data in question and the seriousness of that interference with the fundamental rights of data subjects to respect for private life and to the protection of personal data and, second, of the fact that, having regard to the findings in paragraph 111 above, it is not apparent that the objective of improving road safety cannot reasonably be achieved just as effectively by other less restrictive means, the necessity, in order to achieve that objective, of such a system of disclosure of personal data relating to penalty points imposed for road traffic offences cannot be regarded as established (see, by analogy, judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C-92/09 and C-93/09, EU:C:2010:662, paragraph 86)” [emphasis has been added].

  1. Finally, recital 39 of the Regulation, read in conjunction with the principle of data minimisation as set forth in article 5(1)(c), provides that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This includes demonstrating that the processing is limited to the minimum necessary. Recital 39 of the Regulation specifically mentions that personal data should be processed only where the intended objective cannot reasonably be achieved by less intrusive means:

“The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means” [emphasis has been added].

  1. The Commissioner also assesses the procedure of the controller which was mentioned in its submissions dated the 16th December 2025 concerning the requirement to conduct enhanced verifications. The Commissioner refers to Article J.8 of the Terms and Conditions, which provides that:

“On request, the customer shall undertake to provide a copy of an official photographic identification document (passport, driving license, personal ID card) as well as additional documents and information (for example: evidence of the used means of payment, proof of address, asset and salary information, selfies) before the withdrawal will be processed” [emphasis has been added].

  1. The Commissioner notes that the wording used in Article J.8 of the Terms and Conditions is broad, referring to “selfies” and “proof of address” without explicitly specifying that the selfie must be taken in front of the residence of the data subject while holding a document verifying that same address. The Commissioner is of the view that the wording contained in the Terms and Conditions does not meet the requirement of transparency and fairness, as it fails to clearly inform the data subjects of the nature and the extent of the personal data that may be requested.
  2. With regard to the suspicion of potential third-party use of the player account and/or third-party funding, the Commissioner recognises that the controller may legitimately request additional information in case of a reasonable suspicion. In fact, the Commissioner considers it justified for the controller to request limited and specified excerpts relating to the player’s bank or PayPal account in order to verify the ownership and source of the funds. In the present case, the Commissioner notes that the request of the controller is confined to the income of one single month and is sufficiently limited in scope, and therefore, is not considered excessive.
  3. In relation to the request of a selfie showing the complainant holding proof of address, the Commissioner refers to the Implementing Procedures of the Financial Intelligence Analysis Unit, which set out the requirement for subject persons to identify and, where applicable, verify the identity and permanent residential address of their customers. In particular, the Commissioner refers to Section 4.3.1.2 of the Implementing Procedures in relation to non-face-to-face on-boarding, which outlines a non-exhaustive list of measures that may be applied by the subject persons for verification purposes, on a risk-based basis depending on the nature of the relationship and the risk identified.
  4. The controller has not demonstrated during the course of the investigation that less intrusive measures as specified in the Implementing Procedures would have been insufficient to address its suspicion of potential third-party use of the player account and/or third-party funding. In fact, by means of the submissions dated the 16th January 2026, the controller requested that the Commissioner provide the supporting documentation received from the complainant on the 18th December 2025[5], noting that “[t]he verification value of these documents may be equivalent to the evidence requested by us from the Complainant” [emphasis has been added]. This therefore constitutes an acknowledgement by the controller that there may be means other than the house selfie to conduct its own verifications, which are equally effective.

  1. Accordingly, the Commissioner concludes that the requirement to provide a selfie showing the complainant holding the proof of address in front of her residence, together with a document verifying that same address, constitutes an excessive and intrusive verification measure, as there are less intrusive measures to effectively achieve the same intended objective.

On the basis of the foregoing considerations, the Commissioner hereby decides that, while the controller’s request for limited financial documentation is necessary and proportionate, the combined requirement of a selfie showing the complainant holding proof of address in front of her residence, together with a request for proof of address for the purpose of verifying the identity and address, exceeds what is necessary and proportionate for the stated purpose. This is particularly evident given the availability of less intrusive methods to verify identity and address that achieve the same intended objective without requesting excessive and disproportionate information from the data subject.

Accordingly, the controller infringed the principle of data minimisation as set forth in article 5(1)(c) of the Regulation, and as a result, the Commissioner is serving the controller with a reprimand pursuant to article 58(2)(b) of the Regulation.

In terms of article 58(2)(d) of the Regulation, the Commissioner orders the controller to revise its internal procedure and to cease requesting data subjects to provide selfies of themselves holding proof of address in front of their residences.

Digitally signed by Ian DEGUARA, Date: 2026.04.17 16:52:11 +02'00'

Ian Deguara

Information and Data Protection Commissioner


[5] Paragraph 6 of the decision.

Right of Appeal

In terms of article 26(1) of the Data Protection Act (Cap 586 of the Laws of Malta), “any person to whom a legally binding decision of the Commissioner is addressed, shall have the right to appeal in writing to the Tribunal within twenty days from the service of the said decision as provided in article 23”.

An appeal to the Information and Data Protection Appeals Tribunal shall be made in writing and addressed to ‘The Secretary, Information and Data Protection Appeals Tribunal, 158, Merchants Street, Valletta’[6].


[6] More details about the appeals procedure are available at this link: https://idpc.org.mt/appeals-tribunal

Named provisions

Article 5(1)(c): Data minimisation
Article 58(1)(e): Investigation powers
Article 77(1): Right to lodge a complaint


Classification

Agency: IDPC Malta
Filed: January 15th, 2026
Instrument: Enforcement
Branch: Executive
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Retailers, Financial advisers, Technology companies
Industry sector: 7117 Gambling & Gaming
Activity scope: Customer data collection, Withdrawal processing, Identity verification
Geographic scope: MT

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Compliance frameworks: GDPR
Topics: Consumer Finance, Anti-Money Laundering
