Data & Privacy Case Law Blog | March 2026

Two recent judgments show how difficult the relationship between sector-specific legislation and the General Data Protection Regulation (GDPR) can be in practice. In the case between a credit card holder and International Card Services (ICS), the question is whether a financial institution may request and retain an identity document and selfie for re-identification, and how far that latitude extends under the Dutch anti-money laundering and anti-terrorist financing act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft) and the GDPR.

In the Inteligo Media/ANSPDCP case the central question is when an organisation may send a newsletter to users with a free account without a separate opt-in, and what role the GDPR still plays alongside Directive 2002/58/EC (hereinafter: the ePrivacy Directive).

GDPR and anti-money laundering rules: Dutch Supreme Court requests interpretation from the CJEU

On 13 March 2026, the Dutch Supreme Court (Hoge Raad) delivered an important interlocutory judgment in the case between a credit card holder and ICS. At the heart of the case is a question that affects many organisations in practice: may a financial institution require a copy of an identity document and a photograph for re-identification, and then retain them? In this judgment, the Supreme Court already clarifies one point, but on other points refers preliminary questions to the Court of Justice of the European Union (CJEU or the Court).

What were the facts?

ICS had asked an existing customer to identify herself again online. For that purpose, she had to upload, via smartphone or tablet, a photograph of her identity document and a selfie. According to ICS, this was necessary under the Wwft. Article 38 Wwft requires ICS to update the customer due diligence it had already carried out at the start of the credit card agreements pursuant to Article 3 Wwft. The credit card holder refused to cooperate with a new (online) identification procedure. Her objection in principle was not so much to identification as such, but above all to the storage and retention of her passport photograph and selfie. When she did not cooperate, ICS ultimately blocked her credit card and the agreement was terminated. ICS prevailed in the earlier instances. The case subsequently came before the Supreme Court.

This case concerned two questions: (1) is the recording or storage of a photograph by ICS a processing of biometric data, and (2) does Wwft customer due diligence include an obligation to retain a photograph, and if so, how does that relate to the GDPR?

1. Is a passport photograph or selfie biometric data?

On that point, the Supreme Court is clear: no, not automatically. Under the GDPR, biometric data are personal data resulting from specific technical processing relating to a person’s physical, physiological or behavioural characteristics, allowing or confirming the unique identification or authentication of that person. An example would be facial recognition in which a system creates a biometric template from a photograph. This follows from Article 4(14) GDPR and is linked to the prohibition on processing in Article 9(1) GDPR.

The Supreme Court therefore states: an ordinary photograph of a face is not immediately biometric data. More is required than mere storage. Only where that photograph is processed by specific technical means for the purpose of unique identification do you enter the realm of biometrics. This is a useful clarification; it is sometimes quickly said that a passport photograph or selfie is ‘biometric’, but legally it is not that simple.

Processing not automatically permitted

The fact that something is not biometric data does not, of course, mean that it may be stored without difficulty. In this judgment, the Supreme Court also emphasises that the recording and retention of a facial photograph does indeed constitute processing of personal data. A passport photograph or selfie remains personal data to which the GDPR rules apply.

2. Does the Wwft require storage of the full ID copy?

On that issue, the Supreme Court has not yet given a final ruling; it intends to refer preliminary questions to the CJEU. The core of the doubt lies in Article 33 Wwft. That provision prescribes that the documents and data used for customer due diligence must be recorded in a retrievable manner and must be retained for five years. But how far exactly does that obligation extend?

Broadly speaking, the discussion is this: is it sufficient for an institution to record the relevant identification data, or must it actually retain a copy of the identity document used? And if such a copy may or must be retained, does that also apply to the passport photograph on that document?

This is legally important, because under the GDPR you may not process more personal data than is necessary. If the purpose can be achieved with fewer data, storage of a full ID copy quickly becomes difficult to defend.

The Supreme Court therefore doubts whether the Dutch provision in the Wwft, in conjunction with Article 40(1)(a) of the Fourth Anti-Money Laundering Directive (Directive (EU) 2015/849), should indeed be read as requiring a full copy of the identity document to be retained. And if so, whether that retention obligation also includes the passport photograph. The Supreme Court has referred these questions to the Court of Justice.

Another open question: can a photograph also reveal data concerning race or ethnic origin?

The cardholder had also argued that a passport photograph may reveal race or ethnic origin, thereby bringing Article 9(1) GDPR into play. On this point too, the Supreme Court has not yet made a final determination. It does note, however, that there is still uncertainty under the GDPR on this issue: this area of law is still developing.

The Supreme Court therefore also wishes to refer questions on this point to the Court of Justice. The following sub-questions arise here: (1) is it relevant for what purpose the photograph is processed, and (2) is it relevant whether race or ethnic origin can be inferred from that photograph with a sufficient degree of certainty?

For Dutch practice, Article 25 of the Dutch GDPR Implementation Act (UAVG) is also relevant here. That article provides, inter alia, that the processing of data from which race or ethnic origin appears may be possible where this is done for the purpose of identifying the data subject, and only insofar as this is unavoidable for that purpose.

What does this mean for organisations?

For financial institutions and other organisations subject to the Wwft, this is a relevant judgment. In any event, the Supreme Court clarifies one point: a stored selfie or passport photograph does not, without more, constitute biometric data processing. On the other important question, namely whether storage of the photograph or of a full ID copy is necessary at all and legally required, no final answer has yet been given.

Until the CJEU has ruled, it is therefore logical to critically reconsider identification processes. Organisations would be well advised to ask themselves:

  • Which statutory provision exactly provides the basis for storing an ID copy or photograph.

  • Whether a full copy is truly necessary, or whether recording limited identification data is sufficient. Limited identification data are, for example, the data mentioned in Article 33 Wwft itself (name, date of birth, address, document number, etc.), without storing a full ID copy.

  • How necessity and proportionality have been documented internally. Explicitly analyse the alternatives and record the reasoning as to why more data are needed in, for example, a DPIA, a record of processing activities, or an internal memorandum.

  • Whether privacy notices and customer communications on this point are sufficiently precise.

For organisations, the message is clear: do not look only at the label ‘biometrics’, but above all at necessity, proportionality and legal basis.

Inteligo Media/ANSPDCP

In a case of 13 November 2025, an important question arose: may an online publisher that allows users to create a free account then send a daily email newsletter containing summaries and links to articles without a separate opt-in?

The Court’s answer is relevant for many publishers, platforms and providers of content services: yes, that can be permitted in certain circumstances. But at least as important is the reason why the Court says so. The ruling clarifies three classic pain points in the practice of email marketing: when something constitutes ‘direct marketing’, when there is a sale of a product or service, and how the relationship between the GDPR and the ePrivacy Directive is to be understood.

The facts

The case concerned a Romanian publisher of online publications. Users could create a free account. This gave them access to additional articles and to a daily email newsletter containing an overview of new legislation and links to articles. They were also given the option of later taking out a paid subscription. At registration, users could indicate that they did not wish to receive the newsletter. Each email also contained an unsubscribe option. Despite all these safeguards, the Romanian supervisory authority still considered that the processing was unlawful. According to that authority, no valid consent (opt-in) had been obtained for sending the newsletter.

Do not look to the GDPR immediately

The Court starts with an important point: for this type of email communication, one should not automatically look first to Article 6 GDPR, which sets out the general legal bases for lawful processing of personal data. The first step here is Article 13 of the ePrivacy Directive: the ePrivacy rules on unsolicited electronic communications. In the Netherlands, those rules are primarily implemented in Article 11.7 of the Dutch Telecommunications Act (Telecommunicatiewet, Tw).

The general rule is that unsolicited commercial email is in principle permitted only with prior consent. There is, however, an important exception: the soft opt-in. That exception applies where an organisation obtained the email address in the context of the sale of a service or product, uses that address for its own similar products or services, and the recipient can object easily both when the address is obtained and in every message.

A substantive newsletter may also be direct marketing

Importantly, the Court held that the newsletter does fall within the concept of direct marketing. The newsletter at issue contained summaries of new legislation and links to substantive articles. At first sight, that sounds primarily informative or editorial, but the Court nevertheless states that this does not preclude such an email from simultaneously serving a marketing purpose.

What was decisive here was that the newsletter directed users back to the platform, encouraged them to read more articles and could ultimately contribute to their taking out a paid subscription. The email therefore had a commercial purpose. Organisations sometimes assume that a newsletter is not marketing as long as its content is sufficiently informative. The Court expressly adopts a functional approach: not only the tone of the content matters, but also the purpose of the message within the revenue model.

A free account as part of a sale?

At least equally relevant is what the Court says about the question of when an email address is obtained in the context of the sale of a product or service. In this case, the user did not pay for the account. Nevertheless, the Court held that in certain circumstances there can indeed be a sale of a service. The free account formed part of a broader commercial offering. The user received additional access and a newsletter, while the publisher was thereby able to direct users towards paid content. The free service thus had a clear promotional function within a commercial model. In other words: even if the user does not pay directly, there may still be a service that is economically connected with a paid proposition. For the purposes of Article 13(2) of the ePrivacy Directive, ‘sale’ therefore need not be limited to a classic transaction involving a direct price.

The relationship between ePrivacy and the GDPR

In this judgment, the Court makes it clear that where Article 13(2) of the ePrivacy Directive already applies, there is no need also to examine separately the legal bases under Article 6 GDPR. That follows from Article 95 GDPR. That provision prevents the GDPR from imposing additional obligations on points where the ePrivacy Directive already contains specific rules pursuing the same objective.

The GDPR therefore does not disappear from view, but its role changes. For the lawfulness of this type of marketing email, the first test lies within the ePrivacy framework.

What does this mean in the Netherlands?

For Dutch organisations, the relevance of this judgment lies above all in the application of Article 11.7 Tw: the national implementation of Article 13 of the ePrivacy Directive. On paper, perhaps little changes; the soft opt-in rules already existed. What this judgment does show is how broadly, and at the same time how precisely, those rules can be interpreted in practice. A free account can therefore, in certain circumstances, be regarded as part of a service relationship, provided that it clearly fits within a commercial whole.

Many organisations work with a free account or a trial subscription. This judgment shows that such models may, in certain circumstances, fall within the scope of the soft opt-in. That does not mean that every free registration is suddenly sufficient. The newsletter must still relate to the organisation’s own similar services, and users must be given a simple and free opt-out both when their data are collected and in every email. In determining whether a newsletter falls within direct marketing, the decisive factor is the commercial purpose of the communication, considered also in the context in which it is sent. A commercial element is permissible, but it must not be the main message.
