Facebook has been told to allow people to use pseudonyms on its site by a German regulator, which has ruled that the site’s “real name” policy violates the right to privacy.

The Hamburg data protection authority said on Tuesday that the site could not force users to give official ID such as a passport or identity card, nor could it unilaterally change their chosen names to their “real” names on the site.

Facebook’s enforcement of its policy, which limits individuals to one account each and requires that those accounts be held under their real name, frequently results in accounts with suspected pseudonyms being locked by the company until the owner can prove their name, or even just the name being changed back by Facebook.

Johannes Caspar, the Hamburg commissioner for data protection and freedom of information, said: “As in many other complaints against Facebook, this case demonstrates that the network wants to enforce the so-called real names policy with no regard to national legislation.”

He added that the requirement to use a real name violates the rights, enshrined in German law, to use a pseudonym, while requests for digital copies of an official photo ID also contradict the passport and ID card law. In addition, he said that “the unauthorised modification of the pseudonym … blatantly violated the right to informational self-determination and constitutes a deliberate infringement of the Data Protection Act”.

Facebook has repeatedly clashed with European data regulators, arguing that it should only be bound by the decisions of the Irish data protection office, since its EU headquarters are based in that nation. In June, after the Belgian privacy commission took the company to court over user tracking, a Facebook spokesperson said that the privacy commissioner should have worked with them “through a dialogue with us at Facebook Ireland and with our regulator, the Irish data protection commissioner”.

Caspar pre-emptively rejected that argument: “In this case, Facebook can not retreat to the position that the Irish Data Protection Act sets the standard here. Last year the ECJ blocked that position with case-law related to Google’s search engine. Facebook has economic activity in Gemany with its branch in Hamburg. So: if you like our game, you must play by our rules.”

In a statement, a Facebook spokesperson said: “We’re disappointed Facebook’s authentic name policy is being revisited, since German courts have reviewed it on multiple occasions and regulators have determined it fully complies with applicable European data protection law. The use of authentic names on Facebook protects people’s privacy and safety by ensuring people know who they’re sharing and connecting with.”

Facebook’s real name policy has long been one of the most controversial rules on the site. In February, the site was accused of discrimination after a number of Native American activists reported having their accounts suspended or names changed to match European norms. Dana Lone Hill argued that: “Katy Perry’s Left Shark from her Super Bowl halftime show has a Facebook page and we have to prove who we are.”

The policy hit the headlines again in June after Zip, a trans former Facebook employee who was instrumental in introducing the company’s custom gender feature, was required to “prove” her name to the company – the same name that had been on her name badge while she worked for Facebook.

“We use names that don’t match our ID on Facebook for safety, or because we’re trans, or because we’re just straight up not known by our legal names,” Zip wrote.

“Having chosen its policy, Facebook has to enforce it. And because its policy attempts to hammer the reality of names into a constrained model they end up having to make a trade-off in the edge cases. Some people are not allowed to use their names so that everyone else’s can be enforced.”