Skip to main content

Identity Check: Avoiding Abusive GDPR Requests

| Categories: Consumer Rights; Data Security;

Identity check

GDPR rights aim to ensure transparency of data processing, and to enable individuals to have a say in which information on them is stored. Replies to related requests may contain sensitive information, if not a copy of all data retained. If, for example, an access request is faked by someone simulating another’s identity, GDPR rights may be abused for privacy intrusion – and lead to unauthorized disclosure of personal information to third parties.

The EU General Data Protection Regulation (GDPR) grants individuals several rights regarding their personal information against anyone who processes it. Data subjects are entitled to request access to the data relating to them and to receive it in a structured, common and machine-readable format (data portability). Furthermore, under certain conditions, they have the right to erasure, to rectification of inaccurate information, to restrict the processing and to object to it.

As the British data protection supervisory authority and one of the German authorities explicitly acknowledge, the threat of third-party abuse justifies measures in order to prove the identity of an individual exercising his or her rights under the GDPR. We summarized its advice, depending on the media channel used to file the request. A spoiler in advance: There is no clear answer, it all depends, like often in data protection law, on an individual risk-assessment, particularly the nature of data concerned.

Request by e-mail

In case of an access request by e-mail, two cases have to be distinguished, depending on whether the access request comes from an e-mail address:

  • that is known to the data controller and that has been verified before, e.g. by clicking a confirmation link during a registration process. In that case, identity can be regarded as verified.
  • that is unknown to the data controller and therefore has not been verified yet. In such case, data controllers may demand additional proof of identity.

Where additional proof is required, businesses may choose between different measures:

  • The data subject may be asked to provide a blackened copy of its ID, only revealing name, postal address, date of birth and period of validity. For receipt of such documents, high data security standards must be met. Data controllers may either publish a public key for end-to-end encrypted mailing or provide the inquirer with a browser-based solution to upload the document in an HTPPS environment.
  • Identification is also possible via intermediary service providers under the electronic Identification, authentication and trust services (eIDAS) standard. eIDAS is a European legal framework for safe proof of identity, which is put in practice by, for example, the German “online ID”. eIDAS solutions are not yet popular and widespread with EU customers.
  • Another option is to use video-ident processes. With this procedure, the inquirer starts a video call, in which photos of the person and its ID are taken. In case your company outsources the identification process, when choosing a service provider, attention should be paid at its data protection standards.

For the decision on which of these procedures is used, companies should consider the nature of data and the level of the security that the respective procedure offers. For example, where sensitive data like health information, private communications on a dating platform or extensive user profiles are concerned, it is advisable to apply the video-ident process as it offers high level of security. Companies dealing with low-risk data may rely on ID copies, which are less burdensome for customers and probably cheaper for the company to review.

Request by user interface

The easiest way to grant access to GDPR rights is to integrate respective options into the app or website interfaces of password protected login areas. Where the user has proven identity by knowledge of the password, he or she can generally be regarded as identified. However, a German supervisory authority calls the use two-factor authentication “desirable” in order to mitigate the risks for users with weak passwords.

Request by telephone

Where customers raise GDPR requests during a phone call, companies may ask standard security questions about, for example, the date of birth or the postal address to prove the inquirer’s identity. A German supervisory authority notes that such information is not “really” secret, and that such procedure should not be used where sensitive information is concerned.

Request by mail

In case companies receive GDPR requests by mail and the inquirer indicates that he or she want to further communicate by mail also, companies may reply and demand a printed and blackened ID copy, containing only information on name, postal address, date of birth and period of validity.

GDPR Updates for non-EU companies

Are you compliant with the GDPR?

Under Art. 27 of the GDPR, many non-EU companies must appoint an EU GDPR Privacy Representative. To find out now if your company is subject to this obligation

take the test

Who is EU-REP.Global?

We are data protection service provider based in Germany, focused on compliance services under the EU General Data Protection Regulation. If you want to know more,

go to FAQ

EU Commission Sets Timeline for New SCCs after the “Schrems” Judgement

In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs held in Brussels today, EU Commissioner Didier Reynders delivered remarks on what to expect for the future of international data transfers after the European Court of Justice has ruled the EU-US Privacy...


Data Mapping & the GDPR: "Records of Processing Activities"

Any privacy law implementation program is based a proper data mapping. But is it even a legal obligation? Under the GDPR, the answer is a clear "yes" for most of modern businesses. Article 30 requires companies to maintain so-called "records of processing activities" (also known as RPA or ROPA) with...


GDPR Enforcement: The Real Risks of Non-Compliance

Whereas public supervisory authorities granted an informal grace period to implement the new provisions of the EU General Data Protection Regulation (GDPR) and allocated many resources to awareness-raising campaigns in 2018, their focus clearly shifted towards enforcement in 2019. The risk of...