
Identity Check: Avoiding Abusive GDPR Requests

Categories: Consumer Rights; Data Security


GDPR rights aim to ensure transparency of data processing, and to enable individuals to have a say in which information on them is stored. Replies to related requests may contain sensitive information, if not a copy of all data retained. If, for example, an access request is faked by someone simulating another’s identity, GDPR rights may be abused for privacy intrusion – and lead to unauthorized disclosure of personal information to third parties.

The EU General Data Protection Regulation (GDPR) grants individuals several rights regarding their personal information against anyone who processes it. Data subjects are entitled to request access to the data relating to them and to receive it in a structured, common and machine-readable format (data portability). Furthermore, under certain conditions, they have the right to erasure, to rectification of inaccurate information, to restrict the processing and to object to it.

As the British data protection supervisory authority and one of the German authorities explicitly acknowledge, the threat of third-party abuse justifies measures to prove the identity of an individual exercising his or her rights under the GDPR. We have summarized their advice, organized by the channel used to file the request. A spoiler in advance: there is no clear answer. As so often in data protection law, it all depends on an individual risk assessment, particularly the nature of the data concerned.

Request by e-mail

In case of an access request by e-mail, two cases have to be distinguished, depending on whether the access request comes from an e-mail address:

  • that is known to the data controller and that has been verified before, e.g. by clicking a confirmation link during a registration process. In that case, identity can be regarded as verified.
  • that is unknown to the data controller and therefore has not been verified yet. In such case, data controllers may demand additional proof of identity.

Where additional proof is required, businesses may choose between different measures:

  • The data subject may be asked to provide a blackened copy of their ID, only revealing name, postal address, date of birth and period of validity. For receipt of such documents, high data security standards must be met. Data controllers may either publish a public key for end-to-end encrypted mailing or provide the inquirer with a browser-based solution to upload the document in an HTTPS environment.
  • Identification is also possible via intermediary service providers under the electronic Identification, authentication and trust services (eIDAS) standard. eIDAS is a European legal framework for safe proof of identity, which is put in practice by, for example, the German “online ID”. eIDAS solutions are not yet popular and widespread with EU customers.
  • Another option is to use video-ident processes. With this procedure, the inquirer starts a video call, in which photos of the person and their ID are taken. If your company outsources the identification process, pay attention to the service provider's data protection standards when choosing one.

When deciding which of these procedures to use, companies should consider the nature of the data and the level of security that the respective procedure offers. For example, where sensitive data like health information, private communications on a dating platform or extensive user profiles are concerned, it is advisable to apply the video-ident process, as it offers a high level of security. Companies dealing with low-risk data may rely on ID copies, which are less burdensome for customers and probably cheaper for the company to review.

Request by user interface

The easiest way to grant access to GDPR rights is to integrate the respective options into the app or website interfaces of password-protected login areas. Where the user has proven identity by knowledge of the password, he or she can generally be regarded as identified. However, a German supervisory authority calls the use of two-factor authentication “desirable” in order to mitigate the risks for users with weak passwords.

Request by telephone

Where customers raise GDPR requests during a phone call, companies may ask standard security questions about, for example, the date of birth or the postal address to prove the inquirer’s identity. A German supervisory authority notes that such information is not “really” secret, and that such a procedure should not be used where sensitive information is concerned.

Request by mail

Where companies receive GDPR requests by mail and the inquirer indicates that he or she wants to continue communicating by mail, companies may reply and demand a printed and blackened ID copy, containing only information on name, postal address, date of birth and period of validity.
