Guidance on how to identify data subjects

On July 1, 2019, the Bavarian Supervisory Authority for the public sector (“SA”) published guidance on how to verify the identity of data subjects exercising their data protection rights under the GDPR. The guidance is directed at public bodies, but is also helpful for private entities.

According to the guidance, the controller may only request the provision of additional information if it has “reasonable doubts” about the data subject’s identity. For example, if the data subject asks the controller to contact him/her using contact details other than those used previously, or if the form or wording of the request appears unusual, then the controller may request additional information.

In these cases, the controller should use “reasonable measures” to verify the identity of the data subject (Recital 64 GDPR). According to the SA, the measures to be used will depend on the nature of the data processed. In line with the principle of data minimization, the controller should consider the following two factors: (i) the information that it requires to identify data subjects, and (ii) the risks associated with providing that information to the wrong person.

For example, for “special categories of data” (Art. 9 GDPR), the controller should take additional precautions to ensure the identity of the data subject than for more “common” personal data, because the risks associated with providing the information to the wrong person in the first case is higher than in the second.

The guidance provides the following examples of measures that can help the controller verify the data subject’s identity:

  • checking the contact details given by the requesting data subject and matching them with any existing contact details already available;
  • if the data subject uses a new email address to send his/her request for access, asking the data subject to confirm the request via the email address previously used;
  • when the data subject and controller are parties to a long-term contractual relationship, asking the data subject to provide information generated in the course of the contractual relationship which is known to both;
  • if the information is highly sensitive, asking the data subject to visit the controller’s office and produce an identity card (a copy of the identity card should only be taken in exceptional cases and in compliance with Section 20(2) of the Identity Card Act (Personalausweisgesetz) and Sec. 18(2) of the Passport Act (Passgesetz)).

According to the SA, once the additional information is no longer needed to identify an individual, it should be deleted.

If a request for access is declined because the controller cannot ascertain the identity of the data subject, the controller must document its identification efforts.

 

Guidance on how to interpret the right of access

In its most recent annual report, the Hessian Supervisory Authority (“Hessian SA”) commented on the scope of the right of access under Art. 15 GDPR (Link to the report, cf. page 75 et seq.).

According to the Hessian SA, the controller must always provide the data subject a copy of the personal data, even if the data subject does not explicitly request a copy. Additionally, in principle, the controller must provide an explanation of the contents of the copies.

According to the Hessian SA, data subjects do not have the right to obtain a “copy” in the literal sense of a “photocopy” or “data set”. In GDPR terms, “copy” has the meaning of “a summary of the personal data structured in a meaningful way”. For example, where a company uses a human resources information system, providing access may consist of providing an excerpt of the profile of the data subject. Where a company uses a document management or registration system, providing access may consist of listing the stored documents or file numbers relating to the data subject.

Generally, a data subject cannot ask for copies of all documents concerning him or her, but he/she may be entitled to receive copies of individual documents or email correspondence in certain situations. This is the case, for example, where it is absolutely necessary to enable the data subject to check the legality of the personal data processing. If the controller processes large amounts of data about the data subject, it can ask the data subject to be more specific about the data he/she wants to access.

The SA reminds controllers that the right of access has exceptions both under Art. 15(4) GDPR and under the German law implementing the GDPR (cf. sec. 27(2), 28(2), 29(1), 2nd sentence and 34 German Federal Data Protection Act (BDSG)).

Under the GDPR, controllers can refuse to comply with or charge a reasonable fee for requests that are excessive. The controller carries the burden of proof.

If a controller is of the opinion that it has reasonable grounds not to provide access, it must inform the data subject. This information must include the reason for the refusal so that the data subject can verify and/or challenge the controller’s interpretation of the law.

Tags: Bavarian SA, Data Protection Rights, GDPR, Germany, Hessian SA, How to identify data subjects, reasonable measures, Right of Access
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less
Photo of Anna Sophia Oberschelp de Meneses Anna Sophia Oberschelp de Meneses

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital…

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital Fairness Act, turning legal requirements into practical, business-friendly solutions.

In data protection, I support tailored GDPR compliance, international data transfers, and privacy-conscious marketing. On cybersecurity, I guide clients through risk assessments, incident response, and evolving laws such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I advise on existing laws to help businesses revise their terms and conditions for compliance and review online interfaces to ensure all mandatory consumer information is clearly provided, tackling issues like dark patterns and unfair contract clauses.

Fluent in multiple languages and experienced across borders, I’m passionate about helping clients embed compliance into their operations and thrive in the fast-changing digital landscape.

Read more about Anna Sophia Oberschelp de MenesesEmailAnna Sophia's Linkedin Profile
Show more Show less