Guidance on how to identify data subjects

On July 1, 2019, the Bavarian Supervisory Authority for the public sector (“SA”) published guidance on how to verify the identity of data subjects exercising their data protection rights under the GDPR. The guidance is directed at public bodies, but is also helpful for private entities.

According to the guidance, the controller may only request the provision of additional information if it has “reasonable doubts” about the data subject’s identity. For example, if the data subject asks the controller to contact him/her using contact details other than those used previously, or if the form or wording of the request appears unusual, then the controller may request additional information.

In these cases, the controller should use “reasonable measures” to verify the identity of the data subject (Recital 64 GDPR). According to the SA, the measures to be used will depend on the nature of the data processed. In line with the principle of data minimization, the controller should consider the following two factors: (i) the information that it requires to identify data subjects, and (ii) the risks associated with providing that information to the wrong person.

For example, for “special categories of data” (Art. 9 GDPR), the controller should take additional precautions to ensure the identity of the data subject than for more “common” personal data, because the risks associated with providing the information to the wrong person in the first case is higher than in the second.

The guidance provides the following examples of measures that can help the controller verify the data subject’s identity:

  • checking the contact details given by the requesting data subject and matching them with any existing contact details already available;
  • if the data subject uses a new email address to send his/her request for access, asking the data subject to confirm the request via the email address previously used;
  • when the data subject and controller are parties to a long-term contractual relationship, asking the data subject to provide information generated in the course of the contractual relationship which is known to both;
  • if the information is highly sensitive, asking the data subject to visit the controller’s office and produce an identity card (a copy of the identity card should only be taken in exceptional cases and in compliance with Section 20(2) of the Identity Card Act (Personalausweisgesetz) and Sec. 18(2) of the Passport Act (Passgesetz)).

According to the SA, once the additional information is no longer needed to identify an individual, it should be deleted.

If a request for access is declined because the controller cannot ascertain the identity of the data subject, the controller must document its identification efforts.

 

Guidance on how to interpret the right of access

In its most recent annual report, the Hessian Supervisory Authority (“Hessian SA”) commented on the scope of the right of access under Art. 15 GDPR (Link to the report, cf. page 75 et seq.).

According to the Hessian SA, the controller must always provide the data subject a copy of the personal data, even if the data subject does not explicitly request a copy. Additionally, in principle, the controller must provide an explanation of the contents of the copies.

According to the Hessian SA, data subjects do not have the right to obtain a “copy” in the literal sense of a “photocopy” or “data set”. In GDPR terms, “copy” has the meaning of “a summary of the personal data structured in a meaningful way”. For example, where a company uses a human resources information system, providing access may consist of providing an excerpt of the profile of the data subject. Where a company uses a document management or registration system, providing access may consist of listing the stored documents or file numbers relating to the data subject.

Generally, a data subject cannot ask for copies of all documents concerning him or her, but he/she may be entitled to receive copies of individual documents or email correspondence in certain situations. This is the case, for example, where it is absolutely necessary to enable the data subject to check the legality of the personal data processing. If the controller processes large amounts of data about the data subject, it can ask the data subject to be more specific about the data he/she wants to access.

The SA reminds controllers that the right of access has exceptions both under Art. 15(4) GDPR and under the German law implementing the GDPR (cf. sec. 27(2), 28(2), 29(1), 2nd sentence and 34 German Federal Data Protection Act (BDSG)).

Under the GDPR, controllers can refuse to comply with or charge a reasonable fee for requests that are excessive. The controller carries the burden of proof.

If a controller is of the opinion that it has reasonable grounds not to provide access, it must inform the data subject. This information must include the reason for the refusal so that the data subject can verify and/or challenge the controller’s interpretation of the law.

Tags: Bavarian SA, Data Protection Rights, GDPR, Germany, Hessian SA, How to identify data subjects, reasonable measures, Right of Access
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less
Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Read more about Anna Oberschelp de MenesesEmail
Show more Show less