Upon receiving a request from a data subject, companies often struggle to find the right way to verify the data subject's identity. In a recent decision, the Dutch data protection authority shed some light on this issue. In this article, we explain what steps companies may take to verify the data subject's identity in a GDPR-compliant way, and which steps they would do better to avoid.
What rules does the GDPR impose on companies verifying the identity of a data subject?
In its Art. 12, the General Data Protection Regulation (GDPR) provides general rules pertaining to the exercise of all data subject rights. While companies are most often faced with requests for access to or deletion of personal data, the rules apply equally to the right to data portability and the right to restriction of processing, amongst others.
According to Art. 12 GDPR, companies shall facilitate the exercise of data subject rights. A controller may only refuse to act on the request of a data subject if it can demonstrate that it is not able to identify the latter. Where the controller has reasonable doubts concerning the identity of the data subject making the request, it may request the provision of additional information necessary to confirm the data subject’s identity.
Based on this provision, and regardless of the information already available to them, companies receiving a data subject request often routinely require the data subject to provide a copy of their ID card, passport, driver's licence, or a similar official document before acting on the request. In a recent decision, the Dutch data protection authority (DPA), the Autoriteit Persoonsgegevens, put a stop to this practice.
What were the circumstances of the case?
The decision of the Dutch DPA was directed against DPG Media, a book and magazine publisher that in 2020 acquired the company Sanoma Media Netherlands B.V. The company processed personal data of its customers and subscribers, including their name, address, place of residence and/or e-mail address.
It offered two ways of exercising data subject rights, namely within its secure login environment or via other channels (letter, e-mail and web form). In the latter case, DPG Media always requested a copy of proof of the data subject's identity before processing the request further.
Several data subjects lodged a complaint with the Dutch DPA contesting this practice.
What did the Dutch DPA decide?
In its decision, the Dutch DPA ruled that DPG Media’s requirement for data subjects to submit a copy of their identity documents as a precondition to processing their requests violated the GDPR. While the GDPR does not as such prohibit this practice, the Dutch DPA found that in the case at hand it was disproportionate, particularly in light of the nature and amount of personal data covered by the requests.
The authority underlined that DPG Media should have enabled data subjects to prove their identity in the least intrusive manner possible. In the case at hand, requesting a copy of an official identification document could not be considered the least intrusive means of identification.
Furthermore, the Dutch DPA pointed out that DPG Media failed to inform data subjects that they could redact certain data from the copies of their documents. At the same time, the authority underlined that even if parts are redacted, it will often be disproportionate to require a copy of an identity document in order to confirm that a data subject really is who they claim to be.
The Dutch DPA concluded that in requiring data subjects to provide a copy of their identity document, DPG Media requested a disproportionate amount of data, and made it overly complicated for data subjects to exercise their data protection rights. For these violations, DPG Media was fined EUR 525,000.
What lessons can be learned from the Dutch decision?
The Dutch decision clearly demonstrates that data protection authorities will not tolerate companies misusing the option to verify the identity of a data subject exercising their data protection rights, whether with the aim of hindering them in doing so or of gathering even more data about the data subject.
Furthermore, the decision underscores that companies need to design their identity verification process in a way proportionate to the nature (sensitivity) and amount of data covered by a request. Instead of automatically requesting additional information, companies should ideally verify the identity of a data subject based on the information they already have in their possession. For example, DPG Media had information on the data subject’s name, e-mail and subscription details. Given that the information covered by the requests was of low sensitivity, the identification process based on these pieces of information would have been both sufficient and proportionate.
In fact, in 2020, DPG Media already changed its practices. DPG Media now verifies the identity of data subjects by sending verification e-mails. The Dutch DPA confirmed that such an approach is GDPR compliant.
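As an added illustration, which is not part of the original article and does not reflect DPG Media's actual implementation, the following shows one way to build the kind of least-intrusive e-mail verification the decision endorses: the link is sent only to the address already on file, and the token in it is HMAC-signed, time-limited and single-use, so the requester has to prove control of the mailbox and nothing more. The customer record, the 24-hour lifetime, key handling and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed sample record: data the controller already holds (assumed schema).
CUSTOMERS = {
    "sub-1001": {"name": "A. Example", "email": "a.example@example.invalid"},
}
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; rotate like any other key
TOKEN_TTL = 24 * 3600                  # 24 h lifetime is an assumption, not from the decision
_consumed = set()                      # request ids already verified: tokens are single-use


def issue_token(request_id: str, subscription_id: str, now: float) -> Tuple[str, str]:
    """Return (email_on_file, token). The link is sent ONLY to the address already on file,
    never to an address supplied in the request, so only the mailbox owner can complete it."""
    rec = CUSTOMERS[subscription_id]
    claims = {"rid": request_id, "sub": subscription_id, "exp": int(now) + TOKEN_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    token = (base64.urlsafe_b64encode(payload).decode() + "."
             + base64.urlsafe_b64encode(sig).decode())
    return rec["email"], token


def verify_token(token: str, now: float) -> Optional[str]:
    """Return the verified request id, or None if the token is malformed, forged,
    expired or has already been used."""
    try:
        p64, s64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    claims = json.loads(payload)
    if now > claims["exp"] or claims["rid"] in _consumed:
        return None
    _consumed.add(claims["rid"])
    return claims["rid"]
```

The same pattern scales with sensitivity: for a request covering, say, a full medical file, the token check would be one factor among stronger ones rather than the whole verification.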
This being said, it does not follow from the Dutch decision that requesting a copy of an identification document would under no circumstances be allowed. Such an approach might be GDPR compliant, for example, if there are no other, less intrusive means available to identify the data subject, or if special caution is necessary due to the amount or sensitivity of the personal data covered by the request (e.g., an access request covering an entire medical file). In such cases, however, companies should proactively point out the possibility of redacting certain pieces of information from the copy of the identification document.
Companies are well advised to put processes for the proper handling of data subject requests in place, covering, amongst other aspects, the verification of their identity. In this context, companies should opt for the least intrusive method available to effectively verify the identity of a data subject, and process merely the data truly needed for this purpose.
Companies should bear in mind that if they respond to a request improperly – e.g., if they delete personal data that should be kept longer according to statutory retention periods, or if they provide a copy of the data to the wrong recipient – this might in itself be a GDPR violation. In case there are any doubts, companies are therefore well advised to consult a data protection specialist prior to responding to a data subject request.