An individual has asked to provide information on his personal data which is stored by a company (GDPR). He has only provided his name and surname. He has signed the document electronically, i.e., we have no doubts that the one who e-signed owns the provided name and surname. On the other hand, when asked, he refused to provide his national ID number.
Based on the general knowledge, not having performed any query yet, name-surname combination may not be unique, i.e., there may be several people with the same name and surname registered in the company's system. At this point, is the company obliged to scan through its systems in order to attempt to comply with such request? I mean, first, the company will have to answer the question if the subject's name-surname combination points to a single person in the company's system. Then, if he's not the only one, in order to identify the person, does the company need to look at other data which may be provided and which may be stored inside the system (email, home address, etc.?
Or can the company legally just refuse to provide the information based on potential lack of provided data from the requestor's side?