
An individual has asked a company to provide the personal data it stores about him (a GDPR subject access request). He has provided only his name and surname. He has signed the request electronically, i.e., we have no doubt that the person who e-signed it owns the provided name and surname. On the other hand, when asked, he refused to provide his national ID number.

Based on general knowledge, and without having run any query yet, a name-surname combination may not be unique, i.e., there may be several people with the same name and surname registered in the company's system. At this point, is the company obliged to scan through its systems in order to attempt to comply with such a request? I mean, first, the company will have to answer the question of whether the subject's name-surname combination points to a single person in the company's system. Then, if he is not the only one, in order to identify the person, does the company need to look at other data which may be provided and which may be stored inside the system (email, home address, etc.)?

Or can the company legally just refuse to provide the information based on potential lack of provided data from the requestor's side?

  • It is not completely clear to me what you have and what the individual is refusing to provide. What is "personal ID number"? Is this something you generate, and the individual may have lost? Is this a state issued ID number? Why is the individual refusing, and are there other reasonable methods of identification? I am pretty sure the answer does not depend on the actual uniqueness of the name.
    – User65535
    Commented Jul 9 at 13:50
  • How do you know that the person that e-signed the request is the person named? I can electronically sign a document that my name is Bob Smith. That doesn't mean I am actually Bob Smith and not Bob Smith's stalker. Whatever way allows you to know that the requestor is actually the person he or she claims to be is likely to give you enough context to uniquely identify the subject in your system. Or your inability to identify the individual likely means that you don't know for sure that the person is who he says he is.
    Commented Jul 9 at 23:23
  • Do note some countries - like Germany - not only give you half a dozen ID numbers, but they even ban using those numbers outside of the context you are given them.
    – Trish
    Commented Jul 10 at 10:43

2 Answers


Does a company have an obligation to attempt to answer a GDPR request if the requestor may not have provided sufficient identification information?

No. The data controller has an obligation to not disclose personal data to the wrong/different person (which would be a personal data breach and/or adversely affect the rights and freedoms of other data subjects). The data controller 'may' (perhaps 'must', because it is obliged to facilitate the data subject's exercise of rights) ask the requester for additional information if the data controller has reasonable doubts about the requester's identity.

This information need not be (and in some circumstances shouldn't be) an ID card, passport or sensitive personal data. Maybe you have a customer number or account number; maybe they ask you a security question or shared secret phrase, or they send an email or SMS containing a hyperlink or code. Not for GDPR, but to verify my identity, one bank asked me what my last known account balance was and when. GDPR doesn't specify the authentication system.

Article 12:

  1. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

Recital 57 Additional Information for Identification (not law - guidance):

If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.

Recital 64 Identity Verification (not law - guidance):

The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

European Data Protection Board guidance says:

  1. ... the controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an adequate level of processing security.

  2. The controller should implement an authentication procedure in order to be certain of the identity of the persons requesting access to their data34, and ensure security of the processing throughout the process of handling an access requests in accordance with Art. 32 GDPR, including for instance a secure channel for the data subjects to provide additional information. The method used for authentication should be relevant, appropriate, proportionate and respect the data minimisation principle. If the controller imposes measures aimed at authentifying the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR).

Footnote 34 leads to WP29 Guidelines on the right to data portability - endorsed by the EDPB page 14:

... data controllers must implement an authentication procedure in order to strongly ascertain the identity of the data subject requesting his or her personal data or more generally exercising the rights granted by the GDPR

  • I have added to the question that it is not a question about identification. He is who he claims he is; the request is signed electronically. However, logically thinking, there may be several people with the same name and surname. Do we even need to perform a check if that is the case? Or is it entirely up to us?
    – ZygD
    Commented Jul 9 at 6:39
  • @ZygD You must give the requester, e.g. John Smith, the personal data that relates to him and you must not give him the personal data of any other person named John Smith. You may not deny his request on the basis that he is named John Smith and you have other data subjects named John Smith. Your system must be able to distinguish between John Smiths (and not just for GDPR purposes, surely). You may ask John Smith for additional information so that he is provided the set of personal data that relates to him and no-one else. You must facilitate his rights and protect the rights of others.
    – Lag
    Commented Jul 9 at 7:22
  • On the other hand, it's possible that that distinguishing feature could be lost (if this John Smith is the one with the email address [email protected], that's enough distinction for most business purposes, but email addresses can be lost), and in that case the requestor is probably out of luck. The data holder is obliged not to keep extraneous data like a government ID number merely because it could be used for authentication later.
    – Cadence
    Commented Jul 9 at 11:05

A firstname/lastname combination is clearly not enough identification for an SAR request. If it were, I could request data from anybody I know. That would be wild. I would get all my neighbours' bank data and tax returns and secrets. No, SARs are not a means to just splurge data to random people that know your name.

Generally speaking, if you already have a method of identifying or authenticating users, then that is the preferred method. In other words, if they can sign up with their email, they should be able to request SAR or delete their account after proving they have access to their email (for example by clicking on a link sent to the email).

If they can "log in" whatever that means on your platform, then that is enough.

In case the normal authentication mechanism does not work ("I'm, so sorry, I forgot my password... oh my email? Sorry I changed providers. But I really am that person, believe me!") you are entitled to ask for more information.

While authenticating with you should not expose more private information than you had before, sometimes an ID document is the only choice if the person in question has lost all their provided authentication methods.

And I strongly urge you to do this. Do not send out your users' data to anyone who can spell GDPR correctly and claims not to be able to log in the normal way. Make sure you expose your users' data only to those who can identify themselves as that user.

  • "authenticating with you should not expose more private information, than you had before" Is this based on anything? I had assumed that this would be the case, but cannot find anything official saying so.
    – User65535
    Commented Jul 8 at 15:00
  • @User65535 How would providing information that the data processor doesn't already have be useful in authentication? They can't check it against their records, so it serves no purpose.
    – Barmar
    Commented Jul 8 at 15:06
  • You do not have to do anything until they have provided proof that what they ask for is actually their data. If they don't want to give you proof they are who they tell you they are, you don't have to do anything. Even saying "Yes, some Joe Smith is a customer of ours" would be a breach of privacy if you aren't sure that they are the Joe Smith in question.
    – nvoigt
    Commented Jul 9 at 9:10
  • As an example or guideline of what to do, think of this: you should not give access to data to someone's stalking ex-husband. Even though they know everything, the name, date of birth, address, name of pets, car make and model, email... they are not the person. And you are not allowed to give the real person's data to them. Unless they identify by proving they have access to said email, or have access to said address's mailbox, or have an ID document, they are just a random person on the internet, potentially the real person's stalker or identity thief.
    – nvoigt
    Commented Jul 9 at 9:17
  • Even if the surname is absolutely unique in your system, that doesn't mean it is the person in question. If John Miller comes by your front desk, identifies himself and fills out a form that says "Miller", do you actually intend to give him the data of the "Miller" in your database, just because there is only one in there? Even if it is Jane Miller? The uniqueness of your data has no identifying value.
    – nvoigt
    Commented Jul 9 at 11:39
