GDPR Learning Hub

Proof of identity when data subjects wish to exercise a right

Companies are allowed to request more information for proof of identity when data subjects wish to exercise a right under the GDPR. The GDPR does not specify exactly how a company should carry out the identification. Instead, the company must make its own assessment based on the circumstances of the individual case. 

Request proof of identity when data subjects wish to exercise a right under the GDPR 

When a company has reasonable grounds to doubt the identity of a person who requests to exercise one of their rights under the GDPR, the company has the right to request additional information. An example of when a company may have doubts about identity is if a person has a user account for the company’s service with a registered email address, but submits the request from a different email address.

Minimize the risk of unauthorized access to personal data

If a company discloses personal data on request, but to someone other than the individual to whom the personal data belong, this constitutes a personal data breach. Companies shall prevent personal data breaches through various technical and organisational measures. Therefore, it may be appropriate to first verify the identity of the person making the request for disclosure.

It must be proportionate 

Please note that companies may not process more personal data than necessary for the purpose. The identification must be proportionate. A company therefore does not necessarily need to request a copy of a passport to identify a person, because doing so may pose a security risk. However, it may be appropriate in some cases. Companies need to be able to justify their decisions if they are burdensome, for example by explaining why it is strictly necessary to request an ID document.

Carry out a proportionality assessment

In order for a company to know what information is necessary for the purpose of identification, it must first carry out a proportionality assessment. Among other things, the company must analyse the consequences that the processing may have for the data subject. In addition, the company must consider the types of personal data to which the processing relates. If the processing concerns sensitive personal data, the company may need to take additional measures to ensure the identity of the recipient, so that the information is not disclosed to any unauthorized person. 

Require identification document to identify a data subject 

In some cases, companies have the right to require a copy of an ID document for identification when the data subject wishes to exercise a right. However, this is not always allowed, as it may pose a safety risk. To be allowed, it should both be strictly necessary and have support in law.
