Guidance on how to identify data subjects

On July 1, 2019, the Bavarian Supervisory Authority for the public sector (“SA”) published guidance on how to verify the identity of data subjects exercising their data protection rights under the GDPR. The guidance is directed at public bodies, but is also helpful for private entities.

According to the guidance, the controller may only request the provision of additional information if it has “reasonable doubts” about the data subject’s identity. For example, if the data subject asks the controller to contact him/her using contact details other than those used previously, or if the form or wording of the request appears unusual, then the controller may request additional information.

In these cases, the controller should use “reasonable measures” to verify the identity of the data subject (Recital 64 GDPR). According to the SA, the measures to be used will depend on the nature of the data processed. In line with the principle of data minimization, the controller should consider the following two factors: (i) the information that it requires to identify data subjects, and (ii) the risks associated with providing that information to the wrong person.

For example, for “special categories of data” (Art. 9 GDPR), the controller should take additional precautions to ensure the identity of the data subject than for more “common” personal data, because the risks associated with providing the information to the wrong person in the first case is higher than in the second.

The guidance provides the following examples of measures that can help the controller verify the data subject’s identity:

  • checking the contact details given by the requesting data subject and matching them with any existing contact details already available;
  • if the data subject uses a new email address to send his/her request for access, asking the data subject to confirm the request via the email address previously used;
  • when the data subject and controller are parties to a long-term contractual relationship, asking the data subject to provide information generated in the course of the contractual relationship which is known to both;
  • if the information is highly sensitive, asking the data subject to visit the controller’s office and produce an identity card (a copy of the identity card should only be taken in exceptional cases and in compliance with Section 20(2) of the Identity Card Act (Personalausweisgesetz) and Sec. 18(2) of the Passport Act (Passgesetz)).

According to the SA, once the additional information is no longer needed to identify an individual, it should be deleted.

If a request for access is declined because the controller cannot ascertain the identity of the data subject, the controller must document its identification efforts.

Guidance on how to interpret the right of access

In its most recent annual report, the Hessian Supervisory Authority (“Hessian SA”) commented on the scope of the right of access under Art. 15 GDPR (Link to the report, cf. page 75 et seq.).

According to the Hessian SA, the controller must always provide the data subject a copy of the personal data, even if the data subject does not explicitly request a copy. Additionally, in principle, the controller must provide an explanation of the contents of the copies.

According to the Hessian SA, data subjects do not have the right to obtain a “copy” in the literal sense of a “photocopy” or “data set”. In GDPR terms, “copy” has the meaning of “a summary of the personal data structured in a meaningful way”. For example, where a company uses a human resources information system, providing access may consist of providing an excerpt of the profile of the data subject. Where a company uses a document management or registration system, providing access may consist of listing the stored documents or file numbers relating to the data subject.

Generally, a data subject cannot ask for copies of all documents concerning him or her, but he/she may be entitled to receive copies of individual documents or email correspondence in certain situations. This is the case, for example, where it is absolutely necessary to enable the data subject to check the legality of the personal data processing. If the controller processes large amounts of data about the data subject, it can ask the data subject to be more specific about the data he/she wants to access.

The SA reminds controllers that the right of access has exceptions both under Art. 15(4) GDPR and under the German law implementing the GDPR (cf. sec. 27(2), 28(2), 29(1), 2nd sentence and 34 German Federal Data Protection Act (BDSG)).

Under the GDPR, controllers can refuse to comply with or charge a reasonable fee for requests that are excessive. The controller carries the burden of proof.

If a controller is of the opinion that it has reasonable grounds not to provide access, it must inform the data subject. This information must include the reason for the refusal so that the data subject can verify and/or challenge the controller’s interpretation of the law.