1

An individual has asked to be provided with the information on his personal data which is stored by a company (GDPR). He has only provided his name and surname. He has signed the document electronically, i.e., we have no doubt that the one who e-signed owns the provided name and surname. On the other hand, when asked, he refused to provide his national ID number.

Based on general knowledge, not having performed any query yet, a name-surname combination may not be unique, i.e., there may be several people with the same name and surname registered in the company's system. At this point, is the company obliged to scan through its systems in order to attempt to comply with such a request? I mean, first, the company would have to answer the question of whether the subject's name-surname combination points to a single person in the company's system. Then, if he is not the only one, in order to identify the person, does the company need to look at other data which may be provided and which may be stored inside the system (email, home address, etc.)?

Or can the company legally just refuse to provide the information based on potential lack of provided data from the requestor's side?

ZygD
  • 175
  • 8

2 Answers

4

A firstname/lastname combination is clearly not enough identification for an SAR request. If it were, I could request data from anybody I know. That would be wild. I would get all my neighbours' bank data and tax returns and secrets. No, SARs are not a means to just splurge data to random people that know your name.

Generally speaking, if you already have a method of identifying or authenticating users, then that is the preferred method. In other words, if they can sign up with their email, they should be able to request a SAR or delete their account after proving they have access to their email (for example by clicking on a link sent to the email).

If they can "log in" whatever that means on your platform, then that is enough.

In case the normal authentication mechanism does not work ("I'm so sorry, I forgot my password... oh, my email? Sorry, I changed providers. But I really am that person, believe me!") you are entitled to ask for more information.

While authenticating with you should not expose more private information than you had before, sometimes an ID document is the only choice, if the person in question has lost all their provided authentication methods.

And I strongly urge you to do this. Do not send out your users' data to anyone who can spell GDPR correctly and claims not to be able to log in the normal way. Make sure you expose your users' data only to those who can identify themselves as that user.

nvoigt
  • 11,938
  • 1
  • 22
  • 55
1

Does a company have an obligation to attempt to answer a GDPR request if the requestor may not have provided sufficient identification information?

No. The data controller has an obligation to not disclose personal data to the wrong/different person (which would be a personal data breach and/or adversely affect the rights and freedoms of other data subjects). The data controller 'may' (perhaps 'must', because it is obliged to facilitate the data subject's exercise of rights) ask the requester for additional information if the data controller has reasonable doubts about the requester's identity.

This information need not be (and in some circumstances shouldn't be) an ID card, passport or sensitive personal data. Maybe you have a customer number or account number; maybe they ask you a security question or shared secret phrase, or they send an email or SMS containing a hyperlink or code. Not for GDPR, but to verify my identity, one bank asked me what and when was my last known account balance. GDPR doesn't specify the authentication system.

Article 12:

  1. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

Recital 57 Additional Information for Identification (not law - guidance):

If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.

Recital 64 Identity Verification (not law - guidance):

The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

European Data Protection Board guidance says:

  1. ... the controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an adequate level of processing security.

  2. The controller should implement an authentication procedure in order to be certain of the identity of the persons requesting access to their data [34], and ensure security of the processing throughout the process of handling an access request in accordance with Art. 32 GDPR, including for instance a secure channel for the data subjects to provide additional information. The method used for authentication should be relevant, appropriate, proportionate and respect the data minimisation principle. If the controller imposes measures aimed at authentifying the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR).

Footnote 34 leads to WP29 Guidelines on the right to data portability - endorsed by the EDPB page 14:

... data controllers must implement an authentication procedure in order to strongly ascertain the identity of the data subject requesting his or her personal data or more generally exercising the rights granted by the GDPR

Lag
  • 20,104
  • 2
  • 46
  • 76
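Both answers describe the same practical procedure: look the requester up, and if name plus surname is ambiguous (or the name alone cannot be trusted), confirm identity through a channel that is already on file, such as a link or code sent to the stored email address, before releasing anything. The following is an added, constructed example of that flow; it is not code from the original question or answers and not a real system. The records, the 15-minute token lifetime and the single-use rule are assumptions chosen for illustration. The security-relevant detail it shows is that the requester never learns whether a record (or a second person with the same name) exists: the reply to the first step has the same shape whether or not anything matched, the token goes only to an address already in the record, never to one the requester supplies, and the data is released only after the token is presented.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a challenge is valid for 15 minutes

# Constructed sample data set: two data subjects share a name, so name + surname
# alone does not identify a single record (the situation in the question).
RECORDS = [
    {"id": 101, "first": "Anna", "last": "Kowalska", "email": "anna.k@example.org"},
    {"id": 102, "first": "Anna", "last": "Kowalska", "email": "a.kowalska@example.net"},
    {"id": 103, "first": "Jan", "last": "Nowak", "email": "jan@example.com"},
]


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(s.strip().casefold().split())


def find_candidates(first: str, last: str) -> list:
    """Every record matching the name; zero, one or several are all possible outcomes."""
    return [r for r in RECORDS
            if _norm(r["first"]) == _norm(first) and _norm(r["last"]) == _norm(last)]


@dataclass
class Challenge:
    record_id: Optional[int]   # None = decoy challenge that can never succeed
    token_hash: bytes          # only the hash is stored, like a password
    expires_at: float
    used: bool = False


@dataclass
class SarVerifier:
    outbox: list = field(default_factory=list)        # stands in for the e-mail sender
    challenges: dict = field(default_factory=dict)

    def start(self, first: str, last: str, email: str, now: float) -> str:
        """Step 1: requester supplies name, surname and the address they claim is on file.
        A token is sent only if exactly one record matches name AND stored address, and it is
        sent to the stored address. The return value looks the same in every case, so the
        requester cannot tell whether a record exists or whether the name is shared."""
        matches = [r for r in find_candidates(first, last) if _norm(r["email"]) == _norm(email)]
        record_id = matches[0]["id"] if len(matches) == 1 else None  # ambiguity => decoy
        token = secrets.token_urlsafe(32)
        challenge_id = secrets.token_hex(16)
        self.challenges[challenge_id] = Challenge(
            record_id, hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL_SECONDS)
        if record_id is not None:
            self.outbox.append({"to": matches[0]["email"], "challenge_id": challenge_id, "token": token})
        return challenge_id

    def complete(self, challenge_id: str, token: str, now: float) -> Optional[int]:
        """Step 2: requester presents the token received on the stored channel.
        Returns the identified record id, or None (unknown, expired, reused, wrong or decoy)."""
        ch = self.challenges.get(challenge_id)
        if ch is None or ch.used or now > ch.expires_at:
            return None
        ch.used = True  # single use: a wrong guess burns the challenge (assumed policy)
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, ch.token_hash):
            return None
        return ch.record_id


def fulfil_sar(record_id: int) -> dict:
    """Step 3: release the data only for a record id returned by a successful complete()."""
    rec = next(r for r in RECORDS if r["id"] == record_id)
    return {"subject_id": rec["id"], "data": dict(rec)}


if __name__ == "__main__":
    v = SarVerifier()
    # Name alone is ambiguous: two records.
    print(len(find_candidates("Anna", "Kowalska")), "records match the name alone")
    cid = v.start("Anna", "Kowalska", "anna.k@example.org", now=1000.0)
    token = v.outbox[-1]["token"]          # in reality this arrives by e-mail
    rid = v.complete(cid, token, now=1200.0)
    print("verified record:", rid, "->", fulfil_sar(rid) if rid else "refused")
```

The requester's own contact address is used only as a selector against what is already stored; if it matches nothing, or matches more than one record, a decoy challenge is created and nothing is sent, so a request for "Anna Kowalska" from someone who is not her yields no hint that two such customers exist. If the requester has lost access to every channel on file, this flow cannot help and the manual fallback both answers describe (a more burdensome but justified identity check) is the remaining option.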