The General Data Protection Regulation (GDPR) significantly enhances data subject rights, including the right to information, access, rectification and erasure. It is common for businesses to question how to deal with data subject access requests (DSAR) where a data subject requests a copy of their personal data.
When responding to a DSAR, an organisation may be required (or think it necessary) to ask a person to prove their identity depending on the type of data requested and their policies. The Data Protection Commission (DPC) has published guidance on this for organisations which, although helpful, does, unfortunately, leave a significant degree of ambiguity. The DPC guidance states that:
“Individuals should be sufficiently clear about what information they are seeking, and proof of their identity should only be requested where reasonable and proportionate to do so…Seeking proof of identity would be less likely to be appropriate where there was no real doubt about identity; but, where there are doubts, or the information sought is of a particularly sensitive nature, then it may be appropriate to request proof. Controllers should only request the minimum amount of further information necessary and proportionate in order to prove the requester’s identity.”
With that in mind, businesses and Data Protection Officers may find themselves asking what constitutes a reasonable request for further information for verifying identity? And do you need to ask for additional information in all circumstances? We look at the DPC’s decision in Re Groupon International Ltd (Groupon), where the DPC went into further detail about what is reasonable and proportionate to request in terms of identity verification for DSARs.
The complainant alleged that Groupon infringed upon his rights under the GDPR. Groupon had required the complainant to provide a copy of his national identity card to verify his identity before effecting his request for the erasure of his personal data. Groupon would not process his request without him providing identification. It’s policy at the time was that an individual must provide identification when making a DSAR. It later effected his second erasure request without his national identity card for verification purposes.
The DPC’s decision turned on the principle of “data minimisation” under Article 5(1)(c) of the GDPR, which states that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. The DPC held that Groupon infringed Article 5(1)(c) by its failure to adhere to this principle. The DPC specified that the infringement occurred when Groupon “required submission of a copy of a national ID card in order to verify account ownership for the purposes of processing an erasure request, in circumstances where no such verification was obtained or required in order to initially open an account.” The DPC advised that a less data-driven means of verification (email confirmation) was available to Groupon at the time.
A company may ask for this kind of data, i.e. a national identity card, if they hold reasonable doubts about the requester’s identity. The DPC provides further guidance to organisations regarding the threshold of reasonability in this decision. The DPC found that Groupon did not demonstrate or indicate that it had reasonable doubts about the complainant’s identity, such as would have justified it in requesting the provision of additional information to confirm his identity under Article 12(6) of the GDPR. Notable, the DPC stated, “the fact that Groupon ultimately gave effect to the erasure request in the absence of the submission of a copy of a national identity card demonstrates that no such reasonable doubts concerning the identity of the complainant existed. As such, the request for additional identification was an infringement of Article 12(2) of the GDPR.”
In essence, Groupon should not have requested that the complainant provide a copy of a national identity card when he submitted his request for the erasure of his personal data without establishing a reasonable doubt concerning his identity or whether the requested document was relevant and proportionate.
The decision highlights the need for organisations to consider both of these principles when verifying individuals’ identities in DSARs. However, there is a delicate balance needed when organisations are processing significant amounts of data or special category data, i.e. health information or biometric data. Organisations need to be sure that they are dealing with the correct individual in a DSAR to ensure they are complying with the GDPR requirements of maintaining “appropriate technical and organisation security measure”. There has been a significant increase in fraud and security breaches in the current climate due to phishing attacks and social engineering to gain access to the ICT systems (DPC Annual Report, 2020). With this backdrop, we think it’s fair to expect that in time the DPC and perhaps the European Data Protection Board may consider issuing further guidance on the meaning of reasonable and proportionate in such circumstances where an organisation needs to verify the identity of the data subject.
We are available to advise businesses with any data protection issues they face. Please contact any member of the Technology team or your usual William Fry contract with any queries.
Contributed by Roisin Culligan