The Danish Data Protection Authority concluded that requiring data subjects to submit a passport, driver’s license, or national identity card in order to exercise their rights does not comply with the GDPR.
The Danish Data Protection Authority has ruled in a case in which a British citizen complained that Pandora A/S had asked him to submit a passport, driver’s license or national identity card before Pandora would consider his request for deletion.
Pandora stated that, for security reasons, the company had established a general procedure for submitting credentials in connection with requests to exercise the rights of data subjects.
The Data Inspectorate found that Pandora’s general procedure, *which without exception required ID validation* in connection with processing requests for the exercise of data subjects’ rights, did not comply with the Data Protection Regulation.
The Danish Data Protection Authority emphasized, among other things, that the data controller has a duty to make a concrete assessment of whether there is a reasonable doubt about the identity of the natural person when receiving requests for the exercise of data subjects’ rights.
This is the first case in which the Danish Data Protection Agency has made a decision as the lead supervisory authority under the “one-stop shop mechanism” in connection with cross-border processing of personal data.
https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/okt/id-validering-ifm-anmodninger-om-udoevelse-af-registreredes-rettigheder/
Paper: Personal Information Leakage by Abusing the GDPR “Right of Access”
A study of the risks related to identifying the data subject in the DSAR context
https://robyns.me/docs/dimartino2019personal.pdf