In February 2022, both the Dutch Data Protection Authority (DPA) and the Spanish Agencia Española de Protección de Datos (AEPD) imposed a fine on organisations that asked for a copy of the applicant’s identity document when someone requested access to data. Both fines have Dutch “roots” because it was Dutch complainants who triggered the investigations by the two authorities.
This blog discusses the legal requirements and the reasonable measures that an organisation may, or even must, take to verify the identity of the applicant. It does so the basis of the fines reports and the (draft) Guidelines on Data Subject Rights – Right of Access.
Right of access
The GDPR offers data subjects the right of access to their personal data (Article 15 GDPR). That right is aimed not so much at the provision of entire documents but mainly at enabling data subjects to check – based on an overview of their personal data, whether or not contained in entire documents – whether the processing of the data is or was lawful.
The right of access is made up of three components:
- confirmation of whether personal data of the applicant is indeed being processed;
- if so, access to the personal data being processed, for example by providing the documents or a system printout containing the applicant’s personal data; and
- information about the processing activities that take place. Information must, for example, be provided on, inter alia, the purposes and duration of the processing, the recipients of the personal data, and the countries where those recipients are located.
A request for access may basically only be refused if access would adversely affect the rights and freedoms of third parties. This concerns not only the privacy rights of third parties, but can also be invoked, for example, if access could impair the confidentiality of business secrets or other commercially confidential information.
In the (draft) Guidelines on Data Subject Rights – Right of Access, the European Data Protection Board (EDPB) adds that refusal is also appropriate when it is clear that the request does not stem from privacy law, but serves a different purpose. The EDPB would seem to be referring to an abuse of rights in the Netherlands, several examples of which can be found in the case law of the lower courts (for example here and here).
The identity of the applicant
It is important, of course, to check whether the person requesting access is entitled to do so. Basically, a data subjects’ rights under the GDPR are – logically – available only to the data subjects themselves. This is only different if the data subject is represented by a third party, for example in the case of children younger than 16 or persons on whose behalf an administration or mentoring arrangement has been established.
It follows from Article 12 GDPR that if there is any doubt as to the identity of the applicant, the data controller may request additional information before proceeding to deal with the access request. This provision protects the interests not only of data subjects but also those of the controller itself. After all, if personal data is provided to an unauthorised third party, then one is quickly dealing with a data breach, which makes the controller guilty of (other) violations of the GDPR.
The question is, however, how far the above obligation extends: what data may reasonably be requested in order to process the request?
What additional information is permitted?
The answer to this question is to be found in the principle of data minimisation, on the one hand, and the protection of personal data on the other:
- Data minimisation: when verifying the identity of the applicant, personal data requested by a controller must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Protection: as already noted, a controller must ensure appropriate protection of the personal data it processes, including against unauthorised or unlawful processing.
The principle of necessity plays a clear role here: the data requested for the purpose of verifying the identity of the applicant must be in proportion to the purpose of the processing (proportionality), and that objective must not be achievable in a less detrimental, less intrusive way (subsidiarity).
According to the DPA, this amounts to the following steps:
- There must be a policy in place such that data subjects have to identify themselves in the least intrusive way.
- This might mean, for example, being able to submit a request for access from an online account that the data subject already has or by providing personal data that the controller already processes.
- Only if the data controller still has reason – despite having the personal data requested in the first instance and provided by the data subject – to doubt the identity of the applicant, may additional information be requested, but only in such a situation.
- According to the DPA, the additional information must demonstrably contribute to identification of the data subject. This should also be recorded, for example in a register of data subjects’ rights.
Both DPG and Michael Page were found not to offer data subjects an easy and straightforward way of exercising their rights. In both cases, it was standard practice for even data subjects who had an account to be required to send a copy of their ID in order to be given access. That was despite both parties already having information about the data subjects.
According to the two data protection authorities, it was therefore disproportionate to require a copy of an identity document when the identity of the data subject could reasonably be verified by other means. Both parties had therefore dealt too casually with the possibility of requiring – by way of exception – additional information. Moreover, the processing of copies of identity documents can potentially pose a major risk to the security of personal data if the copies are not handled in an appropriate manner.
The DPA also noted that the controller cannot be certain that the copy is authentic and that the owner of the identity document is actually the applicant, for example because of (unauthorised) access to identity documents by housemates and the forging of copies of such documents. Although that is theoretically a correct assumption, it can also be raised as an argument in many other cases (for example in the case of e-mail addresses or log-in data) and can therefore specifically lead to caution on the part of organisations. To an extent, therefore, this seems to contradict what the DPA advocates in the rest of the fines report, namely that in most cases a limited set of data is sufficient to identify a person (remotely).
DPG was fined EUR 525,000 and Michael Page EUR 300,000.
Is requesting a copy of the ID never permissible?
The above does not mean that requiring a copy of an ID document is never permissible when the rights of the controller are exercised. At least, that is the line that seems to have previously been followed in rulings by the (higher) courts. See this ruling by the Council of State:
“The basic premise of requesting a copy of an identity document when access is requested is not considered unreasonable. This ensures proper confirmation of identity without infringing the right of data subjects to freely address the Municipal Executive.”
However, the Council of State too expresses a degree of caution by ruling that providing a copy of the ID does not always need to be decisive:
“In this case, the Municipal Executive noticed that the signature on the request and on the passport did not match the signature on requests that had been submitted previously under the Government Information (Public Access) Act by a person with the same name living at the same address. It could therefore reasonably adopt the position that there was consequently doubt as to the identity of the applicant, and that in this case a mere copy of the passport was not sufficient.”
However, the DPA’s website now states very distinctly that a full copy of a person’s full identity document may “never” be requested – only when there is no other option. In February 2022, the text read that such was “almost never” permissible. Despite this rather rigid basic premise, now is probably a good time for organisations to review their internal policy in this regard.
Don’t hesitate to contact Sophie Hendriks if you require assistance.