The implementation of the GDPR continues to cause problems, particularly with regard to data subjects‘ rights. For example, companies often do not yet have a proper process for complying with requests for information in line with data protection requirements.
For example, it must be clarified whether the person making the request is really the person concerned.
Meeting deadlines is not everything
Imagine you are asked to process a request for information. You need to determine whether your company processes personal data relating to the person making the request. If this is the case, you clarify what data this is and for what purpose your company processes it. You now prepare a copy of the personal data that is the subject of the processing in order to provide this information.
In doing so, you cannot take as much time as you like. This is because the information must be provided without delay, i.e. without culpable hesitation, but at the latest within one month of receipt of the request for information. Now, however, it must not happen that you send the data copy as quickly as possible – otherwise the data disclosure could turn into a data mishap.
The identity of the applicant must be clarified
The data protection supervisory authorities have repeatedly made it clear that it must be ensured that the data to be disclosed is not made available to unauthorized third parties. This must also be ensured in particular when information is provided verbally or electronically. This therefore means that you must ensure that the person requesting the information actually has the right to do so, i.e. is actually the data subject or a person authorized by the data subject. Every company should ensure this through a process. For many companies, however, this is not yet the case, even though the GDPR has already been applied for three years.
Do not rely on the false verification of identity
Now, there are various ways to verify the identity of a requesting person. On the one hand, this method must comply with data protection requirements, for example, it must not request any unnecessary data. On the other hand, the chosen method must also be secure enough. If you are not yet familiar with the procedure in your company, please find out before you process a request for information. It is also important that you know the limitations of the procedures that are readily used in practice.
For example, whether identification via a user account (i.e., user name and password) is secure depends very much on the password that the user has assigned. If it is too easy to crack, attackers can take over user accounts and use them to spy on further data – possibly via a request for information with a forged identity.
So if a requesting person knows the data subject’s password that exists for one of your company’s online services and is able to log in, this does not mean that it is really the data subject who is making the request. So be careful, because identity theft on the Internet is rampant. For example, the highly widespread phishing attacks are based precisely on a fake digital identity designed to inspire trust and elicit confidential data. The request for information by mail can therefore also be a fake.
Is it really the person concerned? Take the test!
Question: If a person requests information about a known e-mail address, it can be assumed that the request is genuine and legitimate. Is this true?
- no, because the sender information can be faked.
- yes, but only if it is an encrypted, signed email from the sender.
Solution: Answers 1 and 2 are correct. Sender information in e-mails can be falsified, and you don’t even need to have the e-mail password of the person concerned to do this; it is sufficient to edit the sender information in the mail program of the (criminal) sender. However, if attackers were able to steal the email password, the email may even be genuine. But the identity is a stolen one and is not true. The Federal Data Protection Commissioner writes about the right to information: „It is advisable to request information in writing or in a secure electronic form (for example, by De-Mail or by encrypted e-mail using the Pretty Good Privacy (PGP) or GnuPG program).
Question: The copy of an identity card may not contain any blackened parts if a person requesting information is to use it to prove his or her identity in the information procedure. Is this correct?
- yes, the copy must be complete and easy to read.
- no, the copy must be legible, but it may contain certain passages that have been blacked out because they are not necessary for identity verification.
Solution: Answer 2 is correct. On the subject of „copy of ID card“, the data protection supervisory authorities have pointed out that data subjects should black out personal data that is not required on the copy of the ID card (such as eye color, height, ID number, signature). Other data, such as the surname and first name, must of course not be made unrecognizable. Information on identity verification for electronic requests for information pursuant to Art. 15 GDPR can also be found at: https://www.baden-wuerttemberg.datenschutz.de/identitaetspruefung-bei-elektronischen-auskunftsersuchen-nach-art-15-ds-gvo/