info@winheller.com+49 (0)69 76 75 77 80Mon. - Fri. from 8am to 8pm, Sat. from 8am to 5pm

Request for Information in Germany: This is How Companies Can Identify Data Subjects

Mar 29, 19 • Privacy LawNo Comments
Request for Information in Germany: This is How Companies Can Identify Data Subjects

How can a company make sure that no unauthorized third parties pretend to be data subjects in order to get their valuable data?

Since the General Data Protection Regulation entered into force, data subjects have a right to obtain information from companies about which of their personal data are being processed by a company. Individuals, who wish to exercise their right of access can request a copy of all data that have undergone processing. There are various ways of making requests.

How can I make a request for information?

Most requests are still being made in writing. According to advice provided e.g. by the Federal Commissioner for Data Protection and Freedom of Information (BfDI), a request should better be made in writing. At the same time, people also have the option to request information by telephone or e-mail. In some cases, information may even be requested through the website of the company concerned, for example, on a user’s account.

Correct identification is crucial

Problems in treating requests for information can arise especially when it comes to checking the data subject’s identity. How can a company make sure that no unauthorized third parties pretend to be data subjects in order to get their valuable data?

Possibilities of checking the identity

In particular, when people make use of their right of access to information by telephone, companies will need easy authentication processes. Asking for additional information over the telephone, like the date of birth, the postal code, residential address of the data subject can make things difficult for fraudsters. But difficult does not mean impossible – because members of the family or friends often also know the data requested by the company. Although checking a data subject’s identity over the telephone may be especially convenient, it provides only a limited level of security.

Providing an identity document or a copy thereof seems to be a better alternative here. For this purpose, the controller must provide a secure access path allowing for the transmission by e-mail. Sending the documents by mail, in contrast, does not give rise to any concerns under data protection law.

In addition, the data subject may choose identity checking procedures at the post office or via video chat. In these cases, the data subject’s identity is checked by an employee of a post office or, by way of a video chat, by an employee of a provider of identity checking services.

The more secure, the more complex

However, one thing is true for all methods: The more secure an identity checking method, the more efforts will be required. The balancing act between an identity checking procedure that provides the highest possible level of security while requiring a minimum of effort on the part of the person requesting the information will remain a challenge.

The quality of the data concerned should also be taken into account. More sensitive data require a higher level of security in order to reduce the risk of an unauthorized data transfer and thereby protect the data subject.

Advice from German privacy law experts

In case of doubt, it will be more important to data subjects and controllers that the data do not fall into the hands of a third party. Our privacy law experts will be pleased to provide advice on requests for information from data subjects and on how to avoid data breaches.

Continue reading:
Brexit: Contingency measures for data protection in Germany
Data Protection Compliance in Germany in Three Steps

Olga Stepanova

Olga Stepanova

Attorney Olga Stepanova works for Winheller in the areas of IT law, intellectual property and data protection. Her main fields of expertise include trademark law, copyright law, and competition law.

>> show profile

Leave a Comment

Your email address will not be published. Required fields are marked *

WINHELLER Blog via Newsletter

Subscribe to our free newsletter and receive regular updates on German business law by e-mail. (Mandatory fields are marked with *)

German Business Law News (4 times a year)
I would like to subscribe to the selected newsletter and for that purpose give my consent to WINHELLER to process my above mentioned data. I have read the "Information for Data Processing in the Newsletter Subscription". I understand that I can revoke my consent at any time with effect for the future by clicking the unsubscribe button within the newsletter. *