Since the General Data Protection Regulation entered into force, data subjects have had a right to obtain information from companies about which of their personal data are being processed. Individuals who wish to exercise their right of access can request a copy of all data that have undergone processing. There are various ways of making requests.
How can I make a request for information?
Most requests are still made in writing. According to advice provided, for example, by the Federal Commissioner for Data Protection and Freedom of Information (BfDI), a request is best made in writing. At the same time, people also have the option to request information by telephone or e-mail. In some cases, information may even be requested through the website of the company concerned, for example, via a user's account.
Correct identification is crucial
Problems in handling requests for information can arise especially when it comes to checking the data subject's identity. How can a company make sure that no unauthorized third parties pretend to be data subjects in order to get their valuable data?
Possibilities of checking the identity
In particular, when people exercise their right of access by telephone, companies will need easy authentication processes. Asking for additional information over the telephone, such as the data subject's date of birth, postal code or residential address, can make things difficult for fraudsters. But difficult does not mean impossible, because family members or friends often also know the data requested by the company. Although checking a data subject's identity over the telephone may be especially convenient, it provides only a limited level of security.
Providing an identity document or a copy thereof seems to be a better alternative here. For this purpose, the controller must provide a secure access path that allows transmission by e-mail. Sending the documents by mail, in contrast, does not give rise to any concerns under data protection law.
In addition, the data subject may choose identity checking procedures at the post office or via video chat. In these cases, the data subject’s identity is checked by an employee of a post office or, by way of a video chat, by an employee of a provider of identity checking services.
The more secure, the more complex
However, one thing is true for all methods: the more secure an identity checking method is, the more effort it requires. The balancing act between an identity checking procedure that provides the highest possible level of security and one that requires a minimum of effort on the part of the person requesting the information will remain a challenge.
The nature of the data concerned should also be taken into account. More sensitive data require a higher level of security in order to reduce the risk of an unauthorized data transfer and thereby protect the data subject.
Advice from German privacy law experts
In case of doubt, it will be more important to data subjects and controllers that the data do not fall into the hands of a third party. Our privacy law experts will be pleased to provide advice on requests for information from data subjects and on how to avoid data breaches.