DO I NEED TO REQUEST A COPY OF AN IDENTIFICATION DOCUMENT IN ORDER TO PROCESS A DATA PROTECTION RIGHT?
More and more people are becoming aware of and exercising their data protection rights. The exercise of these rights -access, rectification, opposition, etc. – involves taking into account a number of considerations regarding the processing of these rights. Today, we are going to talk about the initial part of the process of exercising rights, specifically, the moment when we must identify the user.
When should I identify the person exercising the right?
This is one of the questions we must ask ourselves when processing a data protection right. And we must distinguish between two different cases:
Does not require identification
In this case, when the data processing does not require identification of the person, or no longer requires it, we cannot request additional data to identify the person in order to comply with the regulations.
We may only request additional data when we can prove that we have doubts about the person who is exercising the right. We must always bear in mind that, as these are very personal rights, we must know that the person exercising the right is who he/she should be.
In this case, the law enables us to request certain information that allows us to prove the identity of the person. However, some questions may arise in this regard:
Do we need to request a copy of an identifying document -such as an ID card or passport- in order to be able to follow up on the request submitted to us?
Prior to the entry into force of the Regulation, when a data protection right was exercised, a photocopy of the ID or similar document identifying the person exercising the right -among other documentation- had to be attached to the name and surname of the interested party. The instruction that enables this request can be considered valid as long as it does not contradict the regulations in force. For this reason we can consider appropriate to request information that allows us to prove the identity of the person for this type of processing.
The GDPR establishes that we must use all reasonable measures to verify the identity of the person making the request, taking into account that we will first use the means already available to us and that we will only request additional data when we have doubts about the identity of the person making the request in a reasoned manner.
As a general rule, it should be clarified that we cannot understand that it is a requirement for processing the exercise of a right to require an identification document. It is not advisable to request without justification more information than we already have in order to proceed with the processing of the exercise of the right.
In order for us to request more data to allow the correct identification of the user, we must have an adequate and reasoned argument that allows us to do so.
In short, it is not a “yes or no” answer. The supervisory authority has sometimes ruled that requesting additional information has been excessive and in other cases, it has considered it appropriate. Determining the appropriateness of requesting additional information to identify the user exercising the right requires a thorough assessment, taking into account the different principles and criteria established by the applicable regulations. It is necessary to have a proper assessment and expert advice.