DPG Media fined for unnecessary ID requests Summary Our remarks DPG produced magazines that subscribers could • When data controllers are unsure about the receive by taking out a subscription. In order to send identity of a data subject making a request, they the magazines to subscribers, DPG collected personal can request additional information to confirm data, including the subscribers’ names, addresses, and the identity of the data subject in question, as financial information such as bank data. stated in GDPR, Article 12(6). However, this does not entitle the data controller to automatically When individuals requested access to or erasure request more information when receiving requests of personal data, DPG consistently required the from data subjects who are exercising their rights. individual making the request to prove their identity. The assessment of uncertainty regarding identity If the request was submitted through the online form, should be done on a case-by-case basis. DPG immediately prompted the requester to provide an identity document. For requests submitted via • If there is any doubt about the identity of the person email, DPG sent a corresponding email requesting the making a request, data controllers should only submission of proof of identity. DPG maintained that request necessary information, and refrain from a request for proof of identity was necessary before collecting more sensitive personal data. Asking for processing any request. copies of identification documents should only be done when strictly necessary due to the sensitive DPG claimed that, in accordance with GDPR, Article nature of the personal data contained in identity 12(6), it had the right to confirm the identity of cards. individuals involved by obtaining a copy of their identification documents before granting access to or • One way to confirm the identity of a data subject deleting their personal data. could be to look at the subscriber/customer number in combination with the name and address The decision of the Dutch DPA of the requester or by e-mail verification. The Dutch DPA imposed an administrative fine of • Data controllers are obliged to make it as easy as 525,000 EUR on DPG Media Magazines BV (DPG) for possible for data subjects to exercise their rights. hindering the right to access and erasure (GDPR, Article Therefore, data controllers should not implement 12). measures that make it harder for data subjects to request access or exercise their rights. Published: 14-01-2022, Journal number: N/A Tags: 03 Right to erasure and rectification 24