The EDPB Guidelines 01/2022 on the “privacy” right of access contain indications that can also be applied generally to the exercise of the other GDPR rights. In this roundup, for example, we will discuss two aspects that are common to the exercise of any right under the Regulation: who holds such rights, and the identification of the data subject.
The guidelines are currently under public consultation until March 11, 2022. On this topic see also the Bulletin of February 10, 2022.
The right-holder is the data subject
The rights enshrined in the Regulation (Articles 15-22) apply only to the data subject, i.e. the individual to whom the personal data relate. Data subjects and personal data define the scope of application of these rights, in subjective and objective terms respectively. As mentioned above, only data subjects are legitimately entitled to exercise these rights (subjective scope), and these rights can only be exercised in relation to the personal data of the data subject (objective scope).
Identifying the perimeter of application on the basis of the “data subject / personal data” dichotomy provides an important interpretative key, both to distinguish “privacy” rights from other similar rights (e.g. a right of access or portability) and to correctly assess the legal scope of those rights.
Identification of the data subject
Since privacy rights are vested only in the data subject, the data controller must verify that the requester is the data subject or a third party delegated by the data subject. The purpose of verifying that the requester is actually entitled to make the request is to avoid the risk of personal data being disclosed to unauthorized parties, which would amount to a personal data breach.
The verification must also comply with:
- the requirement that “[t]he controller shall facilitate the exercise of data subject rights” (Art. 12.2, GDPR)
- the principle of data minimisation and non-excessiveness.
In other words, in implementing the procedure, the controller must not make the exercise of rights difficult and, in choosing the identification method, must prefer one that allows the collection of only the personal data that are strictly necessary to enable the identification.
Conclusions regarding the identification of the data subject
In conclusion, the following highlights can be drawn with regard to the obligation to identify the data subject:
- The controller who receives a request to exercise GDPR rights has an obligation to ensure that the requester is entitled to make it
- This obligation does not imply that the exercise of privacy rights is automatically conditioned on the presentation or the provision of a copy of the requester’s identity document
- The GDPR allows the controller to request additional information from the requester for identification purposes only when there are “reasonable doubts” about the identity of the requester.
- In order to resolve these doubts, the controller must resort to the least invasive methods and avoid collecting unnecessary personal data: among these, double-check methods are preferred, such as a request for confirmation by e-mail, sent by the controller to the address of the requester already known to it
- The presentation or provision of a copy of an identity document is justified only in cases of exposure to higher levels of risk (e.g. vulnerability of the data subjects, special categories of data or data concerning criminal convictions and offences, potentially higher risks for the interested parties); the adequacy of this method must be assessed in advance by the controller, who will also document the outcome, in compliance with the principle of accountability.