this post was submitted on 24 Nov 2023
9 points (90.9% liked)

Privacy

833 readers
1 users here now

Privacy is the ability for an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.

Rules

  1. Don't do unto others what you don't want done unto you.
  2. No Porn, Gore, or NSFW content. Instant Ban.
  3. No Spamming, Trolling or Unsolicited Ads. Instant Ban.
  4. Stay on topic in a community. Please reach out to an admin to create a new community.

founded 2 years ago
MODERATORS
 

A data controller responded to a #GDPR request under art.15 & 17 (thus, an access request coupled with erasure request). They responded with a refusal, demanding ID card. They probably demanded it be in color, but I responded with a black and white copy of my ID. They refused again, affirming that the ID card must be in color. So then I sent them a color copy, but I used black boxes to redact my facial image and all personal text except my name. They again refused to honor my request, saying “zonder vlekken en met een goede resolutie om te worden geaccepteerd”. That translates into “without spots or stains”, correct? I don’t think that means without redactions.

Anyway, I would like a GDPR expert to confirm or deny whether the controller’s refusal and demands are lawful.

The relevant GDPR text is:

My request (via post) included my residential address and also mentioned a unique email address that only that controller knows me by (though they would not necessarily know it’s unique). Shouldn’t that be sufficient?

I ultimately need to know whether a DPA should get involved.

top 2 comments
sorted by: hot top controversial new old
[–] [email protected] 4 points 11 months ago (1 children)

Demanding ID was the standard procedure under the 95/46 directive, with GDPR any way of proving your identity is enough.

It can range to log in the service to actually demanding an ID if sensible data are handled.

In your case, the Guidelines 01/2022 from the EDPB, especially points 63 to 65, tend to say that you authenticated yourself properly.

=> involve the DPA (dutch or belgian, according the language of the response, but you can anyway check in the Privacy Notice)

[–] [email protected] 2 points 11 months ago

Thanks for the info! Paragraph 75 of that document is also quite interesting.. it confirms that data subjects can redact everything on their ID card apart from their name and the issuing date or expiry date.