able to identify the advertising profile associated with Mr. X. In this case, the additional information will be the cookie identifier stored in the terminal equipment of Mr. X.
68.
In case of demonstrated impossibility to identify the data subject, the controller needs to inform the data subject accordingly, if possible, since the controller should generally be obliged to respond to requests from the data subject without undue delay and to give reasons where it does not intend to comply with such requests (Recital 59). This information needs to be provided only “if possible”, as the controller may not be in a position to inform the data subjects if their identification is impossible.
3.3 Proportionality assessment regarding identification of the requesting person
69.
As indicated above, if the controller has reasonable grounds for doubting the identity of the requesting person, it may request additional information to confirm the data subject’s identity. However, the controller must at the same time ensure that it does not collect more personal data than is necessary to enable identification of the requesting person. Therefore, the controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, excessive data collection should be avoided while an adequate level of processing security is ensured.
70.
The controller should implement an authentication (verification of the data subject’s identity) procedure in order to be certain of the identity of the persons requesting access to their data[28], and ensure security of the processing throughout the process of handling access requests in accordance with Art. 32, including for instance a secure channel for the data subjects to provide additional information. The method used for authentication should be relevant, appropriate, proportionate and respect the data minimisation principle. If the controller imposes measures aimed at identifying the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimisation and the obligation to facilitate the exercise of data subjects’ rights (Art. 12(2) GDPR).
71.
In accordance with Recital 57, identification should include the digital identification of a data subject, for example through an authentication mechanism such as the same credentials used by the data subject to log in to the online service offered by the controller[29].
72.
In practice, authentication procedures often exist and controllers do not need to introduce additional safeguards to prevent unauthorised access to services. In order to enable individuals to access the data contained in their accounts (such as an e-mail account, an account on social networks or online shops), controllers are most likely to request that the user log in with their login and password to authenticate, which in such cases should be sufficient to identify a data subject[30]. Consequently, it is disproportionate to require a copy of an identity document where the data subjects making their requests are already authenticated by the controller.
73.
It should be emphasised that using a copy of an identity document as a part of the authentication process creates a risk for the security of personal data and may lead to unauthorised or unlawful

[28] WP29 Guidelines on the right to data portability - endorsed by the EDPB, p. 14.
[29] See further guidance regarding authentication methods in the EDPB Guidelines 01/2021 on Examples regarding Data Breach Notification, adopted on 14 January 2021, p. 30-31, and in the EDPB Guidelines 02/2021 on virtual voice assistants, Version 2.0, adopted on 7 July 2021, section 3.7.
[30] WP29 Guidelines on the right to data portability - endorsed by the EDPB, p. 14.
Adopted - version for public consultation