Mervinskiy 467


creditworthiness. To verify the data subject’s identity, the consultant asks for notarised certification of his identity to be able to provide him with the required information. The controller should not require notarised confirmation of identity, unless it is strictly necessary, suitable and in line with the national law (for example, where a person is temporarily not in possession of any identity document and proof of the data subject’s identity is required by the national law for the performance of a legal act). Such practice exposes the requesting persons to additional costs and imposes an excessive burden on the data subjects, hampering the exercise of their right of access.

77.

Without prejudice to the above general principles, under certain circumstances, verification on the basis of an ID may be a justified and proportionate measure, for example for entities processing special categories of personal data or undertaking data processing which may pose a risk for data subjects (e.g. medical or health information). However, at the same time, it should be borne in mind that certain national provisions provide for restrictions on the processing of data contained in public documents, including documents confirming the identity of a person (also on the basis of Art. 87 GDPR). Restrictions on the processing of data from these documents may relate in particular to the scanning or photocopying of ID cards or processing of official personal identification numbers [32].

78.

Taking the above into account, where an ID is requested (and this is both in line with national law and justified and proportionate under the GDPR), the controller must implement safeguards to prevent unlawful processing of the ID. Notwithstanding any applicable national provisions regarding ID verification, this may include not making a copy or deletion of a copy of an ID immediately after the successful verification of the identity of the data subject. This is because further storage of a copy of an ID is likely to amount to an infringement, in light of the principles of purpose limitation and storage limitation (Art. 5(1)(b) and (e) GDPR) and any possible national legislation with regards to processing of the national identification number (Art. 87). The EDPB recommends, as good practice, that the controller, after checking the ID card, makes a note, e.g. "ID card was checked", to avoid unnecessary copying or storage of copies of ID cards.

3.4 Requests made via third parties / proxies

79.

Although the right of access is generally exercised by the data subjects as it pertains to them, it is possible for a third party to make a request on behalf of the data subject. This may apply to, among others, acting through a proxy or legal guardians on behalf of minors, as well as acting through other entities via online portals. In some circumstances, the identity of the person authorised to exercise the right of access as well as authorisation to act on behalf of the data subject may require verification, where it is suitable and proportionate (see section 3.3 above). It should be recalled that making personal data available to someone who is not entitled to access it can amount to a personal data breach [33].

80.

In doing so, national laws governing legal representation (e.g. powers of attorney), which may impose specific requirements for demonstrating authorization to make a request on behalf of the data subject, should be taken into account, since the GDPR does not regulate this issue. In accordance with the principle of accountability, as well as of the other data protection principles, the controllers shall be able to demonstrate the existence of the relevant authorization to make a request on behalf of the data subject, except if national law foresees differently (e.g. specific rules regarding the

[32] Several member states introduced such restriction in their national provisions in this regard stating, for example, that making copies of ID cards is lawful only if it results directly from the provisions of a legal act.

[33] Art. 4(12) GDPR.

Adopted - version for public consultation

