The Austrian data protection authority (DPA) has decided (DSB-D122.970/0004-DSB/2019 of 8.11.2019).that it is the Facilitation requirement of Art. 12(2) GDPR violated if a data controller requires unnecessary additional information during the identity check for data subject requests.
The data subject was a user of an online classifieds portal where she had created a pseudonym and only entered her first name and e‑mail address, but not her last name. Upon the deletion request of the data subject, the responsible party also requested the last name, among other things, for identification purposes.
In doing so, the controller violated the facilitation requirement of the GDPR when exercising data subject rights. The Further information requested was not necessary for identificationbecause the profile data stored would have been sufficient, nor were they suitable for this purpose, since the responsible party had not stored any comparative data whose identity it could have verified with the identification data. The DPO therefore set the responsible party a deadline of two weeks to delete the profile.
On the basis of the FADP – with a strict interpretation – the same result would be possible based on Art. 12 (2) (b), Art. 15 and Art. 4 (2) FADP (claim for deletion after objection to further processing combined with the principle of proportionality).