DPA AT: Facilitation requirement of Art. 12 (2) GDPR violated

The Austrian data protection authority (DPA) has decided (DSB-D122.970/0004-DSB/2019 of 8.11.2019) that the facilitation requirement of Art. 12(2) GDPR is violated if a data controller requires unnecessary additional information during the identity check for data subject requests.

The data subject was a user of an online classifieds portal where she had created a pseudonym and only entered her first name and e-mail address, but not her last name. In response to the data subject's deletion request, the controller also requested the last name, among other things, for identification purposes.

In doing so, the controller violated the GDPR's requirement to facilitate the exercise of data subject rights. The further information requested was not necessary for identification, because the stored profile data would have been sufficient, nor was it suitable for this purpose, since the controller had not stored any comparison data against which the requested identification data could have been checked. The DPA therefore set the controller a deadline of two weeks to delete the profile.

On the basis of the FADP, with a strict interpretation, the same result would be possible based on Art. 12 (2) (b), Art. 15 and Art. 4 (2) FADP (claim for deletion after objection to further processing combined with the principle of proportionality).
