gerryMy GDPR request to the Belgian gov was refused because the ID card copy that was included with the request was not printed in *color*. Can anyone confirm whether that’s a legit #GDPR requirement? Color prints are like €1/page these days, which would add up and make all my GDPR requests a bit costly. #askFedi #lawFedi #Belgium
My understanding of the #GDPR: the proof of ID must be the same instrument that was used when giving consent. If consent was digital (#beID), is color imagery even involved to begin with?
Olm-e
aeris@gerry Request for ID card to answer to an article 15 access request is unlawfull by default. The controller can only ask for ID card if identity doubt.
@gerry The controller MUST request only the minimum information to confirm the data subject identity.
And CAN'T ask for more information than the requested information.
Usually email/phone validation is largely enough to ensure the data subject identity.
And CAN'T ask for more information than the requested information.
Usually email/phone validation is largely enough to ensure the data subject identity.
@aeris it was an art.15 req combined with an art.17 right to erasure. I thought they could demand whatever was used for ID when consent was originally given. So I was assuming the requirement for ID card copy was compliant but thought the demand of a /color/ copy was excessive. Jerry Levine says they can demand color. But iiuc you’re saying they can’t even demand ID card whatsoever.
@gerry They can only ask for ID if there is identity doubt AND no less intrusive way to proof your identity
@gerry If you already exchange with your administration through internal "secure messaging" (lol), you're already authenticated and so no doubt. If you ask for information not related to an ID card, no reason to provide ID card.
You don't have to provide more information or more sensible than the one you ask for.
You don't have to provide more information or more sensible than the one you ask for.
@aeris My gdpr req is sent on paper because their server & my browser are no longer talking.
@gerry In such case, I guess a simple phone call or email validation from what they already know is largely enough to check identity.
@aeris well my paper request included my email and postal address, and black & white id card. Their instructions only give 2 ways: by logging in (which i can no longer do), and on paper.
@gerry You can invoke article 12(6) and recital 64
Additional information only allowed if identity doubt (no doubt, no additional) and additional information must be reasonable
https://gdpr-text.com/read/article-12/#para_gdpr-a-12_6
https://gdpr-text.com/read/recital-64/
Additional information only allowed if identity doubt (no doubt, no additional) and additional information must be reasonable
https://gdpr-text.com/read/article-12/#para_gdpr-a-12_6
https://gdpr-text.com/read/recital-64/