HBDI (Hesse) - 90.20.77:0245

From GDPRhub
HBDI (Hesse) - 90.20.77:0245
LogoDE-HE.png
Authority: HBDI (Hesse)
Jurisdiction: Germany
Relevant Law: Article 12(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.11.2020
Published: 19.12.2020
Fine: None
Parties: ABIS GmbH
National Case Number/Name: 90.20.77:0245
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: Datenanfragen.de (in DE)
Initial Contributor: Benjamin Altpeter

The Hessian DPA (HBDI) held that a controller may not require a signature as identification for access requests pursuant to Article 12(6) GDPR, and has to respond to access requests via other transport mediums than postal mail.

English Summary[edit | edit source]

Facts[edit | edit source]

Controller is ABIS, a German address management company that is a subsidiary of Deutsche Post Adress GmbH & Co. KG. It checks the addresses of their customers for accuracy, and updates them if needed. Data subject wanted to know what data was stored about them by ABIS, and submitted an access request. The controller responded by saying that the data subject had to provide a handwritten signature to authenticate their request, claiming they wouldn't be able to identify the data subject otherwise. Moreover, they notified the data subject that they would only respond via postal mail. The data subject filed a complaint with the Hessian DPA, pursuant to Article 77 GDPR.

Holding[edit | edit source]

The DPA upheld the complaint.

First, it noted that the GDPR does not impose any formal requirements on data subject requests and definitely does not allow the controller to require a signature for identification. Notably, the DPA stated that a signature cannot even be used to uniquely identify a data subject. Secondly, the DPA found that a controller violates Article 12(6) GDPR if their standard response to an access request, is for the data subject to provide additional data to identify themselves. This provision allows the controller only to request such information in the case of reasonable doubt concerning the identify of the data subject. Finally, the DPA considered that controllers have to respond to access request using different communication channels, and cannot respond exclusively via postal mail.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.



No signature required for DSGVO requests: Successful complaint against ABIS GmbH.

It pays to complain: ABIS GmbH, an address management subsidiary of Deutsche Post and Bertelsmann, had previously required a signed request for self-disclosures under the GDPR and only sent the answers by post. After a successful complaint to the data protection supervisory authorities, this unlawful behaviour has now been stopped.
Photo of a sheet of paper on which a person is signing. Above it the text: "Complaint against ABIS: Signature not required for GDPR requests".

ABIS GmbH, a subsidiary of Deutsche Post Adress GmbH & Co. KG, offers so-called address management. It checks the addresses of companies' customers for accuracy and updates them, for example, in the event of relocations. For consumers, it is important to know what data ABIS stores about them.

Up to now, ABIS has required a handwritten signature from the person concerned for information requests, because this would be necessary for identification: "We cannot answer requests [...] that are not signed by hand, as it is not possible to clearly identify you", was the reply otherwise. Consumers should send the signed request to ABIS by post, fax or email attachment. ABIS would then answer the request by post.

This behaviour was not legal. The GDPR does not impose any formal requirements for requests about your data protection rights. A company cannot therefore force you to send requests by a specific method, such as registered mail, letter or fax. A simple e-mail is sufficient. This means that a company is not allowed to demand a signed request.
Furthermore, a signature is of course not a suitable identification feature, especially since ABIS GmbH, as an address management company, does not even have signature samples of the people on whom it processes data.

If a company processes your data unlawfully, you can defend yourself with a complaint to the data protection supervisory authorities. This is exactly what @rugk, one of our users, did after we discussed the issue in our issue tracker. He filed a complaint with the Hessian Commissioner for Data Protection and Freedom of Information.

The authority agrees with our legal opinion. It responded to the complaint as follows:

    "The data subject rights do not require a specific form, in particular no signature of the data subject. A clear identification of the data subject is not even possible with a signature. According to Article 12(6) of the GDPR, the controller may only request additional information that is necessary to confirm the identity of the data subject if he has reasonable doubts about the identity of the natural person. An unconditional request for further data is not compatible with this. A signature of the data subject will no longer be required by ABIS GmbH in the future."

She goes on to explain that information may also not only be provided by post:

    "The granting of information requests must also take place via various communication channels. Accordingly, the provision of information by ABIS GmbH will in future no longer take place only by letter post."

The process shows: Complaints are a valuable tool for the enforcement of data protection rights. The positive outcome of @rugk's complaint not only benefits him, but has improved the situation for everyone who makes enquiries about data protection to ABIS GmbH.
Although requiring a signature may sound harmless at first, it is a significant additional hurdle to making requests that has probably deterred some consumers from exercising their rights.

Does a company also deny you the exercise of your data protection rights or process your data unlawfully? Then take a look at our article on data protection supervisory authorities, where we explain exactly how you can complain. The process is simple and free of charge for you. If you have made the relevant request via Datenanfragen.de, you can even create the complaint via the "My Requests" function in our generator.
written by Benjamin Altpeter
on 2020-12-19 at 18:37
published under: Creative Commons Attribution 4.0 International License

Cover photo adapted from: "person writing on white paper" by Cytonn Photography (Unsplash licence)