HBDI (Hesse) - 90.20.77:0245: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Germany |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoDE-HE.png |DPA_Abbrevation=HBDI (Hesse) |DPA_With_Country=HBDI (Hesse) |Case_Numb...")
 
Line 53: Line 53:


=== Facts ===
=== Facts ===
A data subject made an access request with ABIS, a German address management company. The company responded saying that the data subject had to provide a handwritten signature to authenticate their request, claiming they wouldn't be able to identify the data subject otherwise.
Controller is ABIS, a German address management company that is a subsidiary of Deutsche Post Adress GmbH & Co. KG. It checks the addresses of their customers for accuracy, and updates them if needed. Data subject wanted to know what data was stored about them by ABIS, and submitted an access request. The controller responded by saying that the data subject had to provide a handwritten signature to authenticate their request, claiming they wouldn't be able to identify the data subject otherwise. Moreover, they notified the data subject that they would only respond via postal mail.  


They further said they would only respond via postal mail.
The data subject filed a complaint with the Hessian DPA, pursuant to [[Article 77 GDPR]].


=== Holding ===
=== Holding ===
The DPA held that the GDPR imposes no formal requirements on data subject requests and especially doesn't allow the controller to require a signature. The DPA said that a signature cannot even be used to uniquely identify a data subject.
The DPA upheld the complaint and ordered the controller to no longer ask data subjects for a signature for identification, and reply solely via postal mail.  


The DPA further held that always requesting additional identification data from data subjects in response to requests violates [[Article 12 GDPR#6|Article 12(6) GDPR]], which only allows this in the case of reasonable doubts concerning the identity of the data subject.
First, it noted that the GDPR does not impose any formal requirements on data subject requests and definitely does not allow the controller to require a signature for identification. Notably, the DPA stated that a signature cannot even be used to uniquely identify a data subject.  


Finally, the DPA held that controllers have to respond to access request using different transport mediums, not only postal mail.
Moreover, the DPA found that a controller violates [[Article 12 GDPR#6|Article 12(6) GDPR]] if their standard response to an access request, is for the data subject to provide additional data to identify themselves. This provision allows the controller only to request such information in the case of reasonable doubt concerning the identify of the data subject. Finally, the DPA considered that controllers have to respond to access request using different communication channels, and cannot respond exclusively via postal mail.
 
ABIS GmbH accepted the holding and confirmed to the DPA that they would cease both practices.


== Comment ==
== Comment ==
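
Review bot: In the Holding section, the new sentence "ordered the controller to no longer ask data subjects for a signature for identification, and reply solely via postal mail" can be read as an order to reply only by post, which is the opposite of the finding later in the same section that controllers cannot respond exclusively via postal mail. Suggest "... and to no longer reply solely via postal mail". The new Article 12(6) paragraph also has "identify of the data subject" where "identity" is meant.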

Revision as of 12:23, 20 December 2021

HBDI (Hesse) - 90.20.77:0245
Authority: HBDI (Hesse)
Jurisdiction: Germany
Relevant Law: Article 12(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.11.2020
Published: 19.12.2020
Fine: None
Parties: ABIS GmbH
National Case Number/Name: 90.20.77:0245
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: Datenanfragen.de (in DE)
Initial Contributor: Benjamin Altpeter

The DPA of Hesse (the HBDI) held that ABIS GmbH, an address management company, may not require a signature as identification for access requests as per Art. 12(6) GDPR and has to also respond to access requests via other transport mediums than postal mail.

English Summary

Facts

The controller is ABIS, a German address management company that is a subsidiary of Deutsche Post Adress GmbH & Co. KG. It checks the addresses of its customers for accuracy and updates them if needed. The data subject wanted to know what data ABIS stored about them and submitted an access request. The controller responded that the data subject had to provide a handwritten signature to authenticate the request, claiming it would not be able to identify the data subject otherwise. Moreover, it notified the data subject that it would only respond via postal mail.

The data subject filed a complaint with the Hessian DPA, pursuant to Article 77 GDPR.

Holding

The DPA upheld the complaint and ordered the controller to no longer ask data subjects for a signature for identification and to no longer reply solely via postal mail.

First, it noted that the GDPR does not impose any formal requirements on data subject requests and definitely does not allow the controller to require a signature for identification. Notably, the DPA stated that a signature cannot even be used to uniquely identify a data subject.

Moreover, the DPA found that a controller violates Article 12(6) GDPR if its standard response to an access request is to ask the data subject to provide additional data to identify themselves. This provision allows the controller to request such information only in the case of reasonable doubt concerning the identity of the data subject. Finally, the DPA considered that controllers have to respond to access requests using different communication channels, and cannot respond exclusively via postal mail.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.