HBDI (Hesse) - 90.20.77:0245

From GDPRhub
Revision as of 12:23, 20 December 2021 by Gr
Authority: HBDI (Hesse)
Jurisdiction: Germany
Relevant Law: Article 12(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.11.2020
Published: 19.12.2020
Fine: None
Parties: ABIS GmbH
National Case Number/Name: 90.20.77:0245
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: Datenanfragen.de (in DE)
Initial Contributor: Benjamin Altpeter

The DPA of Hesse (the HBDI) held that, under Art. 12(6) GDPR, ABIS GmbH, an address management company, may not require a signature as identification for access requests, and that it must also respond to access requests through channels other than postal mail.

English Summary

Facts

The controller is ABIS, a German address management company that is a subsidiary of Deutsche Post Adress GmbH & Co. KG. It checks the addresses of its customers for accuracy and updates them if needed. The data subject wanted to know what data ABIS stored about them and submitted an access request. The controller responded that the data subject had to provide a handwritten signature to authenticate their request, claiming it would not be able to identify the data subject otherwise. Moreover, it notified the data subject that it would only respond via postal mail.

The data subject filed a complaint with the Hessian DPA, pursuant to Article 77 GDPR.

Holding

The DPA upheld the complaint and ordered the controller to no longer ask data subjects for a signature for identification, and to no longer reply solely via postal mail.

First, it noted that the GDPR does not impose any formal requirements on data subject requests and definitely does not allow the controller to require a signature for identification. Notably, the DPA stated that a signature cannot even be used to uniquely identify a data subject.

Moreover, the DPA found that a controller violates Article 12(6) GDPR if its standard response to an access request is to ask the data subject to provide additional data to identify themselves. This provision allows the controller to request such information only in the case of reasonable doubt concerning the identity of the data subject. Finally, the DPA considered that controllers have to respond to access requests using different communication channels, and cannot respond exclusively via postal mail.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.