One of the requirements for controllers in the General Data Protection Regulation (GDPR) when a data subject exercise his or her rights, is the authentication of the data subject. In this article, we will provide some thoughts on what is required for controllers for authentication of data subjects, with the right to data portability (article 20) as an example.
No prescriptive requirements
There are no prescriptive requirements in the Regulation on how to authenticate the data subjects. However, there is a general principle providing that the personal data is kept in a form which permits identification of the individual. Additionally, Article 12 (2) states that the controller “shall not refuse to act on the request of the data subject” exercising his or her right to data portability, unless the controller process personal data for a purpose that does not require identification of the data subject and “demonstrates that it is not in a position to identify the data subject”. If the controller is not able to identify the data subject, the controller must inform the data subject accordingly if possible. There may also be circumstances where the data controller has reasonable doubts concerning the identity of the natural person requesting data portability. Where there is such a concern, the data controller may request the provision of “additional information necessary to confirm the identity of the data subject” before any data transfer has been made.
May the data subject provide additional information for identification?
The data subject will be able to exercise his or her right if they can provide additional information which will enable his or her identification. Providing the additional information for identification will be up to the data subject, as the data controller in these circumstances does not have an obligation to acquire additional information themselves to identify the data subject, if the processing of personal data does not permit the controller to identify a natural person. However, if the data subject provides additional information to support the exercise of the right to data portability, the controller should not refuse this information for the authentication.
According to Recital (57) of the Regulation, identification includes digital identification of a data subject, such as an authentication mechanism with credentials used by the data subject to log into the service offered by the data controller. As the Working Party states, “the data subjects are often already authenticated by the data controller before entering into a contract or collecting his or her consent to the processing”. When a data subject registers for online services, email accounts or on social networks, the data subject will most likely be required to provide a username and password connected to the service, where the data processing and the personal data are linked to that user account. This will according to WP29 be sufficient to authenticate the data subject.
The controller cannot make excessive demands of information from the data subject
The data controller cannot require additional information which will lead to “excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested”.
 Also stated by the WP29, Guidelines v2, 13.
 The principle of storage limitation, cf. Article 5 (1) (e).
 Article 12 (2) cf. 11 (1).
 Article 11 (2).
 Article 12 (6).
 Article 11 (2).
 Recital (57).
 Recital (57).
 WP29, Guidelines v2, 14.
This article is based on the author's master thesis "The Right to Data Portability in Article 20 of the General Data Protection Regulation: An analysis of the legal obligations for data controllers when data subjects requests the right to data portability."