Austrian supervisory authority specifies conditions for proof of identity in case of a request for deletion

Kanzlei Dr. Bahr describes a case in which a person wants to have deleted in an online portal. The identification is made by the first name „Roland“ and the mail address. However, the first name associated with the mail address in the portal is „Petra“, not Roland. The company rejects the deletion request.

The person concerned contacts the information authority. This determines:

15 Since the respondent had no intention of identifying the complainant when processing the complainant’s data, i.e. the existence and legally relevant identity (conformity) of the complainant as a natural person (cf. 4 no. 5 DPA also speaks of a „specific data subject“) with the „online person“ represented in the created user profile and to store corresponding data (such as full name data, date of birth or a verifiable home address), pseudonymised data pursuant to Article 4 no. 5 DPA were available from the outset in the view of the respondent.

Although it would have been conceivable to identify the complainant by collecting additional data, the respondent has, however, what is decisive from the point of view of the data protection authority, expressly made it possible for its users, as the persons affected by the processing, to create pseudonymous user profiles by not requiring any proof of identity when registering. From the outset, the respondent thus refrained from identifying the complainant as a specific data subject within the meaning of Article 11.1 of the DPA. Until the time of the request for cancellation, the complainant was, as it were, only a pseudonym, first name and e-mail address in its user database.

16 Under Article 12(2) of the DSGVO, the complainant has an express duty to facilitate the exercise of the right of cancellation by the person concerned. The data subject may only be identified to the extent that this is necessary in order to check the entitlement to exercise the right of cancellation. In the present case, the stored profile data will be used for the requested deletion of a pseudonymous user profile. A pseudonymous user can identify himself by knowing the login data (user ID, password), by giving details of the stored data content of the profile or by proving his power of disposal over the mailbox whose e-mail address was given during registration. No new data (such as first name, surname, residential address, a copy of an identity card or the graphic image of a handwritten signature) need be collected on this occasion (cf. Art. 11 para. 1 DSGVO).

Moreover, these would not be at all suitable for the intended purpose of identity verification, since no comparative data are stored at the respondent’s premises whose identity (conformity) could be verified with the newly collected data. The complainant has rightly pointed this out.

17 In the case of an appeal, the complainant could have been requested by the respondent to provide both parts of the „unique identifier“, i.e. first name and registered e-mail address, which the respondent so designated.

18 By not contenting itself with this, but insisting on the completion of an extensive form (which is based on the normal case of processing the data of identified, non-pseudonymous natural persons), the respondent infringed the complainant’s right to deletion under Article 12.2 in conjunction with Article 17.1 of the DPA. This was to be established in accordance with § 24.5 sentence 1 of the Data Protection Act [editor’s note: in the original, due to an editorial mistake, „§ 25.1 sentence 1 of the Data Protection Act“].

In accordance with Article 58.2 lit. c DSGVO in conjunction with Article 24.5, second sentence, DSG, the respondent was also to be instructed to delete the user profile with the complainant’s data. In doing so, it had to be taken into account that the complainant had already proved in the course of the proceedings that he knew both parts of the „unique identifier“, so that no corresponding condition had to be set. A period of two weeks seems reasonable and sufficient to carry out a simple data processing operation such as the deletion of a user profile".