Establishing identity

The controller should use all reasonable measures to verify the identity of a data subject who makes a request, particularly in the context of online services.

Where the data controller has reasonable doubts about the individual’s identity, it can ask for additional information in order to confirm his or her identity. If the data controller cannot confirm the individual’s identity, it does not have to provide the information.

The right to obtain a copy of the data must not adversely affect the rights and freedoms of others. This includes trade secrets or intellectual property including copyright protecting the software, but this should not result in a refusal to provide the information. The data controller should find a way of providing the information in a way that does not infringe those rights.