Is it necessary and lawful to request the DNI when exercising data subject’s rights?

The Spanish Data Protection Agency (SDPA) has sanctioned several companies for making this request when it is not fully necessary or proportionate, considering its impact on the personal information of the individual concerned, as it is a measure that presents a very significant risk.

It is important to underline that the GDPR allows the request of information necessary to confirm the identity of the applicant only in cases where there is doubt about the identity of the data subject and there is no other less harmful or risky measure or way to identify the data subject.

In practice, it is very common to request the ID card when exercising rights, as it serves as a guarantee of compliance with the obligations of diligence and a highly secure method of identification. However, multiple resolutions by the SDPA indicate that requesting the ID by default and as a rule, could constitute conduct contrary to the law and may lead to the imposition of a sanction, as has occurred on a number of occasions following a complaint by an applicant for such a request. The rationale behind the sanctions is the fact that there are other more effective and less intrusive methods to verify the identity of the applicant, such as electronic identification, email, or cellular phone. In this way, the processing and requesting of dispensable and unnecessary information contained in the ID would be avoided, and the information that would be requested for identification would comply with the minimization criterion. 

It is vitally important to note the data minimization in Articles 5 and 39 of the GDPR, which state that the need to request personal data must be "adequate, relevant and limited" to the need for which it is requested. Furthermore, as mentioned above, it must be in line with the necessity of the request for the achievement of the purpose for which such documentation is requested. The data controller must strictly limit the collection of data to information that is directly related to the specific purpose sought and must justify its request by complying with the requirements of the GDPR. 

It is for these reasons that the request for the ID should be avoided, as far as possible, and the provision of the ID should be requested when there are reasonable doubts as to the identity of the applicant. There is no rule in the regulation on the exercise of data subject’s rights that requires verification of identity by means of documentation; however, it does regulate the possibility for the data controller to use "reasonable measures" to verify the identity of data subjects, and it is up to the data controller to determine which measures are reasonable in each case. In addition, there are other ways to verify the identity of the applicant, which are less intrusive and do not increase the risk to the protection of the applicant's personal data.

In view of the above, it is advisable for entities requesting identification through documentation to justify this act on the grounds of reasonable doubt as to the identity of the applicant, as it is up to these entities to demonstrate that this is a proportional and necessary measure and that it complies with the regulations on data minimization. 

The SDPA has reaffirmed this recommendation and requirement in various resolutions, giving it great importance and basing it on the need to minimize the data, limiting it to its purpose and the requirement of proportionality between the request for data and its purpose.

In conclusion, the request for the ID is not a prohibited conduct and does not always result in the imposition of a sanction on the entity requesting it, but it is advisable to avoid this measure if exist other alternatives that do not affect data protection principles or provide sensitive information about the data subject. This is a decision for the data controller, who will have to justify the request for such information.