Hacker News
by Silhouette 2149 days ago
I'm genuinely curious: if you were them, what would you do to resolve this without asking the subject to provide any additional data for verification?

There obviously needs to be something confirmed to verify the identity, but by definition personal data is data about an identifiable subject, so there must be something that can be checked.

If a big data hoarder has personal contact details, attempting to reach someone using those in response to a subject request isn't unreasonable. The hoarder will also have obligations under the GDPR regarding keeping data correct and up-to-date, so they should be in a position to do this in most cases or they're probably in violation already.

Some contact details might be checkable against an external reference to confirm they really are still up-to-date before relying on them, in which case a single attempt using that method might be sufficient.

Otherwise, if you can reach someone via two different and reasonably secure methods associated with their profile then it's probably reasonable to assume they are who they say they are.

If the hoarder doesn't have contact details they can use, then apparently there is some other identifying characteristic of the data subjects that makes it personal data, and in that case presumably you'd have to look at that and see how it could be used for verification.