1. Is having the data subject respond to an e-mail address on file with the Controller considered acceptable?
2. Has there been any further guidance as to the recommended methods to prove the identity of the data subject who is submitting a DSAR?
Assign topic to the user
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. Is having the data subject respond to an e-mail address on file with the Controller considered acceptable?
The data subject can choose whatever means they want to file a request email, post, etc. as long as these are received by the controller.
2. Has there been any further guidance as to the recommended methods to prove the identity of the data subject who is submitting a DSAR?
There is some guidance on the subject issued by the ICO (https://ico.org.uk/media/for-organisations/documents/2259722/subject-access-code-of-practice.pdf). You can also find some additional info in this free webinar Data Subject Rights under the EU GDPR (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/).
Sorry, I wasn't clear on my first question. Can the Controller send an e-mail that they have on file to the Requestor so that they can respond to it to prove their identity?
Note that the controller is entitled to identify the data subject (requestor) and thus, he/she can ask for additional information to be able to validate the identity of the data subject.
Comment as guest or Sign in
Dec 19, 2019