by Avi Gesser, Daniel Forester, Will Schildknecht, Jennifer Leather, and Dr. Carolin Raspé (Hengeler Mueller)
Both the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) require companies to respond to customer data access requests. But how do you know that the person making the request is actually who they say they are? As we have previously noted on Davis Polk’s Cyber Blog, significant amounts of personal information are publicly available as a result of major data breaches, and that stolen data can be used to make fraudulent access requests. So, how can a company avoid turning a good-faith effort to comply with its GDPR or CCPA access rights obligations into a privacy violation by unknowingly providing the personal information of customer X to someone pretending to be customer X? A recent GDPR enforcement action in Germany, as well as guidance from German and California regulators, shows that companies must exercise diligence in making sure that they have properly authenticated the data subject who is making the access request. Continue reading