
Absolutely! I remember asking to export my data from one of the services and the support pretty much ignored me (they replied in general but “forgot” to mention anything related to that question).



I wanted to get my data out of ask.fm because I answered quite a lot of questions there back when it was fun. The GDPR export option was nowhere to be found. Opened a support ticket, they asked me for an EU ID... Well, yeah, I don't have one, I'm not an EU resident, I wanted to piggyback on the laws of countries that actually care about their people. But it just struck me that they hate their users this much. Even Facebook didn't go this low.

On an absolutely unrelated note, I reverse engineered ask.fm's client API back when I was actually using it.


Under GDPR I think they're not allowed to require an EU ID. So just say “I'm not required to give you my personal data for this”.


Do you have a source for this?

In my experience, many large companies ask for ID. I am not quite sure which is correct since, on the one hand, they should verify that a request comes from the legitimate account holder, but on the other hand, they should practice data minimization.


I suppose this is a UK source but it should apply to GDPR generally https://ico.org.uk/for-organisations/guide-to-data-protectio...

> You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.

The GDPR doesn't state explicitly how to do identification for subject access requests, only that “The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.” In the case of ask.fm it seems like if the person's identity can be verified by the fact that they can access their account, it's not reasonable to require an official ID.


This is regarding identification; for grishka it was about proving if the law was applicable.


> they should verify that a request comes from the legitimate account holder

Facebook and Google do this by asking you to enter your password again. The ID thing is clearly there to impose a limit based on your nationality.


You can be an EU citizen with a non-EU ID so it makes no sense.


How?


If you have a right of permanent stay in the EU, you're a citizen, even if you're from a non-EU country.

If you have dual nationality between an EU and non-EU country you might have two IDs as well.

Lots of cases like these. I'd call them edge cases but they're really not.


Not identifying a data subject beyond reasonable doubt before sending out highly personal data is itself a GDPR violation - even a data breach which they would have to report to their GDPR officer.


> beyond reasonable doubt

Sure, but on a website log-in info, email confirmation or 2FA is enough for that. Unless you already gave them your ID-card, they shouldn't have to use that to identify you.


I'm not sure about that. Information that is saved about a user might be more security-relevant than what someone - they or someone who hacked their account - might see in their account.

It clearly is something I would not want to have hours of meetings with legal counsel about, so I can see why some organisations may err on the safer side.


You're playing devil's advocate.

If someone has access to your password and 2FA method, they can impersonate you and destroy your reputation, buy things in your name, consult all your old photos and learn everything about you, etc., and no platform will ever ask them for an EU ID at any point in the process.

The idea that a platform asks for an EU ID for any reason other than making the GDPR request process more painful is laughable.


There is a possible reason: the GDPR applies to EU citizens, EU residents, and people within the EU, so it is reasonable they ask you to prove you are one of these categories.


Yeah, no kidding. Of course they want you to prove you're an EU citizen, because they want to make as little effort as possible.

I don't consider that reasonable. Data portability should be a right. You shouldn't have to jump through hoops to exercise that right, and companies shouldn't be asking you "can you prove beyond a doubt that we're legally obligated to give you your data" before doing so.


I agree, I would like them to offer this service to everyone, but the reason they ask for an EU ID is not "emails are too easy, have them suffer" but more likely "we really have not set up a process for this so we will not do this unless forced by the law".

The solution to this is to have their own government implement a GDPR-like policy.


What do they mean by an EU ID? Passport, license? Those have my CPR number (think SSN, but different). There's no way I'm showing that to export a playlist. It's supposed to be kept secret. If your company can't respect the GDPR how am I to expect that you'll safely handle the single most important personal information I have?


Companies think that the data that is portable is your email address, profile picture, address, IP addresses - but other things like posts, comments are not. It is actually not well defined in GDPR and if portability means transferring your profile (e.g. username, email and some details about you only), then GDPR is pretty much useless in that regard.


> Companies think

Which ones have you tried exporting your data from?
