> You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.
The GDPR doesn't state explicitly how to do identification for subject access requests, only that “The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.” In the case of ask.fm it seems like if the person's identity can be verified by the fact that they can access their account, it's not reasonable to require an official ID.
> You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.
The GDPR doesn't state explicitly how to do identification for subject access requests, only that “The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.” In the case of ask.fm it seems like if the person's identity can be verified by the fact that they can access their account, it's not reasonable to require an official ID.