Is it permissible to ask for identification when processing a Subject Access Request?

In the context of processing a Subject Access Request (SAR) under the General Data Protection Regulation (GDPR), it is indeed permissible to ask for identification to verify the identity of the requester. This is crucial for several reasons.

First, SARs allow individuals to request access to their personal data held by an organization, and it's important to ensure that this sensitive data is not disclosed to unauthorized individuals. By verifying the identity of the requester, organizations protect the personal information of data subjects and comply with their obligations under the GDPR to safeguard personal data.

Second, GDPR encourages data controllers to take appropriate measures to identify the person making the request, especially when dealing with requests that contain sensitive personal information. While organizations may have to take extra steps to verify identity when a request seems to be made by an individual not known to them or if the request is made through a third party, it remains within their rights to require identification in any case to ensure the security of the data process.

This practice aligns with the principles of data protection, reinforcing the organization's commitment to protecting personal data and maintaining trust with individuals regarding their sensitive information.