Skip to Main content Skip to Navigation
Conference papers

Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data

Coline Boniface 1 Imane Fouad 2 Nataliia Bielova 2 Cédric Lauradoux 1 Cristiana Santos 3
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
2 INDES - Secure Diffuse Programming
CRISAM - Inria Sophia Antipolis - Méditerranée
Abstract : With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation de nes rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject's national identity card transmitted over an insecure channel. We define how a data controller should react to a subject's request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures.
Document type :
Conference papers
Complete list of metadatas

Cited literature [74 references]  Display  Hide  Download

https://hal.inria.fr/hal-02072302
Contributor : Cédric Lauradoux <>
Submitted on : Tuesday, March 19, 2019 - 9:24:08 AM
Last modification on : Wednesday, July 8, 2020 - 12:43:28 PM
Long-term archiving on: : Thursday, June 20, 2019 - 12:54:21 PM

File

right.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-02072302, version 1

Citation

Coline Boniface, Imane Fouad, Nataliia Bielova, Cédric Lauradoux, Cristiana Santos. Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data. APF 2019 - Annual Privacy Forum, Jun 2019, Rome, Italy. pp.1-20. ⟨hal-02072302⟩

Share

Metrics

Record views

2059

Files downloads

3271