Skip to Main content Skip to Navigation
New interface
Conference papers

Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data

Coline Boniface 1 Imane Fouad 2 Nataliia Bielova 2 Cédric Lauradoux 1 Cristiana Santos 3 
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services, Inria Lyon
2 INDES - Secure Diffuse Programming
CRISAM - Inria Sophia Antipolis - Méditerranée
Abstract : With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation de nes rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject's national identity card transmitted over an insecure channel. We define how a data controller should react to a subject's request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures.
Document type :
Conference papers
Complete list of metadata

Cited literature [74 references]  Display  Hide  Download
Contributor : Cédric Lauradoux Connect in order to contact the contributor
Submitted on : Tuesday, March 19, 2019 - 9:24:08 AM
Last modification on : Thursday, August 4, 2022 - 5:18:37 PM
Long-term archiving on: : Thursday, June 20, 2019 - 12:54:21 PM


Files produced by the author(s)


  • HAL Id : hal-02072302, version 1


Coline Boniface, Imane Fouad, Nataliia Bielova, Cédric Lauradoux, Cristiana Santos. Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data. APF 2019 - Annual Privacy Forum, Jun 2019, Rome, Italy. pp.1-20. ⟨hal-02072302⟩



Record views


Files downloads