Why we ask for your ID and address

If you ask to exercise your Data Subject Access rights under the GDPR, we are obliged to establish your identity before we reply. This is to protect your data from falling into the wrong hands. To reliably establish identity, we use a two-factor approach:

  1. You prove that you have access to an official ID card (passport, driver's licence, etc). We only require the copy to state your full name, ID card number and validity period. All other data may be blacked out.
  2. You prove that you have access to a recent proof of address (utility bill, bank statement, etc). We only require the copy to state your full name, your address and the issuing data of the statement. All other data may be blacked out.

Establishing your identity is considered 'data processing' and thus is also subject to the GDPR. We therefore would like to inform you of the following:

  1. We do not need all data present on these copies. We encourage you to black out any unnecessary data and to clearly add the word "Copy". Dutch speakers may find the (free) app and tips at "Kopie ID" useful.
  2. After we establish your identity, we destroy the documents directly after registering (a) the fact that a positive proof of ID and proof of address was supplied, (b) the type of ID used, (c) the ID card number, (d) the type of proof of address used and (e) the issuing date of the proof of address.
  3. We will only use the provided copies of the ID card and proof of address to establish your identity, in order to respond to your Data Subject Access rights request, and to provide proof to authorities that we correctly established your identity. We will not keep or use the information for any other purpose.
  4. The legal basis for processing this data is our legal obligation to establish your identity before we share, modify or delete your data.

If you are unable or unwilling to provide these copies to us, you are free to provide us with alternative proof of identity, or to visit our offices and show your ID to our staff. We will always register the type and identifying details of the proof of ID for our compliance records. If we cannot reliably establish your identity, we will deny your Subject Data Access right request.