Skip to main content

30. How would a data holder be able to verify a legitimate user?

Article 4(5) of the Data Act states that, for the purpose of verifying a person as a possible user, ‘a data holder shall not require that person to provide any information beyond what is necessary’. Recital 29 explains that ‘Data holders may require appropriate user identification to verify a user’s entitlement to access the data.’ The ‘information’ that a user may be requested to provide must therefore conclusively demonstrate that a person is a user (i.e. someone who ‘owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services’ (Article 2(12) of the Data Act). Given users’ vested interest in accessing the data, it is reasonable to expect that they will try to properly identify themselves. Recital 21 provides guidance on how a data holder can verify users. According to this recital, access should be granted to the user: on the basis of simple request mechanism granting automatic execution and not requiring examination or clearance by the manufacturer or data holder. (…) Where automated execution of the data access request is not possible, for example via a user account or accompanying mobile application provided with the connected product or related service, the manufacturer should inform the user as to how the data may be accessed. Data holders are therefore free to set up the specific process to identify users but must still comply with Article 4(4) and (5) of the Data Act. Data holders can assess, for instance, (i) what best fits the type of product; (ii) the type of user (consumer vs industrial); (iii) the number of likely users (single owner of an elevator vs multiple users in car rental); (iv) the expected frequency of data access requests; (v) presence of specific mechanisms of demonstrating ownership (e.g. car holder registration); (vi) the cost of setting up differentiated user accounts; and (vii) the ease of use of such accounts for the actual consumers. Where applicable, solutions such as the EU Digital Identity Wallet could be envisaged. With respect to personal data, Recital 34 of the Data Act explains that ‘Personal data may only be requested by a controller or a data subject (…) Where the user is not the data subject but an enterprise, including a sole trader, and not in cases of shared household use of the connected product, the user is considered to be a controller.’ Recital 34 recalls that users that are data subjects can always access personal data concerning themselves. It also clarifies that users who are not data subjects are controllers under the GDPR and must comply with their obligations under the GDPR when requesting personal data from IoT devices.