The email used during registration is sufficient. If you don't have email then username+password.

If they don't have that they don't get access to data. They need to be able to prove who they are and reasonably that is the same information that is used during registration.

If password is lost then tough luck.



> If password is lost then tough luck

This is your personal opinion of how it should work, not GDPR.


I doubt that a black-hat attacker is going to file a lawsuit to obtain someone else's personal information.


But what if the request is genuine?


Then the user will be authenticated by the court, and you will have to make your case that without the court's intervention, you could not be certain of the requester's identity.

This isn't black and white. It is legally ok to question the validity of GDPR data subject requests.


> I doubt that a black-hat attacker is going to file a lawsuit

If you tell someone requesting their own data under GDPR “tough luck, you lost your password,” that could invite remedies under the law.


What are they going to sue for? "I can’t identify myself but still want the data of some random person I claim to be"?


GDPR requires the user to identify themselves to request data.

If a password and username is the only possible way of identification then that is enough. And if one cannot provide that then tough luck it is.



