(57) If the personal data processed by the controller does not allow it to identify an individual, the controller should not be required to obtain additional information to identify the data subject solely to comply with this Regulation. However, the controller should not refuse to accept additional information from the data subject to facilitate the exercise of his or her rights. Identity verification should include digital identification of the data subject, for example through an authentication mechanism such as the same credentials the data subject uses to log in to online services offered by the controller.
„We are aware of all the risks to our personal data"
Are you sure about that?

