Can the data controller additionally verify the data subject before fulfilling a request for erasure of data?

ANSWER

Under Article 12(2) GDPR, the controller is obliged to facilitate the data subject exercising their rights under Articles 15–22 GDPR, including the right under Article 17 GDPR to be forgotten.

In the situation described, after receiving a request to delete an account, the controller should first, on the basis of Article 12(6) GDPR, verify whether the request actually comes from the person concerned if there are reasonable doubts. If so, it should then be established whether it also concerns exercising the right under Article 17 GDPR, i.e. the right to erasure. A request to delete an account, equivalent to a request to erase personal data, may not explicitly invoke the right to erasure; nevertheless, under Article 12(2) GDPR, the controller must not make erasure more difficult even if the person did not expressly state such a request. Furthermore, there are no uniform forms that must be used in such cases — the controller's obligation is to communicate with the data subject to establish which right they wish to exercise.