
"opt-out of data sharing by snail mailing us more information about yourself"

that's gold. EU sic 'em!



The GDPR explicitly allows companies to verify the identity of the requestor for the purposes of fulfilling a data access/erasure request.

The problem with the GDPR is that it was written with the assumption that companies are willing to abide by the regulation, and thus any data provided during the course of identity verification will not be used for any other purpose and so there aren't any problems with companies requesting more PII for the purpose of deleting PII.

Of course in reality certain companies are not willing to abide by the regulation, and entire industries are built on top of not abiding by the regulation, so much so that they're better off operating in breach and lasting for as long as possible (until investigations & fines shut down the entire business) than complying early. We're already seeing this with Google & Facebook that claim to comply with the regulation despite being in breach in various ways (the recent Google GDPR consent prompt is absolutely not compliant) and they are betting on the fact that 1) enforcement will not happen for a long time and 2) when enforcement does happen, the consequences will be less than the profit they made in the meantime.

The same thing applies with, for example, Facebook (or similar) analytics and pixel tracking. They claim they respect the GDPR and will erase any data upon request (in this case the request will need to come from the data controller, i.e. the entity that runs the app which embeds the tracking SDK), but does anyone actually believe that they will delete anything and that data is not also used for other purposes (shadow profiles) in a way that's hard/impossible to detect from the outside?


The GDPR does not allow the processing of personal data at all without a legal basis, and the prevention of unlawful data processing does not require that you submit any identifying details at all!

A company may verify the identity of a person making a deletion request for data processed under a valid legal basis, which seems unlikely to be the case here.


why do requestors need to be validated at all? if a request comes in to delete some data, just delete it. it's not the harvester's data in the first place. in what circumstance is it the harvester's right to gatekeep on others' data?


There can be a legitimate need to validate requests, for example let's assume I don't like you and email the HN mods pretending to be you and asking to delete "my" account.

I agree when it comes to bullshit like advertising/marketing where fraudulent requests cause no harm to the real data subject.


GDPR article 12[0] explicitly permits this:

> Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

Article 17 deals with requesting the deletion of data and article 21 deals with objecting to the processing of your data.

In fact, not verifying the identity of individuals could be legally dangerous because you are in effect allowing an individual to tamper with another individual's data.

[0] https://gdpr-info.eu/art-12-gdpr/


GDPR does not allow disproportionality in the verification process.



