An update with a response from Lidl, my commentary on it, and suggestions for how to reply
CONSCIENTIOUS CURRENCY
Continuing on the theme of DSARs, I wanted to let you see a reply that my friend has had from Lidl, requesting further identification to process her request for facial recognition data. I have analysed it and suggested to her what to say in a follow-up email. It is all contained below in case it is of help to you in your DSAR requests.
Before we jump in, if you want to read more about the DSAR campaign, please do so in part 1 here (there is a part 2 as well, which you might also want to read).
Why Mass DSAR Campaigns Could Disrupt Digital ID and Facial Recognition in the UK
CONSCIENTIOUS CURRENCY * 16 OCT

Under the UK GDPR, any individual can submit a Data Subject Access Request (DSAR) to an organisation that holds their personal data — including biometric data through digital ID and facial recognition scans. Companies must respond within one month, free of charge, unless the request is “manifestly unfounded or excessive.”
Moving on to the Lidl emails, please see below.
Email received from Lidl
Dear [name redacted]
To process your CCTV request please provide the following:
- Photo ID for verification purposes
- Please provide a copy of the till receipt (if available) or the long number at the bottom of the till receipt as this will greatly help us locate your footage.
- Please let us know exactly what footage you want us to download and send to you? Was there an incident that occurred, which aisle were you in etc?
You have requested ‘All Data’ I am happy to also provide you with a copy of all personal data we hold for you, please can you answer the below questions?
If you hold a Lidl Plus loyalty account with us you will be able to log in and see all your customer data within the app, if you need any help with this please let me know.
If you are happy to, please answer the below questions and I will follow up with our internal teams to obtain any other personal data we may hold for you.
· Have you had an accident on Lidl GB Premises?
· Have you made an insurance claim against Lidl GB?
· Have you ever had a motor accident on Lidl GB land? (e.g. In car park)
· Are you signed up to our newsletter?
· Are you a part of our online community?
· Have you ever participated in a competition run by Lidl GB?
· Have you applied for a job at Lidl GB within the last 6 months?
· Have you ever worked for / been an employee of Lidl GB?
· Have you signed up to Lidl Plus? (if yes, please provide your LP
We will look forward to your response and have an outcome for you within one calendar month.
Yours sincerely,
[Name redacted]
Analysis of Lidl’s DSAR Response for CCTV Footage
Under the UK GDPR, which applies to Lidl GB as a UK-based data controller, the data minimisation principle in Article 5(1)(c) requires that personal data processed must be:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
Identity Verification and Proportionality
Lidl’s request for photo ID (e.g., passport or driving licence) to verify identity for a Data Subject Access Request (DSAR)—particularly when releasing CCTV footage or other store-held data—raises concerns under this principle. Photo ID typically contains highly sensitive personal data, including:
- Biometric facial image
- Nationality
- Date of birth
- Signature
Processing this data for identity verification will be excessive if Lidl already holds sufficient identifiers from your interaction with the store (e.g., transaction records, loyalty account, till receipt, or self-described appearance on CCTV).
Legal Grounds for Challenging Excessive Verification
The legal bases for challenging their request (unnecessary barriers) are:
- Recital 39 of the UK GDPR (retained from the EU GDPR) emphasises that personal data should be processed transparently and securely, and that individuals should be able to exercise their rights easily.
- Article 12(2) UK General Data Protection Regulation: Requires controllers to facilitate the exercise of data subject rights and prohibits refusal unless the controller can demonstrate it is not in a position to identify the data subject.
Lidl’s own response acknowledges that till receipts, transaction times, and CCTV images may be available—yet it still requests photo ID without first attempting verification via less intrusive means.
ICO Guidance on DSAR Verification
The Information Commissioner’s Office (ICO) explicitly advises that controllers should:
- Avoid requesting excessive identification
- Consider alternatives such as:
  - Statutory declarations
  - Existing account login (e.g., Lidl Plus app)
  - Partial payment card details
  - Recent transaction references
If these suffice to locate and match the data subject, demanding photo ID is disproportionate.
CCTV-Specific Considerations
For CCTV requests, you as the data subject are already visible in the footage. Reasonable verification can be achieved by cross-referencing:
- Self-described clothing
- Time of visit
- Till receipt or transaction ID
This avoids introducing new biometric data and aligns with the data minimisation and transparency principles.
Recommended Tiered Verification Approach
Lidl should implement a risk-based, tiered approach to identity verification:
- Till Receipt / Transaction ID – Links individuals to specific event and already logged in Lidl’s systems
- Date, Time & Location Details – Narrows footage to unique segment. Matches till rolls and CCTV timestamps
- Description of Appearance – Matches individuals to footage and avoids new biometric processing
- Lidl Plus Account Login – Verifies identity via existing account. No new data collected
- Partial Loyalty or Payment Data – Confirms identity via known data. Uses controller-held identifiers
Suggested Response to Lidl
Dear [Name],
Thank you for your response. I note your request for photo ID to process my DSAR for CCTV footage. However, under Article 5(1)(c) UK GDPR (data minimisation) and Recital 39, this appears excessive given that you already hold transaction and CCTV data that can reasonably verify my identity.
In line with Article 12(2) and ICO guidance, I propose the following verification:
- Till receipt number: [XXXX]
- Date/time: [DD/MM/YYYY, HH:MM] at [store branch]
- Description: I was wearing [distinctive clothing] in aisle [X], purchasing [items]
Please confirm whether this suffices to locate and verify my identity in the footage. If not, kindly explain why less intrusive methods are inadequate and how the requested ID meets the necessity and proportionality requirements under UK GDPR.
Yours sincerely
[Your Name]
This article (DSAR’s – Part 3) was created and published by Clare Wills Harrison and is republished here under “Fair Use”




