Indeed. But as a technical guy I wonder which kind of "shared secret" one could provide to a (call center) service-agent to prove the legitimate ownership of an account without doubt?
Companies circumvent this complexity by simply asking you to login before you can request anything. If someone has full access to your account, all information accessible should be considered as insufficient to validate you...
In the end such a GDPR-request without login would probably again be a case-by-case topic which needs to cross the desk of some legal department to approve the action. But yeah, at least there are strict guidelines for response-times and other obligations for the company.
Companies circumvent this complexity by simply asking you to login before you can request anything. If someone has full access to your account, all information accessible should be considered as insufficient to validate you...
In the end such a GDPR-request without login would probably again be a case-by-case topic which needs to cross the desk of some legal department to approve the action. But yeah, at least there are strict guidelines for response-times and other obligations for the company.