I am in the EU.

I asked a company in which I had an account to delete my account. They told me they would do that as long as I sent them an ID and a postal address. This is to ensure that "I am the right person".

I never gave them an ID and a postal address in the first place so how would that verify anything, and I'm using the email that I used to sign-up with them to ask for the deletion.

Am I in the wrong to believe that this should be easier? Are they misinterpreting the GDPR or am I?

What are my options if I do not want to send my ID and postal address?

--

Their arguments are:

Article 5(1)(f) of the GDPR requires us to meet security obligations in data processing. Since data deletion is permanent, we need to ensure that the request is indeed from the person concerned.

Furthermore, Article 12(6) of the GDPR states: "…when the data controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, he may request the provision of additional information necessary to confirm the identity of the data subject."