Enhancing the Right of Access: Findings from the 2024 Coordinated Enforcement Action

For data protection professionals and privacy experts, it is essential to understand recent developments in how the right of access under the GDPR is implemented. The European Data Protection Board (EDPB) has undertaken a Coordinated Enforcement Framework (CEF) initiative to assess how data controllers comply with access requests, with conclusions expected to shape future best practices in data management.

Key Findings:

– Compliance Levels: The 2024 CEF action engaged 30 supervisory authorities across the European Economic Area (EEA), resulting in findings that approximately two-thirds of participating authorities rated compliance levels of responding controllers as between average and high. Increased access request volumes correlated with higher compliance and awareness of the Guidelines 01/2022, reflecting the importance of robust procedures in handling requests effectively.

– Awareness Gaps: Despite positive indicators, the research revealed significant gaps in awareness of Guidelines 01/2022. Controllers exhibited a lack of knowledge about their obligations, notably regarding the information required to fulfill access requests. Many responses from controllers suggest an underestimation of their responsibilities, with a significant number issuing responses that fail to meet the specificity required under the GDPR.

– Challenges Identified: Several challenges emerged during the enforcement action. Many controllers did not adequately understand the scope of information necessary for a lawful response to access requests. Furthermore, the retention of access request communications appeared inconsistent, with some controllers unsure about how long to retain such data, often storing it indefinitely without complying with data minimization principles.

Recommendations for Improvement:

– Training and Documentation: It is critical for controllers to establish documented internal procedures that clearly delineate how to manage access requests. Training staff to recognize access requests across all communication channels will enhance compliance and facilitate more efficient processing.

– Proactive Use of Guidelines: Controllers are encouraged to familiarize themselves with Guidelines 01/2022, which detail how to respond to access requests effectively. Steps should be taken to ensure that responses are tailored to the specific needs of the data subject while sharing relevant details about the personal data processed.

– Engaging with Supervisory Authorities: Regular engagement with supervisory authorities is vital. By involving authorities in training and awareness initiatives, both data subjects and controllers can gain a clearer understanding of their respective rights and obligations.

The findings and recommendations from this ongoing initiative highlight the necessity for continuous improvement in data protection practices, especially concerning the capacity for individuals to access their data.

For further insight into the EDPB’s CEF actions, refer to the full report available at https://www.edpb.europa.eu/system/files/2025-01/edpb_cef-report-2024_20250116_rightofaccess_en.pdf