Brussels, 20 January – The European Data Protection Board (EDPB) has adopted a report on the implementation of the right of access by controllers. The report summarises the outcome of a series of coordinated national actions carried out in 2024 under the Coordinated Enforcement Framework (CEF). It lists the issues that were observed for some controllers, along with a series of recommendations to help them implement the right of access. A central element is controllers’ awareness of the EDPB Guidelines 01/2022 on data subjects rights – Right of access and whether these guidelines were followed in practice.
EDPB Deputy Chair Zdravko Vukíc said: “The CEF is a valuable initiative that helps strengthen the cooperation among Data Protection Authorities (DPAs): by tackling selected topics in a coordinated fashion, they achieve greater efficiency and more consistency. How controllers implement the right of access lies at the heart of data protection and it is one of the most frequently exercised data subject rights.”
Throughout 2024, 30 DPAs across Europe launched coordinated investigations into the compliance of controllers with the right of access, by opening formal investigations, assessing whether a formal investigation was warranted and/or carrying out fact-finding exercises. A total of 1,185 controllers, consisting of small and medium-sized enterprises (SMEs) and big companies active in different industries and fields, as well as various types of public entities, responded to the action.
Areas of improvement and main challenges
The results suggest that more awareness raising about Guidelines 01/2022 is necessary, both at national and EU level, as the guidelines help controllers implement the right of access, explain how exercising this right can be made easier, and list the exceptions and limitations of the right to access.
As a result of the 2024 CEF action, seven challenges were identified. One of them is the lack of documented internal procedures to handle access requests. In addition, inconsistent and excessive interpretations of the limits to the right of access were also observed, such as overly relying on certain exceptions to automatically refuse access requests. Another example is the barriers that individuals could encounter when exercising their right of access, such as formal requirements or being requested to provide excessive identification documents. For each challenge identified, the report provides a list of non-binding recommendations to be taken into account by controllers and DPAs.
Positive findings
Despite the existing challenges, two thirds of participating DPAs evaluated the level of compliance of responding controllers with respect to the right of access from ‘average’ to ‘high’. One important factor identified as having an impact on the level of compliance was the volume of access requests received by controllers, as well as the size of the organisation. More specifically, large-sized controllers or controllers receiving more requests were more likely to reach a higher level of compliance than small organisations with less resources.
Positive findings were observed across Europe. These include the implementation of best practices by controllers, such as user-friendly online forms enabling individuals to submit an access request easily as well as self-service systems to allow individuals to autonomously download their personal data in a few clicks and at any time.
Background and next steps
The CEF is a key action of the EDPB under its 2024-2027 Strategy, aimed at streamlining enforcement and cooperation among DPAs. In the past three years, two previous CEF actions were carried out.
The results of these national actions are aggregated and analysed together to generate deeper insight into the topic and allowing for targeted follow-up on both national and EU level.
In 2023, the EDPB published the report on its first coordinated action on the use of cloud-based services by the public sector.In 2024, the EDPB also published the report on the outcome of the second coordinated action on the designation and position of Data Protection Officers.
The CEF 2025 action will be on the implementation of the right to erasure.
