EDPB report on the right of access: best practices for companies

The right to information is not always implemented in compliance with the GDPR.

The European Data Protection Board (EDPB) recently published a report on the implementation of the right of access under the General Data Protection Regulation (GDPR). The report highlights the challenges and provides "best practices" that companies should observe when complying with the right to information.

Implementation of the right to information must be improved

The right to information according to Article 15 GDPR guarantees data subjects access to information about the processing of their personal data. This enables them to check the lawfulness of the data processing and, if necessary, assert further data protection rights.

Against this background, the EDPB has published a report on the implementation of the right of access by controllers. The report summarizes the results of a series of coordinated national actions carried out in 2024 as part of the Coordinated Enforcement Framework (CEF). This involved 30 national data protection authorities. The aim was to review and improve the implementation of the right of access by data controllers.

For the investigation, controllers from public and private institutions of different sizes and sectors were surveyed. The results showed that around two thirds of the participating data protection authorities rated the implementation of the right of access as "medium to high".

However, according to the EDPB, the low number of reported requests for information poses a particular challenge. This indicates that many controllers do not correctly identify such requests or that data subjects rarely exercise their rights.

The EDPB Guidelines 01/2022 provide comprehensive information on the correct implementation of the right to information. However, the current report shows that many controllers cannot fully implement these Guidelines.

Challenges in connection with the right to information

  1. Insufficient awareness of the right to information
    Many controllers are not sufficiently informed about the requirements of the GDPR and the EDPB Guidelines 01/2022. This leads to inadequate implementation. Better training and the regular updating of internal procedural instructions could remedy this.

  2. Retention periods
    The investigation has shown that the retention periods for requests for information vary greatly. Controllers should establish specific and objective criteria for the storage of such data in order to comply with the requirements of storage limitation (Art. 5 para. 1 lit. e GDPR).

  3. Lack of documented procedures
    Smaller companies in particular often do not have clearly defined processes for handling requests for information, which increases the risk of delays or errors. The introduction of standardized procedures and training could help to ensure compliance with the GDPR.

  4. Access barriers for data subjects
    Some organizations use disproportionate authentication measures or require the use of online forms only, which makes access more difficult for data subjects. Controllers should ensure that inquiries are processed appropriately regardless of the communication channel.

  5. Incomplete or general information
    Data subjects frequently receive prefabricated information that is not tailored to their specific case. The responses to requests for information often do not contain all the information required by law, such as the exact recipients of the data. Controllers must ensure that the information provided is accurate and tailored to the specific request.

  6. Abuse of restrictions
    Companies sometimes define the exceptions to the right to information too broadly, which leads to unjustified rejections.

Best practices for companies regarding the right to information

Despite the existing challenges, "best practices" were also identified:

  • Technical solutions: Some controllers have implemented digital tools such as ticket systems to manage requests efficiently.
  • Facilitate access: The use of user-friendly online forms and self-service systems makes it much easier to access personal data.
  • Establish clear processes: Controllers with well-documented procedures and trained staff were able to process requests for information more quickly and comprehensively.
  • Careful handling of restrictions: Rejections of requests must be well justified and documented in order to ensure transparency and legal compliance.
  • Improve data management: An up-to-date list of processing activities facilitates the identification of relevant data and recipients.


Reading tip: Right to information in the GDPR - Current ECJ case law and EDPB guidelines

Customized solution supports compliance with the right to information

Compliance with the right to information is not only a legal obligation, but also strengthens customer confidence in your company. The EDPB report shows that by implementing clear processes and regular training, companies can ensure that they meet the requirements of the GDPR and protect their reputation at the same time.

For further information or support in optimizing your data protection processes, please do not hesitate to contact us. We will develop customized solutions for you in the areas of data protection and compliance.

Please feel free to contact us:
Phone: +1 (954) 852-1633
E-Mail: info@2b-advice.com

Source: Report on the implementation of the right of access by controllers
