The European Data Protection Board (EDPB) recently published a report on the implementation of the right of access under the General Data Protection Regulation (GDPR). The report highlights the challenges and provides best practices that companies should consider when complying with the right of access.
Implementation of the right of access must be improved
The right of access under Article 15 GDPR guarantees data subjects access to information about the processing of their personal data. This enables them to check the lawfulness of the data processing and, if necessary, assert further data protection rights.
Against this background, the EDPB has prepared a report on the implementation of the right of access by data controllers. The report summarizes the results of a series of coordinated national actions carried out in 2024 under the Coordinated Enforcement Framework (CEF). This involved 30 national data protection authorities. The aim was to review and improve the implementation of the right of access by data controllers.
For the study, data controllers from public and private institutions of different sizes and sectors were surveyed. The results showed that around two thirds of the participating data protection authorities rated the implementation of the right of access as "medium to high".
However, according to the EDPB, the low number of reported requests for information poses a particular challenge. This indicates that many data controllers do not correctly identify such requests or that data subjects rarely exercise their rights.
The EDPB Guidelines 01/2022 provide comprehensive guidance on the correct implementation of the right of access. However, the current report shows that many controllers do not fully implement these guidelines.
Challenges in connection with the right of access
- Insufficient awareness of the right of access
Many data controllers are not sufficiently familiar with the requirements of the GDPR and EDPB Guidelines 01/2022, which leads to inadequate implementation. Better training and regular updating of internal procedural instructions could remedy this.
- Retention periods
The investigation has shown that the retention periods applied to access requests vary widely. Data controllers should define specific and objective criteria for how long such data is stored in order to meet the requirements of storage limitation (Art. 5 para. 1 lit. e GDPR).
- Lack of documented procedures
Smaller companies in particular often have no clearly defined process for handling access requests, which increases the risk of delays or errors. The introduction of standardized procedures and training could help to ensure compliance with the GDPR.
- Barriers to access for affected persons
Some organizations use disproportionate authentication measures or require that requests be submitted exclusively via online forms, which makes it harder for data subjects to exercise their right. Controllers should ensure that requests are processed appropriately regardless of the communication channel through which they are received.
- Incomplete or general information
Data subjects often receive standardized, pre-written information that is not tailored to their specific case. Responses to access requests frequently omit information required by law, such as the specific recipients of the data. Controllers must ensure that the information provided is accurate, complete and tailored to the specific request.
- Abuse of restrictions
Companies sometimes interpret the exceptions to the right of access too broadly, which leads to unjustified refusals.
Best practices for companies regarding the right of access
Despite the existing challenges, "best practices" were also identified:
- Technical solutions: Some controllers have implemented digital tools such as ticket systems to manage requests efficiently.
- Facilitate access: User-friendly online forms and self-service systems make it much easier for data subjects to access their personal data.
- Establish clear processes: Controllers with well-documented procedures and trained staff were able to process access requests more quickly and more comprehensively.
- Careful handling of restrictions: Rejections of requests must be well justified and documented to ensure transparency and legal compliance.
- Improve data management: An up-to-date list of processing activities facilitates the identification of relevant data and recipients.
Reading tip: Right of access in the GDPR - current ECJ case law and EDPB guidelines
Customized solution supports compliance with the right of access
Complying with the right of access is not only a legal obligation; it also strengthens customer trust in your company. The EDPB report shows that by implementing clear processes and regular training, companies can meet the requirements of the GDPR and protect their reputation at the same time.
We will be happy to provide you with further information or support in optimizing your data protection processes. Contact us and we will develop tailor-made data protection and compliance solutions for you.
Please feel free to contact us:
Phone: +1 (954) 852-1633
Mail: info@2b-advice.com
Source: Report on the implementation of the right of access by data controllers