EDPB 2024 Coordinated Enforcement Action on the Implementation of the Right of Access by Data Controllers

by | Oct 19, 2023

The European Data Protection Board (“EDPB”) has chosen the topic for its third coordinated enforcement action. Throughout the year, 26 Data Protection Authorities (“DPAs”) across the European Economic Area (“EEA”) including the European Data Protection Supervisor (“EDPS”) will participate in the Coordinated Enforcement Framework 2024 (“CEF”) on the implementation of the right of access by controllers. This initiative is important because to date many companies still struggle when they receive a data subject access request.

The right of access of data subjects has been a part of the European data protection legal framework since its beginning and it is now further developed by more specified and precise rules in Article 15 General Data Protection Regulation (“GDPR”).

Data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed. If this is the case, they can access to the personal data and the other relevant information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients of the data subject personal data;
  • the storage period or the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling.

So how to manage Data Subject Access Requests Efficiently and Effectively

Despite GDPR’s provisions on the data subjects’ right of access, in 2022 the EDPB noted that the GDPR itself is not very prescriptive as to how the controllers have to provide access. The EDPB guidelines 01/2022 on data subject right of access shed some light stating that data controllers:

  • should find a balance between appropriate ways to inform the data subject and the privacy of others (i.e. the controller’s employees) when retrieving the requested data;
  • must document their approach to be able to demonstrate how the means chosen to provide the necessary information are appropriate;
  • can provide access to the data subject through other ways than providing a copy;
  • in case of a processing activity that involves a large amount of personal data, can use a layered approach (i.e. a data controller that analyses big data sets to place customers in different segments depending on their online behaviour). This layered approach, however, should not create an extra burden for the data subject;
  • must carefully decide upon the format in which the copy of the personal data and the information should be provided;
  • can extend the time to respond in certain cases.

In order to be ready to properly manage data subject access request, controllers should then draft in advance a data subject rights (DSR) request policy and procedure. This documentation allows the data controller to maintain procedures to respond to access requests and timely and effectively managed them. Moreover, through a DSR request policy and procedure it would also be possible to maintain the following procedures to:

  • address complaints;
  • respond to requests to rectify personal data;
  • erase personal data;
  • restrict the processing of personal data;
  • respond to requests to opt-out;
  • use the right to data portability;
  • object to the processing of personal data;
  • not be subjected to automated individual decision-making, including profiling.

In addition, it would also be possible to implement:

  • customer Frequently Asked Questions;
  • escalation procedures for serious complaints or complex access requests;
  • procedures to investigate root causes of data protection complaints;
  • metrics for data protection complaints (e.g. number, root cause).

What can DPO Consultancy do for you

Does your organization require assistance in handling data subject requests? Does your organization have already in place a DSR request policy and procedure? Contact us, the Experts in Data Privacy at info@dpoconsultancy.nl, for assistance.