During its March plenary, the European Data Protection Board (“EDPB”) adopted the final versions of three Guidelines.

The EDPB has finalized the “Guidelines on data subject rights – Right of access” after a public consultation, which provides more precise guidance on the implementation of the right of access in different situations. The Guidelines cover various aspects such as  

    • the scope of the right of access,  
    • the information to be provided to data subjects,  
    • the format of access requests,  
    • the main modalities for providing access,  
    • the notion of manifestly unfounded or excessive requests, and  
    • the limitations of the right of access. 


The EDPB also adopted final versions of the targeted updates of “Guidelines for identifying a controller or processor’s lead supervisory authority” and the “Guidelines on data breach notification”. These updates concern the Article 29 Working Party Guidelines on the same subject.  

Regarding data breach notification, the new version clarifies that the responsibility of notification lies with the controller. However, stakeholders raised concerns about operational issues when notifying multiple DPAs. While the targeted update aligns with the GDPR, which does not provide for a one-stop-shop mechanism for controllers established outside EEA, the EDPB considered stakeholders’ feedback. Accordingly, the EDPB will publish a contact list for data breach notification with relevant links and accepted languages for all EEA DPAs on its website. This will facilitate controllers in identifying contact points and requirements per DPA. 


Do you have any questions about developments within privacy and data protection? Contact us, the Experts in Data Privacy, at info@dpoconsultancy.nl for more information.