News

European data protection authorities start coordinated investigation into right of access

11.03.2024

Coordinated by the European Data Protection Board (EDPB), the European data protection authorities recently initiated a broad-based initiative looking into the right of access under the General Data Protection Regulation (GDPR). In Germany, data protection supervisory authorities from Bavaria (BayLDA), Brandenburg, Mecklenburg-Western Pomerania, Lower Saxony, Rhineland-Palatinate, Saarland and Schleswig-Holstein as well as the Federal Commissioner for Data Protection and Freedom of Information (BfDI) are taking part in the action.

During the coordinated investigation, the data protection authorities primarily wish to identify whether and how organisations ensure the right of access in practice. To do so, the authorities will first of all send questionnaires to organisations. On the basis of the responses, further formal investigations by the authorities are to be commenced where necessary. The European data protection authorities intend to jointly agree on additional national regulatory and enforcement measures. Breaches of statutory requirements under the GDPR will be liable for steep fines.

The recently launched action regarding the right of access is the third coordinated enforcement action by the European data protection authorities under their Coordinated Enforcement Framework (CEF) following their investigations into the use of cloud-based services (2022) and the designation and position of data protection officers (2023).

Background: extensive duties to provide access under the GDPR – strict requirements under case law and by the data protection authorities

The GDPR requires that companies provide individuals with access to the personal data relating to them without undue delay and generally within one month upon request. This initially includes confirmation as to whether or not personal data concerning the person requesting access are actually processed in the company. If this is the case, then information about these data is to be provided in the form of a copy of the personal data. Apart from this, certain additional information on the processing of the data and on the rights of the data subject is to be communicated.

The European Court of Justice (ECJ) has sharpened the right of access to personal data under Article 15 GDPR, going beyond the provision’s actual wording. In addition to this, the European data protection authorities formulate strict requirements for the provision of information under data protection law in the EDPB’s guidelines on the right of access, which were updated in 2023.

Reviewing internal procedures and documentation on the right of access at companies – data protection governance

To be able to provide proper access without undue delay and generally within one month at the latest, companies have to be proactively ready to handle requests for access and implement appropriate internal procedures for these purposes where necessary, as stated by the EDPB in its Guidelines.

The handling of requests to exercise the right of access to personal data and any other data protection rights of data subjects is one of the most important core processes of a robust and effective data protection governance within a company. When designing the organisational structures and procedures for data protection in a company, the challenge in practice is to guarantee that data protection requests are handled effectively, while at the same time ensuring maximum efficiency and economical use of resources.

In the light of the coordinated inspection actions by the supervisory authorities, companies should therefore also carefully review their internal procedures and documentation relating to data protection and be quick to initiate any necessary organisational improvements. Above all, companies should review their guidelines for handling requests for access and other data protection requests and their templates for requests for access to make sure that they are prepared both for requests for access by data subjects and for official investigations.