
European Data Protection Board: New guidelines on the right of access

21.02.2022

New guidelines from the European Data Protection Board on the right of access require companies to review internal processes and documentation on data protection in order to avoid fines and claims for damages due to insufficient access.

Strict requirements for the provision of access

The European Data Protection Board (EDPB) has recently published new guidelines on the right of access under the General Data Protection Regulation (GDPR) for public consultation.

In their new guidelines, the supervisory authorities formulate strict requirements for the provision of access under data protection law. Above all, the guidelines reaffirm the strict line already taken by the majority of supervisory authorities, which requires companies to provide a copy of all personal data, even if this entails an enormous effort for the company concerned. Selective and individually justified restrictions on such a copy are admissible only in exceptional cases. In addition to names, addresses and contact details, the right of access covers a wide range of other data, such as medical findings, purchase histories, credit scores or activity logs. Copies of data that are not comprehensible in themselves (such as code or “raw data”) also have to be explained to the person requesting access in a comprehensible manner.

In order to be in a position to properly provide information without delay and usually within one month at the latest, companies must proactively prepare for requests for information and, if necessary, create appropriate internal processes, according to the EDPB.

Private enforcement – Claims for damages by data subjects

Breaches of the duty to provide access are subject to official measures and severe fines. For example, according to its Activity Report for 2020 (available in German only), the Hesse Data Protection Authority has punished breaches of these duties with fines in the mid five-digit range.

The strict requirements of the supervisory authorities are also likely to further encourage the current trends in private enforcement in data protection law. Due to the strict official requirements for the provision of access, it seems likely that companies will be confronted with more and more claims for damages for breaches of the duty to provide access, including mass proceedings.

Recent court decisions indicate that Germany is increasingly becoming a claimant-friendly jurisdiction when it comes to alleged data protection breaches. For example, Hamm Regional Labour Court (Landesarbeitsgericht) recently awarded non-material damages of €1,000 for breaches of the duty to provide access. Dusseldorf Labour Court (Arbeitsgericht) even awarded non-material damages of €5,000 for late provision of access. This trend is likely to encourage more and more people to also file claims for damages for breaches of the duty to provide access.

Reviewing internal processes and documentation on data protection in the company

In light of the new EDPB guidelines, we recommend that businesses carefully review and, if necessary, adapt their internal processes and documentation for data protection. In particular, in order to be prepared for access requests, companies are advised to check their guidelines for handling data protection requests and templates for providing access.

The EDPB is currently seeking feedback on its new guidelines in a public consultation that runs until 11 March 2022. Whilst it cannot be ruled out that the EDPB might still make certain changes to its guidelines based on the feedback received, experience shows that such changes are likely to be mere clarifications rather than fundamental modifications. We therefore recommend that companies observe the requirements formulated by the EDPB now, especially since the published version of the guidelines reflects the joint position of the European supervisory authorities.

Data protection litigation

Current developments also make it increasingly important for companies to deal with the challenges, opportunities and risks of data protection litigation at an early stage and in a strategic manner. Data protection law represents both the focus and the crucial link to other areas of law, in particular the relevant procedural and litigation laws. Seamless coordination of data protection and litigation expertise is essential when it comes to defending against mass actions under civil law. With our outstanding experience in handling mass litigation, our well-coordinated teams of recognised data protection and litigation experts are able to support you from a single point of contact.