European Data Protection Board: Updated guidelines on the right of access

24.04.2023

The updated Guidelines of the European Data Protection Board (EDPB) on the right of access make it necessary for companies to review their internal processes and documentation on data protection in order to avoid fines and claims for damages for failing to provide sufficient access.

Background: Extensive obligation to provide access under the GDPR

The European General Data Protection Regulation (GDPR) requires companies to provide data subjects with information on personal data relating to them without delay upon request – usually within one month at the latest. Firstly, this includes confirming whether the company processes personal data of the person requesting information at all. If this is the case, information on these data must be provided in the form of a copy of the personal data. In addition, certain information about the processing of the data and about the rights of the data subject must be provided.

Strict requirements for the provision of access

In February 2022, the European Data Protection Board published new guidelines on the right of access under the GDPR for public consultation. In these guidelines, the supervisory authorities imposed strict requirements for the provision of access under data protection law.

Following the conclusion of the consultation process, the EDPB recently published an updated version of its guidelines. As expected, the new version does not contain any groundbreaking changes compared to the consultation version. Apart from some editorial corrections, the adjustments focus essentially on clarifying selected points and provide a few additional case examples. Thus, the supervisory authorities are adhering to their strict approach.

Unsurprisingly, in the updated version of its guidelines, the EDPB also addresses in particular the judgment of the European Court of Justice (ECJ) of 12 January 2023. The judgment confirms the strict view already taken by the supervisory authorities in the consultation version of their guidelines that data controllers must, in principle, name all specific data recipients when providing access.

Review of internal processes and documentation of data protection in companies

According to the view of the EDPB expressed in its guidelines, companies must proactively prepare for access requests and, if necessary, create appropriate internal processes for this purpose so that they are able to properly provide access and do so without delay and, as a rule, within one month at most.

In light of the updated EDPB guidelines, companies should therefore carefully review and, if necessary, optimise their internal processes and documentation on data protection. In particular, internal policies for handling requests under data privacy law (data subject access requests) and templates for responding to access requests should be revised in order to be prepared for such requests.

Private enforcement ‒ damages claims by data subjects

Violations of the obligation to provide access can lead to the exercise of a range of powers by the supervisory authorities or to the imposition of substantial fines. For example, the Hessian Data Protection Authority has imposed fines in the mid five-figure range for breaches of the obligation to provide access.

The strict requirements of the supervisory authorities, however, also further encourage private enforcement in data protection law. Companies are increasingly confronted with claims for non-material damages due to breaches of access obligations. It is worth noting in this context that there is an increasing tendency among German courts to render plaintiff-friendly rulings. For example, the Oldenburg Labour Court recently awarded non-material damages in the amount of €10,000 for violations of the right of access. The Düsseldorf Labour Court awarded non-material damages in the amount of €5,000 for a delay in providing access, while the Hamm Regional Labour Court awarded non-material damages in the amount of €1,000.

You can find a detailed overview of the case law of German courts on damages for data protection breaches in our Noerr GDPR Damages Tracker.