EDPB's 2024 Coordinated Enforcement Action on the Right of Access

On 20 January 2025, the European Data Protection Board (EDPB) released its report on the 2024 Coordinated Enforcement Framework (CEF) action, which focused on the implementation of the right of access by controllers.

The EDPB established the CEF to streamline enforcement and cooperation among supervisory authorities (SAs) across the European Economic Area (EEA). The 2024 CEF action focused on the right of access, given that it is a fundamental right under the GDPR, enabling individuals to be aware of and verify the lawfulness of the processing of their personal data. This action builds on the EDPB Guidelines 01/2022 on data subjects' rights, which provide comprehensive guidance on implementing the right of access.

Methodology and Participation

Throughout 2024, thirty (30) SAs conducted coordinated investigations into the compliance of various controllers with the right of access. These investigations included fact-finding exercises, assessments to determine the need for formal investigations and the commencement of formal enforcement actions. A standardised questionnaire was used to gather data from 1,185 controllers, encompassing both private entities and public bodies across diverse sectors.

Key Findings

  1. Compliance levels – Eleven (11) SAs assessed the compliance level of responding controllers with GDPR provisions on the right of access as “high”, with one SA even deeming it “very high”. In contrast, seven (7) SAs assessed the level as “average”. Higher compliance was observed among larger organisations and those receiving a significant volume of access requests.

  2. Awareness and implementation – Despite the overall positive compliance levels, there was a notable lack of awareness about the content of the EDPB Guidelines 01/2022. This gap in awareness led to inconsistent implementation of certain aspects of the right of access. However, participating SAs also reported positive findings across the EEA, including the adoption of best practices outlined in the EDPB Guidelines 01/2022, as well as additional proactive measures implemented by controllers (e.g., use of data protection software to efficiently manage and track access requests, appointment of data protection champions, use of optional online forms).

  3. Challenges identified

    • Scope of access – Controllers often interpreted the scope of personal data to be provided too narrowly, excluding certain types of data such as metadata or internal communications, or never including extracts of documents containing the personal data.

      • Suggested recommendations from the EDPB/SAs – Controllers should conduct pre-assessments to identify which types of information may contain personal data and where that data is stored (i.e., which databases). To facilitate this, controllers should maintain up-to-date records of processing activities.

    • Retention periods – There were inconsistencies in the retention periods for access request communications, with some controllers retaining data indefinitely or applying statutory retention periods inappropriately.

      • Suggested recommendations from the EDPB/SAs – Controllers should set retention periods for access request communications based on objective criteria and document their reasoning. In addition, controllers should ensure that communications related to access requests are stored separately from other information about the data subject, which may be subject to different retention periods and access controls within the organisation. Further guidance from SAs on uniform criteria for retention periods would be beneficial.

    • Internal procedures – Many controllers lacked detailed documented internal procedures for handling access requests, leading to potential delays and non-compliance. In particular, several SAs noted that responding controllers struggle to identify access requests effectively, especially when submitted through communication channels not typically used or expected by controllers.

      • Suggested recommendations from the EDPB/SAs – Controllers should train employees to recognise access requests and ensure that all staff are aware of the appropriate channels for handling such requests. Awareness-raising activities and guidance from SAs can help improve compliance.

    • Facilitation barriers – Some controllers imposed unnecessary barriers, such as requiring specific forms or additional identification, which hindered the exercise of the right of access.

      • Suggested recommendations from the EDPB/SAs – Controllers should facilitate access requests through various channels and assess each request on a case-by-case basis to determine the need for additional identification. SAs could issue further guidance on best practices for accessibility.

    • Limits to access – Controllers often misinterpreted the limits and restrictions to the right of access. In that respect, SAs noted that some controllers interpret the restrictions under Articles 12(5) (“manifestly unfounded or excessive”) and 15(4) of the GDPR (“rights and freedoms of others”) too broadly. For example, some controllers refused access requests for reasons such as lack of precision, or only provided partial copies of the personal data for reasons of time or cost efficiency.

      • Suggested recommendations from the EDPB/SAs – Controllers should ensure that any restriction on a data subject’s right of access is justified and that they can clearly explain and demonstrate the reasoning behind their decision. The EDPB and SAs should develop guidance with examples of correct refusal practices and communicate recent case-law to increase awareness among controllers.

Conclusion

The EDPB's 2024 CEF action highlights the importance of the right of access and the need for controllers to enhance their compliance efforts. By following the recommendations described above, which include targeted awareness-raising actions focused on the lesser known or implemented parts of the EDPB Guidelines 01/2022, controllers can ensure that data subjects can effectively exercise their rights. With several SAs planning to launch formal investigations into identified areas of concern, controllers are encouraged to review their current practices and implement the necessary changes to align with the requirements on the right of access under the GDPR.

Lydian’s Information Governance & Data Protection (Privacy) Team is at your service for any further questions you may have regarding the right of access and is ready to help you deal with data subject (access) requests.

Authors

  • Ines Nibakuze
    Associate