EDPB Releases 2024 Findings on Access Rights
The European Data Protection Board (EDPB) has released a report on the implementation of the right of access by data controllers, following a series of coordinated national actions under the Coordinated Enforcement Framework (CEF) in 2024. This report highlights issues faced by some controllers and provides recommendations to improve the implementation of the right of access. A key focus is on whether controllers are aware of and adhere to the EDPB Guidelines 01/2022 regarding data subjects’ rights.
Throughout 2024, 30 Data Protection Authorities (DPAs) in Europe conducted coordinated investigations into how controllers comply with the right of access. These investigations involved formal inquiries and fact-finding exercises, with 1,185 controllers from various sectors participating. The findings indicate a need for increased awareness of the Guidelines 01/2022, as they assist controllers in implementing the right of access and clarify exceptions and limitations.
The report identifies seven challenges, including the absence of documented internal procedures for handling access requests and inconsistent interpretations of access limitations. Barriers such as excessive identification requirements also hinder individuals from exercising their rights. For each challenge, the report offers non-binding recommendations for controllers and DPAs to consider.
Despite these challenges, two-thirds of the DPAs rated the compliance level of controllers as average to high. Larger organizations or those receiving more access requests demonstrated higher compliance levels. Positive practices include user-friendly online forms and self-service systems for accessing personal data. The CEF 2025 action will focus on implementing the right to erasure.
