On 28 February, the European Data Protection Board (EDPB) launched its Coordinated Enforcement Framework (CEF) action for 2024. This year, the Luxembourg data protection authority (Commission nationale pour la protection des données, (CNPD)), as well as 30 other data protection authorities (DPAs), will focus their attention on the implementation of the right of access by public and private organisations.
For its third CEF action, the EDPB decided to prioritise the right of access because it is one of the most commonly exercised data protection rights and is the subject of many complaints to DPAs.
In this context, it is important to understand (i) what CEF actions consist of, (ii) what the right of access encompasses and (iii) how organisations should implement this right in practice.
1. Coordinated Enforcement Framework
The CEF is one of the key actions by the EDPB and consists of coordinated investigations into a specific topic conducted by DPAs. These investigations aim to streamline enforcement and cooperation between the authorities.
To determine how organisations are complying with the right of access, DPAs will implement the CEF in the following ways:
- sending questionnaires to organisations to help carry out fact-finding exercises and identify if a formal investigation is needed;
- launching a formal investigation; and/or
- following up ongoing formal investigations.
The results of the CEF will be analysed to gain a deeper understanding of the topic and to help DPAs develop further supervision and enforcement actions at EU level. Once the CEF is finalised, the EDPB will publish a report on its findings.
2. Scope of the right of access
The right of access is enshrined in Article 8 of the EU Charter of Fundamental Rights and further developed and defined in Article 15 of the General Data Protection Regulation (GDPR).
According to the right of access, individuals have the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, the right to access their personal data, as well as additional information in relation thereto (e.g. the purposes of the processing, the categories of personal data, etc.). Individuals also have the right to obtain a copy of the personal data in a commonly used electronic form.
In addition, the information provided should be complete and up to date. However, limiting access to part of the information can be considered in cases where, for example, the data subject has explicitly limited the request to a subset or where exceptions or restrictions to the right of access apply.
Furthermore, it is important to note that the right of access is not absolute as it should not infringe the rights and freedoms of others (e.g. the right of data protection of others and intellectual property rights). In the event of a clash between the rights of two parties, the controller must balance these and, if necessary, appropriate measures mitigating the risks should be implemented (e.g. redacting information). In addition, where requests from a data subject are manifestly unfounded or excessive, the controller may either charge a reasonable fee that reflects the administrative costs of providing the information or refuse to act on the request.
Finally, the requested information should be provided without undue delay and in any event within one month of receiving the request. However, this deadline can be extended by a maximum of two months as required by the complexity of the request.
3. How to properly implement the right of access?
Failure to respond to an access request, a late or incomplete response, or accepting the access right of a data subject whose identity has not been properly verified may lead to sanctions by the competent DPA.
It is therefore vital that all controllers (i.e. companies and public bodies processing personal data):
- define the roles and responsibilities of each employee in a dedicated policy and create a procedure setting out the steps to be followed internally in the event of receipt of an access request (i.e. receipt of the request, transferring the request to the relevant function, verifying the identity of the person making the request, assessing the validity of the request and acknowledgement of receipt, processing the request);
- provide data subjects with a channel through which they can exercise their right of access (e.g. an e-mail address or a dedicated IT application);
- train employees to react appropriately in the event of a request;
- keep a data subject access request register up to date, thus facilitating compliance with the principle of accountability and preventing disputes.