The European Data Protection Board ("EDPB") has formally launched its third Coordinated Enforcement Framework ("CEF"). The focus of this year's action is on data subject's access rights enshrined in Article 15 of the GDPR.
The CEFs seek to streamline enforcement and cooperation amongst Data Protection Authorities ("DPAs") in Europe, with previous years focusing on the public sector's use of cloud services and data protection officers. This year, thirty-one participating DPAs will circulate fact-finding questionnaires to organisations in their territory, with the aim of identifying the need for formal investigations and launching such investigations where appropriate.
At the conclusion of the CEF, results will be aggregated to offer a pan-European overview and to facilitate targeted follow-up at the EU level. The EDPB will publish a report of these outcomes once the actions are concluded.
On 19 March 2024, Ireland's Data Protection Commission (the "DPC") announced that it will be participating in this year's CEF.
Comment
The right of access is one of the most frequently exercised data protection rights and often leads to the exercise of other data protection rights, such as the right to rectification and the right of erasure. The DPC noted in its Annual Report for 2022 that complaints in relation to the exercise of access rights are the most common complaints, with over 1,000 such complaints received. This has been a consistent theme for DPC Annual Reports over the last number of years, and it is therefore not surprising that the DPC is participating in the CEF.
In order to prepare for the CEF, organisations should review their transparency notices to ensure that data subjects are informed of their right of access and how to exercise this right. In addition, organisations should ensure that they have appropriate policies and procedures in place to ensure that they can respond to access requests in accordance with their obligations under the GDPR. In this regard, organisations should review the EDPB's Guidelines on Data Subject Rights - Right of Access published in 2023 to ensure compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.