EDPB CEF 2024 & 2025: Data Subject Rights (& Wrongs)

Challenge

EDPB Recommendations

Lack of awareness about the scope of access

• Controllers should pre-assess which types of information may contain personal data and where this is held. The EDPB Report recommends referring to the controller's record of processing activities (often referred to as a ROPA) to identify possible storage locations of personal data.
• The EDPB Report finds that searches are often too narrow with controllers only searching commonly used databases and not verifying whether they hold additional personal data that falls within the scope of the requestor's access request.
• For repeated access requests, the EDPB Report finds it concerning that many controllers merely inform the requestor of changes to their personal data since their last request, and do not provide full access to their personal data, even though the requestor has not limited their request in that manner.

Retention periods

• The EDPB Report finds that controllers often have inconsistent and unclear practices with regard to how long they retain data related to access requests, with some storing the access request and related communications indefinitely. The EDPB suspects that this may be because controllers are unaware that the data minimisation principle also applies to data and communications related to access requests.
• The EDPB Report recommends that controllers fix a retention period for access request data and communications based on objective criteria and document their reasoning. Therefore, controllers should revisit their retention policy.
• It is also recommended to store access request data and communications separately from other information about the data subject.
• The EDPB Report notes that further guidance from DPAs on deciding retention periods may be helpful for controllers.

Lack of documented internal procedures

• The EDPB Report finds that controllers often have insufficient internal policies and procedures addressing how access requests are to be handled, which can heighten the risk of infringing a data subject's rights. It notes that the EDPB could issue further guidance on the topic.
• Controllers should ensure that they are actively reviewing and (where necessary) improving their data protection practices on an ongoing basis. In particular, the EDPB report suggests that the reviews should consider and take account of the Guidelines on Access Requests.
• Controllers should ensure that all employees are trained to recognise an access request regardless of the submission channel (e.g. channel for customer complaints) and are aware of the appropriate channel to transfer the access request to.
• When a controller is in doubt as to whether an individual's request is in fact an access request, the controller should verify this with the requestor.

Barriers to facilitating the right of access

• The EDPB Report observes that DPAs identified various barriers which prevent data subjects from exercising their right of access, including:
  • Controllers requiring data subjects to use a specific channel for submitting access requests¹ or to make the request in writing. The EDPB Report notes that controllers should ensure that they are prepared to handle an access request even if the request is not submitted through their dedicated channel or in the controller's preferred form.
  • Controllers requesting further information to verify the identity of the data subject. The EDPB Report recommends that each access request, when received, should be assessed on a case-by-case basis to determine if further identification or authentication of the data subject is required. The EDPB comments that asking for further identification documents for all access requests may constitute excessive processing and may create an unnecessary barrier to the data subjects' right of access.
  • Controllers do not always consider the accessibility needs of data subjects when fulfilling an access request (e.g. a verbal response may be more appropriate for a visually impaired data subject).

Inconsistent and excessive interpretations of the limits to the right of access

• The EDPB Report observes that DPAs noticed that controllers often rely too broadly on the exemptions for 'manifestly unfounded or excessive' requests and for 'protecting the rights and freedoms of others'. Examples given include:
  • Some controllers consider requests to be 'manifestly unfounded or excessive' due to their lack of precision, the suspected intentions of the data subject or the associated cost.
  • With respect to the exemption for 'protecting the rights and freedoms of others', some controllers rely on this too broadly where they refuse to provide video footage in its entirety on the basis that other individuals appear in the footage, however, the controller ignores that they could blur or pixilate those individuals or they decide not to for cost reasons.
• The EDPB acknowledges that access requests can be both costly and time-consuming for controllers to handle properly, and that controllers may fear that granting access could expose their organisation to abuse or misuse. However, the EDPB reaffirms that the GDPR provides for very few limits to the right of access and that, importantly, the right of access is not subject to a proportionality assessment with respect to the efforts that the controller is to take. In particular, the concepts of "manifestly unfounded or excessive" should be interpreted narrowly, as "the principles of transparency and cost free data subjects rights must not be undermined".
• The EDPB Report notes that controllers should be aware that where they restrict a data subject's right of access (e.g. reliance on an exemption), they must be able to demonstrate and explain their reasoning for doing so.
• The EDPB suggests that DPAs and the EDPB could develop guidance with examples of correct refusal practices and scenarios to help controllers understand the boundaries within which access requests can be fully or partially rejected.
• The EDPB suggests that the Guidelines on Access Requests be updated to reflect recent caselaw developments from the Court of Justice of the EU on the right of access.

Specification of access requests

• The EDPB Report notes that several DPAs have found controllers, as their default position, asking requestors to further specify or narrow their access request. Some controllers do this without checking whether they actually process a large amount of personal data relating to the requestor or whether the scope of the particular request is unclear.
• The EDPB recommends that controllers assess each access request on a case-by-case basis to verify whether further specification is in fact needed.
• The EDPB Report recommends that controllers provide data subjects with self-service tools or possibilities to preselect one, several or all processing activities which they would like to receive information on.

Additional information on the processing is not tailored to the access request

• As well as providing individuals with access to their personal data, Article 15 of the GDPR also requires the controller to provide additional information about the processing of their personal data including the purposes of the processing, who the data is shared with and how long it is retained for. To satisfy this requirement, many controllers provide the data subject with their standard data protection notice as means for providing the additional information.
• The EDPB Report found that controllers are not tailoring the additional information to the particular access request received and suggests that the practice of providing a data protection notice may be problematic at times. The EDPB Report states: "In particular, pre-existing documents should only be referred to after careful assessment of the specific access request. This is because, on the one hand, these documents often do not contain all information required under Art. 15 (1) and (2) GDPR. On the other hand, not all information provided in these documents may apply to the specific data subject, leaving them to guess which information applies to them specifically (e.g. how long exactly their data will be retained)."(emphasis added)
• The EDPB Report recommends that controllers handle access requests on a case-by-case basis and inform the specific data subject which personal data is processed for which purposes, as well as include information as listed in Art. 15 (1) and (2) GDPR which is tailored to the specific data subject and access request.