EDPB CEF 2024 & 2025: Data Subject Rights (& Wrongs)
The European Data Protection Board ("EDPB") has launched its Coordinated Enforcement Framework ("CEF") action for 2025, which will centre on the right to erasure under Article 17 of the General Data Protection Regulation ("GDPR"). This marks a thematic continuation of the EDPB's focus on the implementation of data subject rights, following last year's CEF action on the right of access.
The EDPB is composed of representatives from the various EU Data
Protection Authorities ("DPAs") and its
goal is to ensure a consistent application and enforcement of the
GDPR across EU Member States. The CEF is an action of the EDPB
under its 2024-2027 strategy, which seeks to streamline enforcement
and cooperation among DPAs. The reports that the EDPB produces with
its findings from a CEF action usually contain key learnings which
ought to be implemented by controllers seeking to ensure compliance
with the GDPR.
CEF 2025 – The Right to Erasure
According to the EDPB, the right to erasure was chosen as the CEF action for 2025 because it represents one of the most commonly exercised rights under the GDPR and is a frequent source of complaints received by DPAs. Thirty DPAs across Europe, as well as the European Data Protection Supervisor, will take part in this initiative.
CEF 2024 – The Right of Access
Earlier this year, the EDPB adopted a report on the
implementation of the right of access by controllers, arising from
the 2024 CEF action (the "EDPB Report").
The 2024 CEF action involved 1,185 controllers of varying size,
industry and sectors. The EDPB Report provides useful
recommendations for controllers on how to comply with the right of
access. In particular, it recommends that controllers assess access
requests on a case-by-case basis. The EDPB Report further observed
that controllers were less aware of the content of the 'EDPB
Guidelines 01/2022 on data subject rights – Right of
access' (the "Guidelines on Access
Requests") which provide extensive guidance to
controllers on implementing right of access and the various
exemptions available.
Around two-thirds of DPAs rated the compliance level of
responding controllers as 'average' to 'high'.
Higher compliance was observed among controllers receiving a larger
volume of access requests and larger organisations. While a number
of positive practices are included in the EDPB Report, there are
also challenges identified, for which the EDPB has included
non-binding recommendations:
Challenge: Lack of awareness about the scope of access
EDPB recommendations:
- Controllers should pre-assess which types of information may contain personal data and where it is held. The EDPB Report recommends referring to the controller's record of processing activities (often referred to as a ROPA) to identify possible storage locations of personal data.
- The EDPB Report finds that searches are often too narrow, with controllers only searching commonly used databases and not verifying whether they hold additional personal data that falls within the scope of the requestor's access request.
- For repeated access requests, the EDPB Report finds it concerning that many controllers merely inform the requestor of changes to their personal data since the last request, rather than providing full access to their personal data, even though the requestor has not limited their request in that manner.

Challenge: Retention periods
EDPB recommendations:
- The EDPB Report finds that controllers often have inconsistent and unclear practices regarding how long they retain data related to access requests, with some storing the access request and related communications indefinitely. The EDPB suspects that this may be because controllers are unaware that the data minimisation principle also applies to data and communications related to access requests.
- The EDPB Report recommends that controllers fix a retention period for access request data and communications based on objective criteria and document their reasoning. Controllers should therefore revisit their retention policy.
- It is also recommended to store access request data and communications separately from other information about the data subject.
- The EDPB Report notes that further guidance from DPAs on deciding retention periods may be helpful for controllers.

Challenge: Lack of documented internal procedures
EDPB recommendations:
- The EDPB Report finds that controllers often have insufficient internal policies and procedures addressing how access requests are to be handled, which can heighten the risk of infringing a data subject's rights. It notes that the EDPB could issue further guidance on the topic.
- Controllers should ensure that they are actively reviewing and (where necessary) improving their data protection practices on an ongoing basis. In particular, the EDPB Report suggests that these reviews should consider and take account of the Guidelines on Access Requests.
- Controllers should ensure that all employees are trained to recognise an access request regardless of the submission channel (e.g. the channel for customer complaints) and are aware of the appropriate channel to which the access request should be transferred.
- When a controller is in doubt as to whether an individual's request is in fact an access request, the controller should verify this with the requestor.

Challenge: Barriers to facilitating the right of access
EDPB recommendations:
- The EDPB Report observes that DPAs identified various barriers which prevent data subjects from exercising their right of access, including:
  - Controllers requiring data subjects to use a specific channel for submitting access requests [1] or to make the request in writing. The EDPB Report notes that controllers should ensure that they are prepared to handle an access request even if it is not submitted through their dedicated channel or in the controller's preferred form.
  - Controllers requesting further information to verify the identity of the data subject. The EDPB Report recommends that each access request, when received, be assessed on a case-by-case basis to determine whether further identification or authentication of the data subject is required. The EDPB comments that asking for further identification documents for all access requests may constitute excessive processing and may create an unnecessary barrier to the data subject's right of access.
  - Controllers not always considering the accessibility needs of data subjects when fulfilling an access request (e.g. a verbal response may be more appropriate for a visually impaired data subject).

Challenge: Inconsistent and excessive interpretations of the limits to the right of access
EDPB recommendations:
- The EDPB Report observes that DPAs noticed controllers often relying too broadly on the exemptions for 'manifestly unfounded or excessive' requests and for 'protecting the rights and freedoms of others'. Examples given include:
  - Some controllers consider requests to be 'manifestly unfounded or excessive' because of their lack of precision, the suspected intentions of the data subject or the associated cost.
  - With respect to the exemption for 'protecting the rights and freedoms of others', some controllers rely on this too broadly, for example by refusing to provide video footage in its entirety on the basis that other individuals appear in it, while ignoring that those individuals could be blurred or pixelated, or deciding not to do so for cost reasons.
- The EDPB acknowledges that access requests can be both costly and time-consuming for controllers to handle properly, and that controllers may fear that granting access could expose their organisation to abuse or misuse. However, the EDPB reaffirms that the GDPR provides for very few limits to the right of access and that, importantly, the right of access is not subject to a proportionality assessment with respect to the effort required of the controller. In particular, the concepts of "manifestly unfounded or excessive" should be interpreted narrowly, as "the principles of transparency and cost free data subjects rights must not be undermined".
- The EDPB Report notes that controllers should be aware that where they restrict a data subject's right of access (e.g. by relying on an exemption), they must be able to demonstrate and explain their reasoning for doing so.
- The EDPB suggests that DPAs and the EDPB could develop guidance with examples of correct refusal practices and scenarios to help controllers understand the boundaries within which access requests can be fully or partially rejected.
- The EDPB suggests that the Guidelines on Access Requests be updated to reflect recent case law developments from the Court of Justice of the EU on the right of access.

Challenge: Specification of access requests
EDPB recommendations:
- The EDPB Report notes that several DPAs have found controllers, as their default position, asking requestors to further specify or narrow their access request. Some controllers do this without checking whether they actually process a large amount of personal data relating to the requestor or whether the scope of the particular request is unclear.
- The EDPB recommends that controllers assess each access request on a case-by-case basis to verify whether further specification is in fact needed.
- The EDPB Report recommends that controllers provide data subjects with self-service tools or the possibility to preselect one, several or all processing activities on which they would like to receive information.

Challenge: Additional information on the processing is not tailored to the access request
EDPB recommendations:
- As well as providing individuals with access to their personal data, Article 15 of the GDPR also requires the controller to provide additional information about the processing of their personal data, including the purposes of the processing, who the data is shared with and how long it is retained for. To satisfy this requirement, many controllers provide the data subject with their standard data protection notice as the means of providing the additional information.
- The EDPB Report found that controllers are not tailoring the additional information to the particular access request received and suggests that the practice of providing a data protection notice may be problematic at times. The EDPB Report states: "In particular, pre-existing documents should only be referred to after careful assessment of the specific access request. This is because, on the one hand, these documents often do not contain all information required under Art. 15 (1) and (2) GDPR. On the other hand, not all information provided in these documents may apply to the specific data subject, leaving them to guess which information applies to them specifically (e.g. how long exactly their data will be retained)." (emphasis added)
- The EDPB Report recommends that controllers handle access requests on a case-by-case basis and inform the specific data subject which personal data is processed for which purposes, as well as include the information listed in Art. 15 (1) and (2) GDPR, tailored to the specific data subject and access request.
What does this mean for controllers?
The EDPB Report on the right of access contains a plethora of
recommendations for controllers on the handling of access requests.
Controllers would be well advised to review their practices and
policies related to access requests and to consider updating these
to take account of the EDPB's recommendations. The EDPB Report
also recommends various updates to its Guidelines on Access
Requests, for which controllers should keep an eye out.
Given the EDPB's continued focus on compliance with data subject rights, which carries into this year with the CEF action on the right to erasure, we encourage clients to carefully assess their practices against their obligations in relation to data subject rights more generally.
Also contributed to by Isobel Murphy.
Footnote
[1] Cf. Guidelines 01/2022, para 54: "It should be noted that the controller is not obliged to act on a request sent to a random or incorrect e-mail (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subject's rights if the controller has provided an appropriate communication channel, that can be used by the data subject."