The European Data Protection Board (EDPB) has adopted a Report on the implementation of the right of access of data subjects. The report summarises the outcome of a series of coordinated national measures implemented in 2024 under the Coordinated Enforcement Framework (CEF). It sets out issues identified at some controllers, together with a number of recommendations to help them implement the right of access. A central element of this initiative is to assess how aware controllers are of the EDPB Guidelines 01/2022 on data subjects’ rights – Right of access, and whether they have applied these guidelines in practice.
Vice-Chair of the European Data Protection Board, Zdravko Vukić, said: “The coordinated enforcement action is a valuable initiative that helps to strengthen cooperation between data protection authorities: by addressing selected topics in a coordinated manner, greater efficiency and consistency are achieved. The way in which controllers implement the right of access is at the heart of data protection and is one of the most frequently exercised rights of data subjects.”
The EDPB coordinated action also involved the Personal Data Protection Agency. Based on the insights gained from the research, the Agency will conduct an awareness and knowledge campaign among data controllers in 2025 on how to facilitate data subjects’ exercise of their key right. The right of access is the foundation of transparency and enables individuals to obtain information about how their personal data is processed, by whom and for what purposes.
The Agency also notes that data subjects are often unaware of this right, namely that they have the right to request from any organization processing their personal data all the information referred to in Article 15(1) of the General Data Protection Regulation, as well as a copy of their personal data.
The Agency invites all citizens to inform themselves about their rights: https://azop.hr/prava-ispitanika/, https://azop.hr/wp-content/uploads/2021/11/Gradani-upoznajte-svoja-prava-8.pdf. Without citizens who know their rights and actively work to realize and protect them, the regulation of fundamental rights will not by itself ensure a free, safe and advanced society at a time when technology is accelerating social change and steering it in a completely new direction.
The Agency particularly calls on all data controllers to inform themselves about their obligations: https://arc-rec-project.eu/wp-content/uploads/2021/03/Pravo-ispitanika-na-pristup-osobnim-podacima.pdf; https://www.edpb.europa.eu/system/files/2024-04/edpb_guidelines_202201_data_subject_rights_access_v2_hr.pdf
It is important to note that, pursuant to Article 15, the data subject has the right to obtain from the controller confirmation as to whether personal data relating to him or her are being processed and, if such personal data are being processed, access to the personal data and the following information:
(a) the purpose of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) if possible, the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning the data subject or the right to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) if personal data is not collected from the data subject, any available information about its source;
(h) the existence of automated decision-making, which includes the creation of profiles referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
If the data subject requests a copy of his or her personal data from the controller, the controller shall provide the data subject with a copy of his or her personal data free of charge. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic format.
During 2024, 30 data protection authorities across Europe examined the compliance of controllers with the right of access in a coordinated manner, by launching formal investigations, assessing the justification for a formal investigation and/or carrying out fact-finding procedures. A total of 1,185 controllers (SMEs, large companies active in different industries and sectors, and public authorities) participated in the coordinated enforcement action.
Areas for improvement and main challenges
The results suggest that controllers need to be better informed about the Guidelines 01/2022 on the right of access, both at national and EU level, as the guidelines assist controllers in implementing the right of access, explain how the exercise of this right can be facilitated, and list exceptions and limitations to the right of access.
As a result of the CEF’s work for 2024, seven challenges were identified. One of them is the lack of documented internal procedures for handling access requests. In addition, inconsistent and excessive interpretations of the limitations of the right of access were also observed, such as over-reliance on certain exceptions to automatically refuse access requests. Other examples are the obstacles that individuals might encounter in exercising their right of access, such as formal requests or the requirement to provide excessive personal data (e.g. copies of ID cards). For each challenge identified, the report provides a list of non-binding recommendations that controllers and data protection authorities should take into account.
Positive findings
Despite the challenges, two thirds of the data protection authorities involved rated the level of compliance of the responding controllers with regard to the right of access as ‘average’ to ‘high’. An important factor found to influence the level of compliance was the volume of access requests received by the controllers, as well as the size of the organisation. More specifically, large controllers or controllers receiving more requests are more likely to achieve a higher level of compliance than small organisations with fewer resources.
Positive results have been observed across Europe. This includes the implementation of best practices by data controllers, such as user-friendly online forms that allow individuals to easily submit access requests, as well as self-service systems that allow individuals to independently retrieve their personal data in a few clicks and at any time.
Context and next steps
The CEF is a key measure of the European Data Protection Board as part of its 2024-2027 strategy, which aims to streamline enforcement and cooperation between data protection authorities.
The results of these national measures are consolidated and analyzed together in order to gain a better insight into the topic and enable targeted monitoring at the national and EU level.
In 2023, the European Data Protection Board published a report on its first coordinated action on the use of cloud services in the public sector. In 2024, the EDPB also published a report on the outcome of a second coordinated action on the appointment and position of data protection officers.
The EDPB’s coordinated enforcement action for 2025 will focus on the implementation of the right to erasure.