As part of a coordinated action at European level, the CNIL carried out a series of checks on public and private bodies in 2024 to verify that the right of access was being taken into account. It took repressive measures against bodies that only partially responded to the persons concerned.
For the third edition of the coordinated enforcement framework (CEF) of the European Data Protection Board (EDPB), the CNIL and several of its European counterparts have assessed the implementation of the right of access of individuals to their personal data by organizations.
As a reminder, data controllers are required to respond to requests for the right of access from individuals. This response must contain a certain amount of information (Article 15 of the GDPR).
Incomplete responses to access requests
As part of this action, the CNIL carried out on-site inspections at 11 public and private bodies, of various sizes and sectors of activity. These bodies were chosen in particular on the basis of complaints received by the CNIL.
These investigations show that these organisations have mostly implemented organisational measures to process the requests for access rights that they receive (for example the appointment of a data protection officer).
However, these measures are sometimes insufficient and unsatisfactory. For example, when data subjects exercise their right of access to all of their data, some organisations provide only a partial or incomplete response:
- Some organizations respond by providing only information relating to the processing of personal data implemented, without including a copy of the data processed;
- Conversely, other organisations only provide a copy of the data processed, without providing information on the processing carried out;
- Finally, other organizations systematically exclude certain processing or certain categories of personal data from their responses.
The guidelines on the right of access adopted by the EDPB in 2023 are rarely taken into account by the inspected organisations, and are sometimes unknown to them. However, these guidelines provide numerous tips and practical examples aimed at helping organisations to respond to requests for the right of access from data subjects in accordance with applicable law. They illustrate, for example, the conditions under which data controllers may request clarification from the person exercising their right in order to satisfy their request.
The CNIL has also published a practical sheet reminding professionals of their obligations and the information to be transmitted when a person requests it.
The CNIL’s repressive measures
As part of this coordinated action and following the checks carried out, the CNIL has already issued several reminders of legal obligations.
The CNIL is continuing to investigate the other checks it has carried out: depending on the case, it may either issue other corrective measures (reminder of legal obligations, formal notice or fine), or close the procedures in the absence of a breach of the applicable rules.