The European Data Protection Board (“EDPB”) has chosen data subject access rights as its topic for “coordinated enforcement action” in 2024 and announced the launch of its activities on 28 February 2024.
The EDPB is an independent body composed of the heads of the national data protection authorities of EEA countries, tasked with ensuring that the EU’s flagship data protection law – the GDPR – is applied consistently and ensuring cooperation, including on enforcement, in the EEA. Every year, it prioritises a certain topic for the data protection authorities to work on at a national level. The results of these national actions are then submitted and analysed, generating deeper insight into the topic and allowing for targeted follow-up at both the national and the EU level.
Under the GDPR, individuals have the right to access and receive a copy of their personal data, as well as other supplementary information (such as where the organisation holding their personal data got it from, what it’s being used for and who it’s being shared with). The right is available to all data subjects, from potential, current and former employees to potential, current and former customers. The EDPB has selected access rights as its 2024 topic because the right of access is at the heart of data protection and is one of the most frequently exercised data protection rights, and one about which data protection authorities receive many complaints.
In 2023, the EDPB adopted Guidelines on data subject rights - Right of access. Organisations should keep in mind that the UK has a separate data protection regime and the UK Information Commissioner also published guidance on data subject access rights in the context of employment relationships last year. This is in addition to the UK Information Commissioner’s more general guidance on the right of access.
According to the EDPB, to gauge how organisations are complying with the right of access in practice, participating data protection authorities will implement the coordinated enforcement framework in a number of ways:
As such, organisations subject to the GDPR (particularly those who receive significant numbers of access requests) are advised to look at their access right procedures and training to ensure that they are delivering compliance in this area.