DATA PROTECTION
European Data Protection Board: the report on the CEF 2024 (Coordinated Enforcement Framework) on the state of implementation of the right of access by Data Controllers in the EU has been adopted.
The European Data Protection Board (EDPB) has adopted the report on the implementation of the right of access by controllers, which summarises the results of a series of coordinated national actions carried out in 2024 under the so-called CEF (Coordinated Enforcement Framework), a key action of the EDPB as part of its 2024-2027 strategy to streamline enforcement and cooperation between data protection authorities. During 2024, thirty data protection authorities across Europe launched coordinated investigations into controllers' compliance with the right of access, launching formal inquiries and requests for information from 1,185 controllers, consisting of small and medium-sized enterprises (SMEs), large companies active in different sectors and sectors, as well as various types of public bodies
The findings summarised in the report suggest that, while awareness of the importance of this right is widespread, there is a need for greater awareness of the Guidelines 1/2022 on the right of access that the EDPB has adopted. The EDPB has identified important areas of criticality regarding obstacles to the full implementation of the right of access: from the lack of documented internal procedures to manage access requests to inconsistent and excessive interpretations of the limits to the right of access; up to the obstacles often encountered by the data subjects due to formal requirements placed in the way by the holder (such as the request to provide an excessive number of identification documents). For each critical area, the report provides a list of non-binding recommendations to be taken into account by data controllers and data protection authorities.
Despite the existing challenges, two-thirds of the participating DPAs still assessed the level of compliance of the responding controllers with regard to the right of access from "medium" to "high". An important factor that impacted the level of compliance was the volume of access requests received by data controllers, as well as the size of the organization. More specifically, large controllers showed a higher level of compliance than small, low-resource organizations.
Positive results in terms of good practices have been observed in a number of EU states, such as the adoption of self-service systems that allow individuals to download their personal data themselves in just a few clicks and at any time.
The CEF 2025 (Coordinated Enforcement Framework) will cover the implementation of the right to erasure.
The findings summarised in the report suggest that, while awareness of the importance of this right is widespread, there is a need for greater awareness of the Guidelines 1/2022 on the right of access that the EDPB has adopted. The EDPB has identified important areas of criticality regarding obstacles to the full implementation of the right of access: from the lack of documented internal procedures to manage access requests to inconsistent and excessive interpretations of the limits to the right of access; up to the obstacles often encountered by the data subjects due to formal requirements placed in the way by the holder (such as the request to provide an excessive number of identification documents). For each critical area, the report provides a list of non-binding recommendations to be taken into account by data controllers and data protection authorities.
Despite the existing challenges, two-thirds of the participating DPAs still assessed the level of compliance of the responding controllers with regard to the right of access from "medium" to "high". An important factor that impacted the level of compliance was the volume of access requests received by data controllers, as well as the size of the organization. More specifically, large controllers showed a higher level of compliance than small, low-resource organizations.
Positive results in terms of good practices have been observed in a number of EU states, such as the adoption of self-service systems that allow individuals to download their personal data themselves in just a few clicks and at any time.
The CEF 2025 (Coordinated Enforcement Framework) will cover the implementation of the right to erasure.
