On January 20, 2025, the European Data Protection Board (EDPB) adopted a report on the implementation of the right of access by controllers under the GDPR (the Report). The right of access was the subject of the EDPB's third coordinated enforcement action (CEF) in 2024, which involved 1,185 controllers of various sizes, industries, and sectors. The Report offers useful recommendations for controllers on how to comply with access requests, including guidance on how long access request documentation should be retained, the importance of maintaining internal documentation, and how to avoid a 'one size fits all' approach. The Report emphasizes that access requests should be handled on a case-by-case basis, considering the broad scope of the right and the limited exemptions.
What is a CEF?
A CEF is a priority topic which EU data protection authorities (DPAs) work on at a national level over the course of a year. They send questionnaires to a sample of companies and compile the results into an EU-wide report, which identifies trends, challenges, and best practices in the area. The report can then inform further actions by the DPAs at both national and EU levels.
Key Findings and Recommendations for Controllers
The Report assesses compliance with the GDPR's right of access (Article 15 GDPR), specifically how well controllers align with the EDPB's Guidelines 01/2022 on data subject rights – right of access (the Guidelines), and highlights seven key "challenges" that controllers should address when reviewing their access rights procedures. Key points include:
- Scope of Access
  - Findings: the Report reaffirms that the right of access can cover a wide range of information and formats, and finds that controllers often limit their search and disclosure too narrowly, e.g., by excluding pseudonymised data or internal communications, and by searching only certain databases or file types.
  - Recommendations: the Report recommends controllers pre-assess which types of information contain personal data and where personal data is stored. The EDPB suggests documenting this in the Article 30 Record of Processing Activities (ROPA).
- Retention Periods
  - Findings: the Report notes that controllers have inconsistent and unclear practices on how long they keep data related to access requests, and that some keep them indefinitely or together with other data subject to different retention periods (e.g., in a customer file).
  - Recommendations: the EDPB reminds controllers that the GDPR does not specify retention periods, and that they should balance data minimization principles and the right of access (e.g., in case of audits or disputes). The EDPB indicates controllers should set and justify a retention period for access request data and store them separately from other data.
- Internal Procedures
  - Findings: the Report observes that controllers often lack internal documentation on how to handle access requests, which can increase the risk of infringing data subject rights.
  - Recommendations: the Report suggests, for example, training staff and the active/ongoing review and improvement of procedures.
- Barriers to the facilitation of the right of access
  - Findings: the Report identifies some barriers that can prevent data subjects from exercising their right, such as requiring a specific mechanism (e.g., an online form) to make a request, routinely asking for additional information (i.e., to verify identity), and not considering accessibility needs (e.g., verbal responses).
  - Recommendations: the Report reminds controllers that there is no single correct or standard way to respond to an access request, and that they should adapt to each case. The EDPB indicates controllers should be prepared to respond to requests from any channel, and should explain the need when asking for more information to verify identity.
- Interpreting the limits to the right of access
  - Findings: the Report finds that controllers often rely too broadly on the exemptions for "manifestly unfounded or excessive" requests and for protecting the "rights and freedoms of others." For example, controllers may consider requests unfounded or excessive based on their lack of precision, cost, or (suspected) motives, or they may refuse or disclose all third-party data without considering the need for redaction or consent.
  - Recommendations: the EDPB reiterates that the right of access has very few limits under the GDPR. The EDPB acknowledges the burden of access requests on controllers but suggests other ways to ease this, such as having well-structured procedures, data maps and ROPAs, training staff, and using tools where possible. The Report reminds controllers to explain their reasoning when relying on an exemption.
- Specification of access requests
  - Findings: controllers often (by default) ask data subjects to specify or narrow their request without meeting the criteria to do so (e.g., because they process a large amount of personal data or because they are unclear about the request).
  - Recommendations: the Report emphasizes that each access request should be treated on a case-by-case basis, and controllers should verify when further specification is actually required.
- Provision of information to data subjects
  - Findings: controllers often do not tailor to the specific request the additional information that they must provide along with the personal data, and instead refer to their privacy policy or a pre-defined list of information. The Report also notes that controllers frequently only provide categories of recipients and not individual recipients, unless requested, and that retention periods are often too general and do not distinguish between processing activities or data categories.
  - Recommendations: the EDPB Report serves as a reminder to tailor responses on a case-by-case basis.
Importantly, the Report also highlights many positive findings, with two thirds of participating DPAs rating the level of compliance by controllers as 'average' to 'high'. The Report also acknowledges that size and resources affect compliance.
Updates to the EDPB's Guidelines and Other DPA Guidance
The Report makes a number of suggestions for raising awareness and updating the Guidelines, as well as recommendations for national DPAs to update their own guidance. For example, the Report suggests national DPAs should provide guidance on "uniform and meaningful" criteria for determining retention periods. It also recommends the EDPB update its Guidelines to address best practice for documenting compliance, including detailed internal procedures, or the adoption of a Code of Conduct promoted by EU DPAs.
Next Steps
Most controllers have experience with responding to access requests, and the Report should provide helpful guidance, including on how to operationalize the Guidelines. The Report also signals that the right of access is now a priority for EU DPAs. Following the 2024 CEF's focus on data subject rights, the EDPB has confirmed that the fourth CEF, for 2025, will focus on the right to erasure.