EDPB: Controllers Need Better Awareness of Data Access Request Guidelines
Data controllers need more awareness of European Data Protection Board (EDPB) guidelines on data subjects' right of access to their personal data, the board said Monday in a report.
It summarized several national investigations carried out last year under the coordinated enforcement framework (CEF), which the board created to help streamline enforcement and cooperation among data protection authorities (DPAs). In addition to detailing right of access issues, it offers recommendations.
The CEF identified several challenges, among them the lack of documented internal procedures for handling access requests, and inconsistent interpretations of the limits on the right of access, the EDPB said. For each challenge, the report made nonbinding recommendations to controllers and national DPAs.
On the positive side, the EDPB said, two-thirds of participating DPAs rated the compliance level of the roughly 1,185 responding controllers with regard to the right of access as "average" to "high." Two factors strongly affected compliance: the number of access requests a controller received and the size of the organization receiving them. Controllers working with large amounts of data or receiving many requests were more likely to be compliant, the report said.
This year's CEF action will focus on how well DPAs are enforcing people's right to erase their data, the board said.
In connection with the EDPB report, the European Data Protection Supervisor (EDPS) on Monday issued findings on how well EU institutions, bodies, agencies and offices (EUIs) are handling data access requests. The report noted that EUIs receive a limited volume of requests, with most receiving between 0 and 25 requests annually, a situation that might be partly due to self-service tools that allow individuals, including EUI staffers, to download their own personal data.
One challenge, the EDPS found, is that many EUIs lack centralized systems for managing access requests, leading to potential inconsistencies and difficulties in showing compliance during audits. In addition, some EUIs face obstacles in distinguishing access requests from other kinds of inquiries, such as for public access to documents or complaints.
Another concern, the EDPS said, is that the need to verify an access requester's identity sometimes results in excessive or unnecessary processing of personal data, including sensitive information. Last, the report said, challenges arise from having to provide copies of personal data while balancing that obligation against the rights of other people whose data may appear in those copies.