
EDPB Adopts Report on GDPR Right of Access Following 2024 Coordinated Enforcement Action

On January 20, 2025, the European Data Protection Board (EDPB) adopted a report on the implementation of the right of access by controllers under the GDPR (the Report). The right of access was the subject of the EDPB’s third coordinated enforcement action in 2024, carried out under its Coordinated Enforcement Framework (CEF), which involved 1,185 controllers of varying sizes, industries, and sectors. The Report provides useful recommendations for controllers on how to comply with access requests, including guidance on how long access request documentation should be retained, the importance of maintaining internal documentation, and how to avoid a ‘one size fits all’ approach. The Report emphasizes that access requests should be handled on a case-by-case basis, considering the broad scope of the right and the limited exemptions.
What is a CEF?
A CEF action is a priority topic which EU data protection authorities (DPAs) work on at a national level over the course of a year. They send questionnaires to a sample of companies and compile the results into an EU-wide report, which identifies trends, challenges, and best practices in the area. The report can then inform further actions by the DPAs at both national and EU levels.
Key Findings and Recommendations for Controllers
The Report assesses compliance with the GDPR’s right of access (Article 15 GDPR), in particular how well controllers align with the EDPB’s Guidelines 01/2022 on data subject rights – right of access (the Guidelines) and highlights seven key “challenges” that controllers should address when reviewing their access rights procedures. Key points include:
- Scope of Access
- Findings: the Report reaffirms that the right of access can cover a wide range of information and formats and finds that controllers often limit their search and disclosure too narrowly, e.g., by excluding pseudonymised data or internal communications, and by searching only certain databases or file types.
- Recommendations: the Report recommends that controllers pre-assess which types of information contain personal data and where that personal data is stored. The EDPB suggests documenting this in the Article 30 Record of Processing Activities (ROPA).
- Retention Periods
- Findings: the Report notes that controllers have inconsistent and unclear practices on how long they keep data related to access requests, and that some keep them indefinitely or along with other data subject to different retention periods (e.g., in a customer file).
- Recommendations: the EDPB reminds controllers that the GDPR does not specify retention periods, and that they should balance data minimization principles and the right of access (e.g., in case of audits or disputes). The EDPB indicates controllers should set and justify a retention period for access request data and store them separately from other data.
- Internal Procedures
- Findings: the Report observes that controllers often lack internal documentation on how to handle access requests, which can increase the risk of infringing data subject rights.
- Recommendations: the Report suggests, for example, training employees and the active/ongoing review and improvement of procedures.
- Barriers to the facilitation of the right of access
- Findings: the Report identifies some barriers that can prevent data subjects from exercising their right, such as requiring a specific mechanism (e.g., a web form) to make a request, routinely asking for additional information (e.g., to verify identity), and not considering accessibility needs (e.g., verbal responses).
- Recommendations: the Report reminds controllers there is no correct or standard way to respond to an access request, and that they should adapt to each case. The EDPB indicates controllers should be prepared to respond to requests from any channel, and explain the need to ask for more information to verify identity.
- Interpreting the limits to the right of access
- Findings: the Report finds that controllers often rely too broadly on the exemptions for “manifestly unfounded or excessive” requests and for protecting the “rights and freedoms of others.” For example, controllers may consider requests unfounded or excessive based on their lack of precision, their cost, or the data subject’s (suspected) motives, or they may either withhold all third-party data or disclose all of it, without considering the need for redaction or consent.
- Recommendations: the EDPB reiterates that the right of access has very few limits under the GDPR. The EDPB acknowledges the burden of access requests on controllers but suggests other ways to ease this, such as having well-structured procedures, data maps and ROPAs, training staff, and using tools where possible. The Report reminds controllers to explain their reasoning when relying on an exemption.
- Specification of access requests
- Findings: controllers often (by default) ask data subjects to specify or narrow their request, without meeting the criteria to do so (e.g., because they process a large amount of personal data or because they are unclear about the request).
- Recommendations: the Report emphasizes that each access request should be dealt with on a case-by-case basis and controllers should verify when further specification is needed.
- Provision of information to data subjects
- Findings: controllers often do not tailor to the specific request the additional information that must accompany the personal data (such as purposes, recipients, and retention periods), and instead refer to their privacy policy or a pre-defined list of information. The Report also notes that controllers usually only provide categories of recipients rather than the individual recipients, unless asked, and that stated retention periods are often too general and do not distinguish between processing activities or data categories.
- Recommendations: the EDPB Report serves as a reminder to tailor responses on a case-by-case basis.
Importantly, the Report also highlights many positive findings, with two thirds of participating DPAs rating the level of compliance by controllers as ‘average’ to ‘high’. The Report also acknowledges that a controller’s size and resources have an impact on compliance.
Updates to the EDPB’s Guidelines and Other DPA Guidance
The Report makes several suggestions for raising awareness and updating the Guidelines, as well as recommendations for national DPAs to update their own guidance. For example, the Report suggests national DPAs should provide guidance on “uniform and meaningful” criteria for determining retention periods. It also recommends the EDPB update its Guidelines to address best practice for documenting compliance, including detailed internal procedures, or the adoption of a Code of Conduct promoted by EU DPAs.
Next Steps
Most controllers have experience with responding to access requests, and the Report should provide helpful guidance, including on how to operationalize the Guidelines. The Report also signals that the right of access is now a priority for EU DPAs. Following the 2024 CEF action’s focus on data subject rights, the EDPB has confirmed that the fourth CEF action, for 2025, will focus on the right to erasure.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.