The EDPB’s focus on GDPR data subject access rights in 2024

Written By

Louise Hutt

Associate
UK

I am an associate in our Privacy and Data Protection Group in London and advise clients in a variety of sectors on UK and EU data protection and marketing rules, particularly in the financial services sector.

Sanjana Sura

Legal Director
UK

I am a Legal Director in our Privacy & Data Protection Group in London with over 11 years' experience in the data protection and privacy space.

The European Data Protection Board (“EDPB”) has chosen data subject access rights as its topic for “coordinated enforcement action” in 2024 and announced the launch of its activities on 28 February 2024.

The EDPB is an independent body composed of the heads of the national data protection authorities of EEA countries, tasked with ensuring that the EU’s flagship data protection law – the GDPR – is applied consistently and ensuring cooperation, including on enforcement, in the EEA. Every year, it prioritises a certain topic for the data protection authorities to work on at a national level. The results of these national actions are then submitted and analysed, generating deeper insight into the topic and allowing for targeted follow-up at both the national and the EU level.

Under the GDPR, individuals have the right to access and receive a copy of their personal data, as well as other supplementary information (such as where the organisation holding their personal data got it from, what it’s being used for and who it’s being shared with). The right is available to all data subjects, from potential, current and former employees to potential, current and former customers. The EDPB has selected access rights as its 2024 topic because the right of access is at the heart of data protection and is one of the most frequently exercised data protection rights, and one about which data protection authorities receive many complaints.

In 2023, the EDPB adopted Guidelines on data subject rights - Right of access. Organisations should keep in mind that the UK has a separate data protection regime and the UK Information Commissioner also published guidance on data subject access rights in the context of employment relationships last year. This is in addition to the UK Information Commissioner’s more general guidance on the right of access.

According to the EDPB, to gauge how organisations are complying with the right of access in practice, participating data protection authorities will implement the coordinated enforcement framework in a number of ways:

  • organisations will be sent questionnaires to aid fact-finding exercises or to identify if a formal investigation is warranted;
  • commencement of a formal investigation; and/or
  • follow-up of ongoing formal investigations.

As such, organisations subject to the GDPR (particularly those who receive significant numbers of access requests) are advised to look at their access right procedures and training to ensure that they are delivering compliance in this area. 
