News

European Data Protection Board: Updated guidelines on the right of access

24.04.2023

The updated Guidelines of the European Data Protection Board (EDPB) on the right of access make it necessary for companies to review their internal processes and documentation on data protection in order to avoid fines and claims for damages for failing to provide sufficient access.

Background: Extensive obligation to provide access under the GDPR

The European General Data Protection Regulation (GDPR) requires companies to provide data subjects with information on personal data relating to them without delay upon request – usually within one month at the latest. Firstly, this includes confirming whether the company processes personal data of the person requesting information at all. If this is the case, information on these data must be provided in the form of a copy of the personal data. In addition, certain information about the processing of the data and about the rights of the data subject must be provided.

Strict requirements for the provision of access

In February 2022, the European Data Protection Board published new guidelines on the right of access under the GDPR for public consultation. In these guidelines, the supervisory authorities imposed strict requirements for the provision of access under data protection law.

Following the conclusion of the consultation process, the EDPB recently published an updated version of its guidelines. As expected, the new version does not contain any groundbreaking changes compared to the consultation version. Apart from some editorial corrections, the adjustments focus essentially on clarifying selected points and provide a few additional case examples. Thus, the supervisory authorities are adhering to their strict approach.

Unsurprisingly, in the updated version of its guidelines, the EDPB also addresses in particular the judgment of the European Court of Justice (ECJ) of 12 January 2023. The judgment confirms the strict view already taken by the supervisory authorities in the consultation version of their guidelines that data controllers must, in principle, name all specific data recipients when providing access.

Review of internal processes and documentation of data protection in companies

According to the view of the EDPB expressed in its guidelines, companies must proactively prepare for access requests and, if necessary, create appropriate internal processes for this purpose so that they are able to properly provide access and do so without delay and, as a rule, within one month at most.

In light of the updated EDPB guidelines, companies should therefore carefully review and, if necessary, optimise their internal processes and documentation on data protection. In particular, internal policies for handling requests under data privacy law (data subject access requests) and templates for responding to access requests should be revised in order to be prepared for such requests.

Private enforcement ‒ damages claims by data subjects

Violations of the obligation to provide access can lead to the exercise of a range of powers by the supervisory authorities or the imposition of major fines. For example, the Hessian Data Protection Authority has imposed fines in the mid ten-thousands for breaches of the obligation to provide access.

The strict requirements of the supervisory authorities, however, also further encourage private enforcement in data protection law. Companies are increasingly confronted with claims for non-material damages due to breaches of access obligations. It is worth noting in this context that there is an increasing tendency among German courts to render plaintiff-friendly rulings. For example, the Oldenburg Labour Court recently awarded non-material damages in the amount of €10,000 for violations of the right of access. The Düsseldorf Labour Court awarded non-material damages in the amount of €5,000 for a delay in providing access, while the Hamm Regional Labour Court awarded non-material damages in the amount of €1,000.

You can find a detailed overview of the case law of German courts on damages for data protection breaches in our Noerr GDPR Damages Tracker.

Contact

Sebastian Dienst
Sebastian Dienst+49 89 28628457
Paul Vogel
Paul Vogel+49 89 28628542

Data Privacy

Share

Show all

Insights

hand touching led wall screen
News

Data Compliance Governance

16.04.2024
compass with pulse
News

Data Act – Scope, Impact, Implementation

16.04.2024
LED field Data Protection Litigation
News

Update on the Data Governance Act

12.03.2024
street view with pulse
News

European data protection authorities start coordinated investigation into right of access

11.03.2024
library
News

Judgment of the Cologne Administrative Court of 17 November 2023 – BNetzA Acted Unlawfully by Naming Company in Press Release

01.03.2024
compass with pulse
News

Data privacy pitfall: Cookie banners must allow a genuine choice

26.02.2024
coloured purple and yellow led screen
News

European Data Law

02.02.2024
Künstliche Intelligenz
News

Final text of the European AI Act – What companies and public institutions that want to use AI systems need to be prepared for

25.01.2024
hand touching led wall screen
News

Digital Markets Act

17.01.2024