News

European Data Protection Board: New guidelines on the right of access

21.02.2022

New guidelines from the European Data Protection Board on the right of access require companies to review internal processes and documentation on data protection in order to avoid fines and claims for damages due to insufficient access.

Strict requirements for the provision of access

The European Data Protection Board (EDPB) has recently published new guidelines on the right of access under the General Data Protection Regulation (GDPR) for public consultation.

In their new guidelines, the supervisory authorities formulate strict requirements for the provision of access under data protection law. Above all, the guidelines reaffirm the strict line already taken by the majority of supervisory authorities, which requires companies to provide a copy of all personal data, even if this entails an enormous effort for the company concerned. Selective and individually justified restrictions on such a copy are admissible only in exceptional cases. In addition to names, addresses and contact details, the right of access covers a wide range of other data, such as medical findings, purchase histories, credit scores or activity logs. Copies of data that are not comprehensible in themselves (such as code or “raw data”) also have to be explained to the person requesting access in a comprehensible manner.

In order to be in a position to properly provide information without delay and usually within one month at the latest, companies must proactively prepare for requests for information and, if necessary, create appropriate internal processes, according to the EDPB.

Private enforcement – Claims for damages by data subjects

Breaches of the duty to provide access are subject to official measures and severe fines. For example, according to its Activity Report for 2020 (available in German only), the Hesse Data Protection Authority has punished breaches of these duties with fines in the mid five-digit range.

The strict requirements of the supervisory authorities are also likely to further encourage the current trends in private enforcement in data protection law. Due to the strict official requirements for the provision of access, it seems likely companies will be confronted with more and more claims for damages for breaches of the duty to provide access, including mass proceedings.

Recent court decisions indicate that Germany is increasingly becoming a claimant-friendly jurisdiction when it comes to alleged data protection breaches. For example, Hamm Regional Labour Court (Landesarbeitsgericht) recently awarded non-material damages of €1,000 for breaches of the duty to provide access. Dusseldorf Labour Court (Arbeitsgericht) even awarded non-material damages of €5,000 for late provision of access. This trend is likely to encourage more and more people to also file claims for damages for breaches of the duty to provide access.

Reviewing internal processes and documentation on data protection in the company

In light of the new EDPB guidelines, we recommend that businesses carefully review and, if necessary, adapt their internal processes and documentation for data protection. In particular, in order to be prepared for access requests, companies are advised to check their guidelines for handling data protection requests and templates for providing access.

The EDPB is currently seeking feedback on its new guidelines in the public consultation process until 11 March 2022. Whilst it cannot be ruled out that based on the feedback received the EDPB might still make certain changes to its guidelines, experience shows that such changes are likely to be mere clarifications rather than fundamental modifications. We therefore recommend that companies already now observe the requirements formulated by the EDPB, especially since the published version of the guidelines reflects the joint position of the European supervisory authorities.

Data protection litigation

Current developments also make it increasingly important for companies to deal with the challenges, opportunities and risks of data protection litigation at an early stage and in a strategic manner. Data protection law represents both the focus and the crucial link to other areas of law, in particular the relevant procedural and litigation laws. Seamless coordination of data protection and litigation expertise is essential when it comes to defending against mass actions under civil law. With our outstanding experience in handling mass litigation, our well-coordinated teams of recognised data protection and litigation experts are able to support you from a single point of contact. 

Contact

Daniel Rücker
Daniel Rücker+49 89 28628457
Sebastian Dienst
Sebastian Dienst+49 89 28628457

Data Privacy
Class & Mass Action Defense
Digital Business
Data Protection Litigation

Share

Show all

Insights

hand touching led wall screen
News

Data Compliance Governance

16.04.2024
compass with pulse
News

Data Act – Scope, Impact, Implementation

16.04.2024
coloured purple and yellow led screen
News

Berliner Sparkasse succeeds with Noerr in model declaratory proceedings

05.04.2024
telescopes with pulse
News

Digital Markets Act: European Commission opens investigations against Alphabet, Apple and Meta

28.03.2024
LED field Data Protection Litigation
News

Update on the Data Governance Act

12.03.2024
street view with pulse
News

European data protection authorities start coordinated investigation into right of access

11.03.2024
EU Flag with Pulse
News

Digital consumer protection: current case law and European legislation

04.03.2024
container storage port
News

Update Commercial 2024

01.03.2024
library
News

Judgment of the Cologne Administrative Court of 17 November 2023 – BNetzA Acted Unlawfully by Naming Company in Press Release

01.03.2024