Insights Data subject’s right of access: European data protection authorities launch coordinated enforcement


On 28 February, the European Data Protection Board (“EDPB”), an independent body tasked with ensuring consistent application of the GDPR comprising the heads of the national data protection supervisory authorities (“SAs”), launched its Coordinated Enforcement Framework (“CEF”) action for 2024. The CEF provides a framework for coordinated SA action on a topic within the scope of the GDPR, to be defined each year, which may include awareness raising, information gathering, enforcement sweeps and joint investigations where appropriate. For more background on the CEF, please refer to Wiggin’s previous report.

This is the third coordinated enforcement action and will focus on the right of access by data subjects (the two previous actions focused on public sector cloud services and data protection officers). The right of access enables individuals to check whether their personal data is being processed in a compliant manner and can enable the exercise of other rights such as to the right of rectification and erasure. The right of access is, according to the EDPB, one of the most frequently accessed data protection rights and one on which the SAs receive many complaints.

Throughout 2024, the SAs will implement the CEF at national level by sending questionnaires to organisations to identify if formal investigation is warranted, commence formal investigations or follow up on ongoing formal investigations. The results will be collated and analysed to determine whether further supervision and enforcement is needed, and whether there is a need for targeted follow-up at EU level. The EDPB will publish a report on the outcome of its analysis once the actions are concluded.

The European Data Protection Supervisor (“EDPS”), which monitors compliance with data protection laws by the EU institutions, bodies, offices and agencies (“EUIs”) under Regulation (EU) 2018/1725, will also participate in the CEF action, focusing on EUIs’ compliance with the right of access under that Regulation, and its findings will feed into the EDPB’s final report.

Organisations with establishments in the EU may potentially be targeted by the action. The EDPB’s 2022 guidelines on data subject rights of access under GDPR are available here.

For more information, click here and here.