Insights European Data Protection Board adopts final versions of three sets of Guidelines


Following consultation, the EDPB has now adopted a final version of its Guidelines on data subject rights – Right of access. The Guidelines analyse the various aspects of the right of access and provide more precise guidance on how the right should be implemented in different situations. The Guidelines also provide clarifications on the scope of the right, the information the controller must provide to the data subject, the format of the access request, the main ways of providing access, and the notion of manifestly unfounded or excessive requests.

In addition, the EDPB has adopted final versions of its updated Guidelines on identifying a controller’s or processor’s lead supervisory authority and its updated Guidelines on data breach notification, following targeted consultations on both.

The new version of the Guidelines on data breach notification clarifies that the notification shall be the responsibility of the controller. During the consultation, some stakeholders also raised concerns over operational issues when a personal data breach needs to be notified to multiple data protection authorities (DPAs). The EDPB says that the targeted update simply aligned the text of the Guidelines with the text of the GDPR, which does not provide for one-stop-shop for controllers not established within EEA. Nevertheless, the EDPB says that it will publish a contact list for data breach notification with relevant links and accepted languages for all EEA DPAs on its website soon. This will make it easier for controllers to identify the relevant DPA contacts and requirements. To read the EDPB’s press release in full, click here.