Coordinated Enforcement Action: the right of access to personal data
The EDPS is participating in the European Data Protection Board’s (EDPB) Coordinated Enforcement Action on how individuals’ right of access is addressed specifically in the EU institutions, bodies, offices and agencies (EUIs), alongside the other 27 Data Protection Authorities (DPAs) across the European Economic Area (EEA).
The right of access lies at the heart of data protection, allowing individuals to check whether their personal data is processed in a compliant manner by organisations or EUIs, often enabling the exercise of their other rights, such as the right to rectification or erasure of data. Thus, it is one of the most frequently exercised data protection rights, and for which DPAs receive many complaints each year.
Wojciech Wiewiórowski, EDPS, said: “I am proud of the EDPS’ active participation in the third coordinated enforcement action pursued in the context of the EDPB. Individuals should have the right to access what personal data is stored about them and for what purpose. This right lies at the root of what data protection and privacy mean in the EU, and, as such, must be correctly ensured and guaranteed”.
In this Coordinated Enforcement Action, the EDPS will focus on EUIs’ compliance with the right of access under the applicable data protection law, Regulation (EU) 2018/1725. The EDPS will check the complaints made by individuals against EUIs on their right of access that it receives, and how EUIs comply with the right of access in practice, for example.
Upon completing its review, the EDPS will summarise its findings, drawing conclusions on the best and worst practices identified, as well as areas for improvement. Subsequently, the results of this joint action will be analysed in a coordinated manner with the other DPAs of the EU/EEA to decide on possible follow-up supervision and enforcement actions. The EDPB will publish a report on the outcome of this analysis, once the coordinated enforcement action is concluded.
This third coordinated enforcement action, in which the EDPS participates, is part of the EDPB’s Coordinated Enforcement Framework (CEF) that aims to streamline enforcement and cooperation amongst DPAs. Previous coordinated actions looked into the use of cloud services by the public sector, in 2022, and the role and responsibilities of Data Protection Officers, in 2023.
Background information
The rules for data protection in the EU institutions, bodies, offices and agencies, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
About the right of access: The right of access is the right for any data subject to obtain from the controller of a processing operation the confirmation that data related to him/her are being processed, the purpose(s) for which they are processed, as well as the logic involved in any automated decision process concerning him or her. This right also allows the data subject to receive communication in an intelligible form of the data undergoing processing and of information regarding the processing. This right can be exercised without unnecessary constraints, at any time, and is free of charge. The data controller must respond to a data subject's request for access to their personal data without undue delay and in any event within 1 month from the receipt of the request (which may be extended by 2 further months where necessary).
See Articles 17 and 14 of Regulation (EU) 2018/1725. More information to help organisations respond to individuals’ requests for access to their personal data in line with the GDPR can also be found in the EDPB Guidelines 01/2022 on data subject rights - Right of access. These guidelines of the European Data Protection Board also provide a useful guide for EUIs when responding to individuals’ requests for personal data they process under Regulation (EU) 2018/1725.
About complaints to the EDPS: The EDPS investigates complaints from individuals about the processing of their personal data carried out by EUIs. More information on the right to complain to the EDPS and the EDPS’ complaint handling process can be found on the EDPS Website under the Complaints page.