---

EDPB finds barriers to rights of access to data

A report from the European Data Protection Board (EDPB) has found that some organisations lack documented internal procedures for dealing with requests for access to personal data.

The issue is one of seven identified by an EDPB review of how data controllers across Europe are dealing with such requests.

As part of the review, 30 data-protection authorities last year launched co-ordinated investigations into how controllers were complying with the right of access.

The review covered 1,185 controllers, from small and medium-sized enterprises (SMEs) to big companies active in different industries and fields, as well as a range of public bodies.

Awareness

The EDPB said that the results suggested that more awareness of its 2022 guidelines on the issue was needed.

The review also found “inconsistent and excessive interpretations” of the limits to the right of access, such as overly relying on certain exceptions to automatically refuse access requests.

It also identified barriers that individuals could face when exercising their right of access, such as formal requirements or being requested to provide excessive identification documents.

Larger bodies more compliant

Despite these issues, two-thirds of national authorities ranked the level of compliance of responding controllers as ‘average’ to ‘high’.

The review also found that large-sized controllers or controllers receiving more requests were more likely to reach a higher level of compliance than small organisations with fewer resources.

The report provides a list of non-binding recommendations on the right of access for data controllers and watchdogs.