Coordinated Enforcement Action: ŷޱͶע findings highlight challenges on right of access to personal data
ŷޱͶע(ŷޱͶע) has released today its findings on the enforcement of individuals’ right of access to their personal data when processed by EU institutions, bodies, offices, and agencies (EUIs). These findings are part of the European Data Protection Board’s (EDPB) broader Coordinated Enforcement Action initiated in February 2024. .
Through its dedicated efforts, the ŷޱͶע conducted a detailed survey among EUIs and analysed complaints related to individuals’ access requests. The results underline both the successes and the challenges faced by EUIs in ensuring individuals can exercise their right of access to their personal data as outlined in Regulation (EU) 2018/1725.
Wojciech Wiewiórowski, ŷޱͶע, said: “The right of access is one of the core elements of data protection, it is a vehicle for transparency and accountability on how individuals’ personal data is processed by EUIs and whether this is done in compliance with Regulation (EU) 2018/1725. The report and this exercise underscore the ŷޱͶע’ commitment to upholding data protection standards within EU institutions and to ensuring that individuals’ rights are respected in practice.”
In summary, the ŷޱͶע highlights the following five key findings.
- A limited volume of requests:
Most EUIs receive between 0 and 25 access requests annually, with 58 out of 63 respondents reporting this figure for 2023. This might be partly be due to the existence of self-service tools enabling individuals, especially EUIs’ staff members, to download their personal data themselves.
- A decentralised way of handling data:
Many EUIs lack centralised systems for managing access requests, leading to potential inconsistencies and difficulties in demonstrating compliance during audits or litigation.
- Challenges in categorising requests:
EUIs face obstacles in distinguishing access requests from other types of requests, such as public access to documents or complaints.
- Identity verification issues:
Verifying the identity of requesters sometimes results in excessive or unnecessary processing of personal data, including sensitive data.
- Interpretation of obligations:
Practical challenges arise in providing copies of personal data while balancing this obligation with protecting the rights and freedoms of others.
The ŷޱͶע findings will shape future supervisory and enforcement actions, aiming to improve how EUIs address individuals’ right of access.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (ŷޱͶע), are set out in .
About the ŷޱͶע: The ŷޱͶע is the independent supervisory authority with responsibility for monitoring the processing of personal data by the , advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (ŷޱͶע) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
About the Coordinated Enforcement Framework: This initiative is part of the ŷޱͶע’s continued engagement in the ٱʵ’s&Բ; that aims to streamline enforcement and cooperation amongst DPAs. Previous coordinated actions looked into the , in 2022, and the role and responsibilities of Data Protection Officers, in 2023. The topic selected for the 2025 CEF is the .