European Union: European Data Protection Board (EDPB) adopted 2024 coordinated enforcement action on implementation of the right of access by controllers

On 16 January 2025, the European Data Protection Board (EDPB) issued findings from its coordinated enforcement actions focusing on the implementation of the right of access (to data) by controllers under the GDPR. As part of the 2024 Coordinated Enforcement Framework (CEF) initiative, first announced on 17 October 2023, 30 supervisory authorities (SAs) across the EEA conducted investigations into controllers' compliance with the right of access. These investigations included a questionnaire completed by 1'185 controllers from various organisations, ranging from SMEs to large organisations and public entities. Findings indicated that compliance levels varied, with larger organisations and those handling higher volumes of access requests demonstrating better adherence. Challenges identified included limited awareness of EDPB Guidelines 01/2022, inconsistent retention practices, and insufficiently tailored responses to data subjects. The report recommends raising awareness of the Guidelines, improving internal procedures, and adopting best practices, such as user-friendly access request systems and enhanced documentation. Some actions, including enforcement and guidance, remain ongoing at the national level.