EDPB CEF 2024 & 2025: Data Subject Rights (& Wrongs)

The European Data Protection Board (“EDPB”) has launched its Coordinated Enforcement Framework (“CEF”) action for 2025, which will centre on the right to erasure under Article 17 of the General Data Protection Regulation (“GDPR”). This marks a thematic continuation of the EDPB’s focus on the implementation of data subject rights, following last year’s CEF action on the right of access.

The EDPB is composed of representatives from the various EU Data Protection Authorities (“DPAs”) and its goal is to ensure a consistent application and enforcement of the GDPR across EU Member States. The CEF is an action of the EDPB under its 2024-2027 strategy, which seeks to streamline enforcement and cooperation among DPAs. The reports that the EDPB produces with its findings from a CEF action usually contain key learnings which ought to be implemented by controllers seeking to ensure compliance with the GDPR.

CEF 2025 – The Right to Erasure

According to the EDPB, the right to erasure was chosen as the CEF action for 2025 because it represents one of the most commonly exercised rights under the GDPR and is a frequent source of complaints received by DPAs. Thirty DPAs across Europe, as well as the European Data Protection Supervisor, will take part in this initiative.

CEF 2024 – The Right of Access

Earlier this year, the EDPB adopted a report on the implementation of the right of access by controllers, arising from the 2024 CEF action (the “EDPB Report”). The 2024 CEF action involved 1,185 controllers of varying size, industry and sector. The EDPB Report provides useful recommendations for controllers on how to comply with the right of access. In particular, it recommends that controllers assess access requests on a case-by-case basis. The EDPB Report further observed that controllers were less aware of the content of the ‘EDPB Guidelines 01/2022 on data subject rights – Right of access’ (the “Guidelines on Access Requests”), which provide extensive guidance to controllers on implementing the right of access and the various exemptions available.

Around two-thirds of DPAs rated the compliance level of responding controllers as 'average' to 'high'. Higher compliance was observed among controllers receiving a larger volume of access requests and larger organisations. While a number of positive practices are included in the EDPB Report, there are also challenges identified, for which the EDPB has included non-binding recommendations:

The table below sets out each challenge alongside the EDPB's recommendations.

Challenge / EDPB Recommendations

Lack of awareness about the scope of access

  • Controllers should pre-assess which types of information may contain personal data and where this is held. The EDPB Report recommends referring to the controller’s record of processing activities (often referred to as a ROPA) to identify possible storage locations of personal data.
  • The EDPB Report finds that searches are often too narrow with controllers only searching commonly used databases and not verifying whether they hold additional personal data that falls within the scope of the requestor’s access request.
  • For repeated access requests, the EDPB Report finds it concerning that many controllers merely inform the requestor of changes to their personal data since their last request, and do not provide full access to their personal data, even though the requestor has not limited their request in that manner.

Retention periods

  • The EDPB Report finds that controllers often have inconsistent and unclear practices with regard to how long they retain data related to access requests, with some storing the access request and related communications indefinitely. The EDPB suspects that this may be because controllers are unaware that the data minimisation principle also applies to data and communications related to access requests.
  • The EDPB Report recommends that controllers fix a retention period for access request data and communications based on objective criteria and document their reasoning. Therefore, controllers should revisit their retention policy.
  • It is also recommended to store access request data and communications separately from other information about the data subject.
  • The EDPB Report notes that further guidance from DPAs on deciding retention periods may be helpful for controllers.

Lack of documented internal procedures

  • The EDPB Report finds that controllers often have insufficient internal policies and procedures addressing how access requests are to be handled, which can heighten the risk of infringing a data subject’s rights. It notes that the EDPB could issue further guidance on the topic.
  • Controllers should ensure that they are actively reviewing and (where necessary) improving their data protection practices on an ongoing basis. In particular, the EDPB report suggests that the reviews should consider and take account of the Guidelines on Access Requests.
  • Controllers should ensure that all employees are trained to recognise an access request regardless of the submission channel (e.g. channel for customer complaints) and are aware of the appropriate channel to transfer the access request to.
  • When a controller is in doubt as to whether an individual’s request is in fact an access request, the controller should verify this with the requestor.

Barriers to facilitating the right of access

  • The EDPB Report observes that DPAs identified various barriers which prevent data subjects from exercising their right of access, including:
    • Controllers requiring data subjects to use a specific channel for submitting access requests [1] or to make the request in writing. The EDPB Report notes that controllers should ensure that they are prepared to handle an access request even if the request is not submitted through their dedicated channel or in the controller’s preferred form.
    • Controllers requesting further information to verify the identity of the data subject. The EDPB Report recommends that each access request, when received, should be assessed on a case-by-case basis to determine if further identification or authentication of the data subject is required. The EDPB comments that asking for further identification documents for all access requests may constitute excessive processing and may create an unnecessary barrier to the data subjects’ right of access.
    • Controllers not always considering the accessibility needs of data subjects when fulfilling an access request (e.g. a verbal response may be more appropriate for a visually impaired data subject).

Inconsistent and excessive interpretations of the limits to the right of access

  • The EDPB Report observes that DPAs noticed controllers often relying too broadly on the exemptions for ‘manifestly unfounded or excessive’ requests and for ‘protecting the rights and freedoms of others’. Examples given include:
    • Some controllers consider requests to be ‘manifestly unfounded or excessive’ due to their lack of precision, the suspected intentions of the data subject or the associated cost.
    • With respect to the exemption for ‘protecting the rights and freedoms of others’, some controllers rely on this too broadly by refusing to provide video footage in its entirety on the basis that other individuals appear in the footage. In doing so, the controller ignores that it could blur or pixelate those individuals, or decides not to for cost reasons.
  • The EDPB acknowledges that access requests can be both costly and time-consuming for controllers to handle properly, and that controllers may fear that granting access could expose their organisation to abuse or misuse. However, the EDPB reaffirms that the GDPR provides for very few limits to the right of access and that, importantly, the right of access is not subject to a proportionality assessment with respect to the efforts that the controller is to take. In particular, the concepts of “manifestly unfounded or excessive” should be interpreted narrowly, as “the principles of transparency and cost free data subjects rights must not be undermined”.
  • The EDPB Report notes that controllers should be aware that where they restrict a data subject’s right of access (e.g. reliance on an exemption), they must be able to demonstrate and explain their reasoning for doing so.
  • The EDPB suggests that DPAs and the EDPB could develop guidance with examples of correct refusal practices and scenarios to help controllers understand the boundaries within which access requests can be fully or partially rejected.
  • The EDPB suggests that the Guidelines on Access Requests be updated to reflect recent caselaw developments from the Court of Justice of the EU on the right of access.

Specification of access requests

  • The EDPB Report notes that several DPAs have found controllers, as their default position, asking requestors to further specify or narrow their access request. Some controllers do this without checking whether they actually process a large amount of personal data relating to the requestor or whether the scope of the particular request is unclear.
  • The EDPB recommends that controllers assess each access request on a case-by-case basis to verify whether further specification is in fact needed.
  • The EDPB Report recommends that controllers provide data subjects with self-service tools or possibilities to preselect one, several or all processing activities which they would like to receive information on.

Additional information on the processing is not tailored to the access request

  • As well as providing individuals with access to their personal data, Article 15 of the GDPR also requires the controller to provide additional information about the processing of their personal data, including the purposes of the processing, who the data is shared with and how long it is retained for. To satisfy this requirement, many controllers provide the data subject with their standard data protection notice as a means of providing the additional information.
  • The EDPB Report finds that controllers are not tailoring the additional information to the particular access request received and suggests that the practice of providing a data protection notice may be problematic at times. The EDPB Report states: “In particular, pre-existing documents should only be referred to after careful assessment of the specific access request. This is because, on the one hand, these documents often do not contain all information required under Art. 15 (1) and (2) GDPR. On the other hand, not all information provided in these documents may apply to the specific data subject, leaving them to guess which information applies to them specifically (e.g. how long exactly their data will be retained).” (emphasis added)
  • The EDPB Report recommends that controllers handle access requests on a case-by-case basis and inform the specific data subject which personal data is processed for which purposes, as well as include information as listed in Art. 15 (1) and (2) GDPR which is tailored to the specific data subject and access request.


What does this mean for controllers?

The EDPB Report on the right of access contains a plethora of recommendations for controllers on the handling of access requests. Controllers would be well advised to review their practices and policies related to access requests and to consider updating these to take account of the EDPB’s recommendations. The EDPB Report also recommends various updates to its Guidelines on Access Requests, for which controllers should keep an eye out.

Given the EDPB’s continued focus on compliance with data subject rights into this year, particularly the right to erasure, we encourage clients to carefully assess their practices against rights-related obligations more generally.

How can McCann FitzGerald LLP help?

For further information or assistance, please reach out to one of the key contacts below, or your usual contact at McCann FitzGerald LLP.

Also contributed to by Isobel Murphy.


  1. Cf. Guidelines 01/2022, para 54: “It should be noted that the controller is not obliged to act on a request sent to a random or incorrect e-mail (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subject's rights if the controller has provided an appropriate communication channel, that can be used by the data subject.”

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.