Launch of coordinated enforcement action on the right of access

3 mn

On 28 February, the European Data Protection Board (EDPB) launched its Coordinated Enforcement Framework (CEF) action for 2024.

Reading time: 3 minutes, 54 seconds


On 28 February, the European Data Protection Board (EDPB) launched its Coordinated Enforcement Framework (CEF) action for 2024. This year, the Luxembourg data protection authority (Commission nationale pour la protection des données, (CNPD)), as well as 30 other data protection authorities (DPAs), will focus their attention on the implementation of the right of access by public and private organisations.

For its third CEF action, the EDPB decided to prioritise the right of access because it is one of the most commonly exercised data protection rights and is the subject of many complaints to DPAs.

In this context, it is important to understand (i) what CEF actions consist of, (ii) what the right of access encompasses and (iii) how organisations should implement this right in practice.


1. Coordinated Enforcement Framework

The CEF is one of the key actions by the EDPB and consists of coordinated investigations into a specific topic conducted by DPAs. These investigations aim to streamline enforcement and cooperation between the authorities.

To determine how organisations are complying with the right of access, DPAs will implement the CEF in the following ways:

The results of the CEF will be analysed to gain a deeper understanding of the topic and to help DPAs develop further supervision and enforcement actions at EU level. Once the CEF is finalised, the EDPB will publish a report on its findings.


2. Scope of the right of access

The right of access is enshrined in Article 8 of the EU Charter of Fundamental Rights and further developed and defined in Article 15 of the General Data Protection Regulation (GDPR).

According to the right of access, individuals have the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, the right to access their personal data, as well as additional information in relation thereto (e.g. the purposes of the processing, the categories of personal data, etc.). Individuals also have the right to obtain a copy of the personal data in a commonly used electronic form.

In addition, the information provided should be complete and up to date. However, limiting access to part of the information can be considered in cases where, for example, the data subject has explicitly limited the request to a subset or where exceptions or restrictions to the right of access apply.

Furthermore, it is important to note that the right of access is not absolute as it should not infringe the rights and freedoms of others (e.g. the right of data protection of others and intellectual property rights). In the event of a clash between the rights of two parties, the controller must balance these and, if necessary, appropriate measures mitigating the risks should be implemented (e.g. redacting information). In addition, where requests from a data subject are manifestly unfounded or excessive, the controller may either charge a reasonable fee that reflects the administrative costs of providing the information or refuse to act on the request.

Finally, the requested information should be provided without undue delay and in any event within one month of receiving the request. However, this deadline can be extended by a maximum of two months as required by the complexity of the request.


3. How to properly implement the right of access?

Failure to respond to an access request, a late or incomplete response, or accepting the access right of a data subject whose identity has not been properly verified may lead to sanctions by the competent DPA.

It is therefore vital that all controllers (i.e. companies and public bodies processing personal data):





How we can help

Contact our experts, Astrid WagnerBénédicte d’Allard, Delphine Garnier, Faustine Cachera, Julien Pétré and Sophie Calmes for further assistance on how to comply with the right of access. They will be delighted to support you in any way, for example with putting in place a Data Subject Access Request (DSAR) policy.


Read the Guidelines 01/2022 on data subject rights – Right of access_

Download the press release

Luxembourg Newsflash – Launch of coordinated enforcement action on the right of access

pdf323 KB