CEF 2024: IDPC Report on Coordinated Enforcement Action 2024 on Right of Access
CEF 2024: IDPC Report on Coordinated Enforcement Action 2024 on Right of Access
January 2025
As part of a Coordinated Enforcement Action (CEF) coordinated by the European Data Protection Board (EDPB) in 2024, the Information and Data Protection Commissioner (IDPC) office of Malta carried out a survey in the form of a questionnaire sent to private organisations to verify the implementation of the right of access by data controllers. Its overall assessment is positive and the outcome demonstrates a high level of awareness and compliance by data controllers in accordance with article 15 of the General Data Protection Regulation (GDPR).
General Overview
This survey was conducted by the IDPC alongside another 29 data protection and privacy authorities across the EEA for the third edition of the European Data Protection Board’s CEF. Data protection authorities across the EEA launched coordinated actions and carried out large-scale investigations regarding the implementation of the right of access by data controllers with encouraging results overall. The EDPB has now published its report on the findings. It identifies challenges and lists, for each challenge identified, a list of non-binding recommendations and/or points of action. The report includes an annex with the national reports of all the supervisory authorities that took part in the CEF.
Local Overview
The IDPC sent questionnaires as a fact-finding exercise to a total of 100 data controllers across the private sectors, ranging from micro to large enterprises within the health, insurance, finance, retail, telecommunications and manufacturing sectors and industries. This exercise in particular sought to identify issues or challenges faced by data controllers in complying with requests for access by data subjects, best practices in handling requests for access and the level of awareness and compliance by the data controllers consulted. The responses received were used to draft the national report.
Six years after the GDPR came into force, the results of this coordinated enforcement action show that organisations have seriously considered and implemented their obligations in relation to the right of access as exercised by data subjects. The IDPC takes a positive note of this, acknowledging that the level of experience and expertise of data controllers is high in this regard and clearly indicates that compliance with requests for access by data subjects is given its due importance. Responses however, also highlighted a lack of resources. This could possibly lead to slight discrepancies between organisations in the efficiency in which the requests are tackled.
As a way forward the IDPC will strive to participate actively in the EDPB’s series of coordinated enforcement actions which seek to streamline enforcement and cooperation amongst data protection and privacy authorities.
Read here the EDPB's media release on CEF 2024.