On the 28th of February 2024, the European Data Protection Board ("EDPB") launched its most recent Coordinated Enforcement Framework ("CEF") action. This time the spotlight will be on how organisations handle Data Subject Access Requests, commonly known as DSARs. In this blog, we will explain the procedural landscape behind a CEF action, offer key insights into why the right of access is a central focus of the CEF and examine the role of the participating Data Protection Authorities ("DPAs"). We will also discuss what your organisation can do today in light of the potential implications of this new enforcement action.

Another CEF?

The CEF is a fundamental component of the EDPB's 2021-2023 Strategy, which aims to enhance collaboration among DPAs in addressing key data protection issues. Namely, through the EDPB, each year DPAs select a focal enforcement topic on which they will act in a coordinated way. The CEF's structured programme involves electing a predetermined topic, agreed methodology, and voluntary DPA participation. The topics of the two previous CEFs included cloud usage in the public sector (2022) and the designation and position of Data Protection Officers (2023). The framework emphasises strategic coordination, enabling DPAs to collectively address critical data protection challenges. The ongoing CEF focus on the implementation of the right of access by data controllers exemplifies this coordinated strategy. Since its announcement by the EDPB last week, several DPAs as well as the European Data Protection Supervisor voiced their approval of the forthcoming CEF along with their intention to participate.

Why the right of access?

The choice of the right of access as a topic for this year's CEF is not coincidental. This right, as set out in Art. 15 of the GDPR, is a cornerstone right for data subjects. Without knowledge about the processing of their personal data, individuals face obstacles in asserting additional rights to which they are entitled under the GDPR, such as rectification, erasure, or the ability to lodge a complaint with a supervisory authority. Nevertheless, Art. 15 on its own still provides considerable room for interpretation. A substantial challenge arises in aligning the provisions of Art. 15 with what is practically manageable and feasible for organisations. While the right of access is essential in ensuring data subjects are empowered with sufficient information to counter any potential non-compliance by data controllers, its practical application may lead to unnecessary administrative burdens and information overload. One particularly contentious issue, for example, relates to the right to a copy under Art. 15(3), which enables the data subject to request a "copy of the personal data undergoing processing" from the data controller. As highlighted by German DPAs, the lack of specificity in this provision could potentially result in an overwhelming burden and cost for organisations.

More specificity with regard to the handling of DSARs has over the years been provided by the Court of Justice of the European Union ("CJEU"). Just in 2023, there were at least three different CJEU judgements involving Art. 15. In Case C-154/21, the CJEU ruled that the data controller is in most cases required to reveal the specific identity of recipients of personal data, unless the request is manifestly unfounded or excessive. The practical implication of this ruling is that controllers must ensure that they can easily consult their records to identify the specific recipients for each third-party data transfer. Further, in Case C-579/21, the CJEU confirmed the broad interpretation of the right of access to personal data under Art. 15, which may include information on who accessed personal data, along with the dates and purposes for such access. In addition, expanding on the conversation about the right to a copy, the CJEU in Case C-487/21 determined that the right to a copy according to Article 15(3) GDPR implies that the data subject should receive a faithful and intelligible reproduction of all their personal data. However, this does not entail a general obligation for a data controller to always share complete copies of documents or databases in response to a DSAR, unless required in light of the specific request.

The EDPB itself has already elaborated on DSARs when it published the final version of its guidelines on the right of access in March 2023. With its guidelines, the EDPB aimed to enhance the understanding of a data controller's responsibilities outlined in Art. 15 GDPR, ensuring that data subjects can seamlessly exercise their right of access. The guidelines offer valuable insights into various facets of the right of access, such as additional clarity on the definition of personal data and the scope of the right to access. They also provide further specification of the responsibilities of data controllers pursuant to Art. 15 and outline the limits and restrictions associated with the right of access. However, in practice, a large discrepancy still exists with regard to how organisations handle DSARs.

Upcoming steps in the CEF process and action taken by DPAs

Once a topic for an annual action is agreed upon, the process is internally managed and coordinated by the EDPB Secretariat, in collaboration with DPAs. The collaborative process involves defining the action's scope, creating a questionnaire or audit guide, and launching coordinated actions concurrently. Ongoing communication enables DPAs to discuss progress and share updates on the initiatives and investigations. Coordinators propose a common outline and structure, agreed upon by the group, and each participating DPA drafts a national report, shared within the group. Coordinators then aggregate these reports to prepare the EDPB report submitted to the EDPB Plenary for adoption, summarising main findings and recommendations, along with national-level descriptions. For example, read about the key findings and recommendations which emerged from the previous CEF action on DPOs here.

DPAs have the autonomy to determine the number and types of external organisations or stakeholders to engage with, aligning with their strategy, enforcement priorities, available resources, and the agreed-upon scope. It is important to note that national DPAs can in fact choose from a range of diverse actions, allowing them to participate in CEF actions in three different ways. Essentially, this means that DPAs can choose to participate i) only as a fact-finding exercise, or ii) with the intention to initiate new formal investigations. Lastly, their participation may lead to iii) a follow-up of ongoing formal investigations.

What can your organisation do today?

Being able to handle DSARs in an efficient and compliant manner is oftentimes the result of good privacy governance within an organisation. The EDPB's newest CEF highlights the key importance of the right of access, underscoring its impact on privacy and data protection in practice. As such, this is a strategic opportunity for organisations to reassess and fortify their DSAR processes, ensuring alignment not only with current EDPB guidelines but also through anticipating and preparing for the current CEF action.

Considerati has supported many organisations with the strategic set-up or improvement of their data subject right processes, including DSARs. Do not hesitate to contact us should you wish to discuss the set-up at your organisation or if you have questions about how the latest CEF action might impact your organisation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.