The right of access
On January 20, 2025, the Spanish Data Protection Agency announced its participation in a European initiative coordinated by the European Data Protection Board (EDPB) to assess how public and private entities manage the exercise of the right of access by data subjects. This initiative seeks to ensure that citizens can effectively exercise this right and that data controllers comply with the obligations established in the General Data Protection Regulation.
The right of access allows individuals to know what personal data an organization holds about them and how it is being used. It is essential to ensure transparency and data control by data subjects. The coordinated action had the following main objectives:
- Ensure the effectiveness of the exercise of the right of access by interested parties.
- Evaluate how data controllers address this right.
- Promote awareness of applicable requirements and EDPB guidelines related to the right of access.
MethodologyYoThere is Participationn
The survey involved 1,185 public and private sector entities from across the European Economic Area. The AEPD collected questionnaires from 39 Spanish entities (23 from the public sector and 16 from the private sector), whose processing affects approximately 750,000 employees and covers approximately 140 million personal data items belonging to citizens, users, and customers. The sectors assessed included air transport, commerce, insurance, finance, private security, energy, tourism, hospitality, communications, pharmaceuticals, and clinical trials. In addition, the AEPD collaborated with the Andalusian Transparency and Data Protection Council and the Catalan Data Protection Authority to expand the scope of the survey.
He resulting report identifies challengesYohello, good morningtopractices and offers recommendations to improve attention to the right of access:
- Common Challenges:
- Difficulties in identifying and authenticating applicants.
- Delays in responding to requests.
- Lack of clear internal procedures for managing requests.
- Good Prtopractices:
- Implementation of defined internal procedures and use of platforms for privacy management.
- Availability of accessible channels for submitting applications.
- Answers in clear and understandable formats.
- Adoption of appropriate security measures when facilitating access.
- Continuous training of employees in data protection.
- Recommendations:
- Define clear internal procedures and use privacy management tools.
- Establish specific channels for receiving access requests.
- Ensure that responses are understandable and provided in an appropriate format.
- Implement security measures to protect data when responding to requests.
- Verify the identity of the applicants and, where applicable, proof of their representation.
- Increase awareness among data controllers and provide appropriate training to employees.
For compliance and data protection professionals, these findings underscore the importance of:
- Establish Effective Procedures: Develop and document clear procedures for managing access requests, ensuring they are handled consistently and in compliance with the GDPR.
- Trainingeithern Continues: Regularly train staff on the importance of the right of access and associated procedures to ensure an appropriate and timely response.
- Use of Technology Toolsgical: Implement technological solutions that facilitate request management and tracking, improving efficiency and reducing the risk of errors.
- Continuous Evaluation and Improvement: Conduct periodic audits of access request management processes to identify areas for improvement and ensure ongoing compliance.
The coordinated action of the EDPB and the participation of the AEPD highlight the importance of the right of access in the protection of personal data. Organizations must prioritize the implementation of effective practices to address this right, ensuring transparency and strengthening data subjects' trust in the handling of their personal data.
Access all the information in our Professional Master in Data Protection Audit, Risk Management and Cyber Compliance and learn more related posts in our Compliance section in our Compliance blog.
