GDPR: Citizens' right to information is often poorly complied with
EU data protection experts have reviewed how the right to access one's own data enshrined in the GDPR is handled and have come up against challenges.
The European Data Protection Board (EDPB) and the EU Data Protection Supervisor Wojciech Wiewiórowski have carried out a Europe-wide review of the implementation of the general right of access enshrined in the General Data Protection Regulation (GDPR) and have now presented their findings. The inspectors have identified a number of problems with how citizens can currently find out what data companies and authorities have stored about them on the basis of this right. As an example, they cite obstacles such as excessive formal requirements or the unfounded request to present identification documents.
The 30 supervisory authorities involved also identified inconsistent and exaggerated interpretations of the statutory limits for the right of access. Controllers sometimes relied too heavily on certain exceptions to automatically reject requests. According to the EDPB report, another problem is that internal procedures for processing access requests are not documented.
A total of 1185 controllers from the business sector and public institutions responded to the questionnaires sent out. Two thirds of the participating supervisory authorities rated the degree of legal compliance of these controllers as "average" to "high". An important factor here was the volume of access requests received by the controllers and the size of the organization: controllers that received more requests tended to meet the requirements better than small organizations with fewer resources. The EDPB positively assessed the implementation of tried and tested procedures such as user-friendly online forms and "self-service systems", which allow individuals to download their data independently at any time with just a few clicks.
Information is often inadequate
The eight participating authorities from Germany report in their evaluation that many of the controllers contacted said they had received only a few access requests. Apparently, the public is not sufficiently aware of this important data subject right. In the private sector, most requests were rooted in legal disputes.
Many data controllers also find it difficult to grasp the scope of the right of access and the meaning of the term "personal data" in practice. Often only the most common internal systems are searched, not all databases. Furthermore, many controllers do not know that personal information can also be "contained in non-textual files, metadata or backup data". Some also assume that the right to receive a copy is independent of the right of access and, for example, expect an explicit request from the data subject to provide document or database extracts.
The EDPB published guidelines on data subject rights, which include the right of access, back in 2022. The committee now wants to update these in light of the results. The report already contains a number of recommendations. The 2025 concerted review action will focus on the implementation of the right to erasure.
(vbr)