EDPB launches its third Coordinated Enforcement Framework

The European Data Protection Board (“EDPB”) has formally launched its third Coordinated Enforcement Framework (“CEF”). The focus of this year’s action is on data subject’s access rights enshrined in Article 15 of the GDPR.

The CEFs seek to streamline enforcement and cooperation amongst Data Protection Authorities (“DPAs”) in Europe, with previous years focusing on the public sector’s use of cloud services and data protection officers.  This year, thirty-one participating DPAs will circulate fact-finding questionnaires to organisations in their territory, with the aim of identifying the need for formal investigations and launching such investigations where appropriate.

At the conclusion of the CEF, results will be aggregated to offer a pan-European overview and to facilitate targeted follow-up at the EU level.  The EDPB will publish a report of these outcomes once the actions are concluded.  

On 19 March 2024, Ireland’s Data Protection Commission (the “DPC”) announced that it will be participating in this year’s CEF. 

Comment

The right of access is one of the most frequently exercised data protection rights and often leads to the exercise of other data protection rights, such as the right to rectification and the right of erasure.  The DPC noted in its Annual Report for 2022 that complaints in relation to the exercise of access rights are the most common complaints, with over 1,000 such complaints received.  This has been a consistent theme for DPC Annual Reports over the last number of years, and it is therefore not surprising that the DPC is participating in the CEF.

In order to prepare for the CEF, organisations should review their transparency notices to ensure that data subjects are informed of their right of access and how to exercise this right.  In addition, organisations should ensure that they have appropriate policies and procedures in place to ensure that they can respond to access requests in accordance with their obligations under the GDPR.  In this regard, organisations should review the EDPB’s Guidelines on Data Subject Rights - Right of Access published in 2023 to ensure compliance. 

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.