The EDPB has issued finalised updated guidelines on data subject access requests, providing practical advice for organisations.
The European Data Protection Board (EDPB) has issued updated guidelines on data subject access requests that provide practical advice for organisations receiving these requests from individuals. This update builds on previous guidelines published a little over a year ago. Data subject access requests allow individuals access to their personal data held by organisations, and the EDPB guidelines make it clear that organisations have a legal obligation to respond to them promptly and without undue delay. The EDPB recommends that organisations have proper procedures in place for handling data subject access requests.
The updated guidelines outline what data must be provided in response to data subject access requests.
The guidelines emphasise that organisations have a legal obligation to respond to data subject access requests promptly and without undue delay. Data subjects have a right to know what personal data is being processed, the purposes of the processing, and the recipients of the data, among other information. The EDPB also clarifies that the right of access extends to all personal data, including metadata, that pertains to an individual. The updated guidelines also cover situations where exemptions may apply, such as when disclosing the data would infringe other individuals’ rights to privacy.
The new guidelines offer guidance on how organisations should respond to large-scale data subject access requests or those that are manifestly unfounded or excessive. The EDPB recommends that organisations undertake a thorough review of their internal processes and policies for dealing with these requests. Failing to respond to data subject access requests lawfully could lead to regulatory enforcement action and financial penalties. Organisations must have sufficient procedures in place for lawfully handling data subject access requests in a timely and efficient manner.