Updated guidelines on data subject access requests issued by the EDPB

The EDPB has issued finalised updated guidelines on data subject access requests, providing practical advice for organisations.

The European Data Protection Board (EDPB) has issued updated guidelines on data subject access requests that provide practical advice for organisations receiving these requests from individuals. This update builds on previous guidelines published a little over a year ago. Data subject access requests allow individuals access to their personal data held by organisations, and the EDPB guidelines make it clear that organisations have a legal obligation to respond to them promptly and without undue delay. The EDPB recommends that organisations have proper procedures in place for handling data subject access requests.

The updated guidelines outline what data must be provided in response to data subject access requests.

 

The guidelines emphasise that organisations have a legal obligation to respond to data subject access requests promptly and without undue delay. Data subjects have a right to know what personal data is being processed, the purposes of the processing, and the recipients of the data, among other information. The EDPB also clarifies that the right of access extends to all personal data, including metadata, that pertains to an individual. The updated guidelines also cover situations where exemptions may apply, such as when disclosing the data would infringe other individuals’ rights to privacy.

 

The new guidelines offer guidance on how organisations should respond to large-scale data subject access requests or those that are manifestly unfounded or excessive. The EDPB recommends organisations undertake a thorough review of their internal processes and policies to deal with these requests. Failing to respond to data subject access requests lawfully could lead to regulatory enforcement action and financial penalties. Organisations must have sufficient procedures in place for lawfully handling data subject access requests in a timely and efficient manner.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both Data Protection Officer outsourcing, and GDPR and Data Protection Act 2018 consultancy services, as well as Telecom Regulatory Consultancy. We can help your company get on track towards full compliance. Contact us today.
