DPC national report findings under the Coordinated Enforcement Framework for 2024

In 2024, the Data Protection Commission (DPC) participated in the third coordinated action by the European Data Protection Board (EDPB) which focused on the Right of Access. This action aimed to assess the levels of awareness and understanding of the EDPB Guidelines 01/2022 concerning the right of access among data controllers. The right of access is fundamental to data protection and is one of the most frequently exercised rights. It allows individuals to verify whether organisations process their personal data in compliance with the law.

To contribute to this initiative, the DPC conducted a comprehensive fact-finding exercise through a questionnaire distributed to 30 organisations across various sectors. The responses received were analysed and included in the DPC's national report, which is attached to the main report published by the EDPB.

Some the main findings of the DPC National report were

• Organisations that have established well-structured practices and compliance teams for handling Subject Access Requests (SARs) demonstrated the highest levels of compliance and awareness of GDPR provisions.

• Organisations that received a higher volume of SARs tended to have better-documented internal processes for managing these requests compared to those that received minimal requests.

• Organisations that employed automated workflow systems, digital tools, software, or ticketing systems were more effective in managing and tracking access requests.

• In determining the scope of personal data in replying to a SAR, we noticed good practices in respondents who follow a checklist of where personal data is held, including good use of Record of Processing Activities (ROPAs) which will identify if any new data is being processed.

Both the DPC national report and the EDPB report are now available on the EDPB website located here.