The European Data Protection Board (EDPB) and EU Data Protection Commissioner Wojciech Wiworowski have conducted a Europe-wide exercise to review the implementation of the general right of access contained in the General Data Protection Regulation (GDPR) and have now presented their results. , Inspectors have therefore identified some problems with how citizens can currently find out what data companies and authorities have stored about them, based on claims. As examples, they cite obstacles such as excessive formal requirements or unfounded requests to present identity documents.
Advertisement
Digital Services Act in Germany: Major legislation with teething problemsThe 30 regulators involved also identified inconsistent and exaggerated interpretations of statutory barriers to access. Those responsible for automatically denying requests sometimes relied too heavily on certain exceptions. another problem According to EDSA reportInternal procedures for processing requests for information are not documented.
A total of 1,185 people from businesses and public institutions responded to the questionnaire sent. Two-thirds of the participating supervisory authorities rated the degree of legal compliance of these responsible parties as “average” to “high”. An important factor was the volume of requests for information received by responsible people and the size of the organization: responsible people who received more requests were more likely to meet the requirements than smaller organizations with fewer resources. The EDPB positively evaluates the implementation of best practices such as user-friendly online forms and “self-service systems”, with which individuals can freely download their data at any time with just a few clicks.
Information is often insufficient
Eight officers involved from Germany are held in their assessment: Several responsible persons contacted said they had received only a few requests for information. Apparently the public does not have enough information about the important rights of the affected people. In the private sector, most requests were rooted in litigation.
Many responsible parties also have difficulty understanding the scope of the right to information and the scope of the term “personal data” in practice. Often only the most common internal systems are searched, not all databases. Many people in charge don’t even know that personal information “may also be contained in non-text files, metadata or backup data.” Some people say that the right to receive a copy is independent of the right to information. An explicit request from the person concerned to provide a document or database citation is required.
The EDPB published guidelines on the rights of affected people, including the right to information, as early as 2022. The Committee now wishes to update it in the light of the results. The report already includes several recommendations. The 2025 integrated review campaign will focus on the implementation of the right to erasure.
(Old)
Federal Network Agency: Fiber optic modem not required by provider
