Many organizations do not handle access requests properly. That's according to research by the European Data Protection Board (EDPB) ahead of Privacy Day on Jan. 28, 2025. The results of the study confirm the picture that the Personal Data Authority (AP) sees in daily practice.
The right of access is one of the privacy rights that everyone has. When an organization uses personal data, people may ask what data it holds and how the organization uses that data. In 2023, the EDPB also released guidelines on the right of access.
30 privacy regulators in Europe, including the AP, asked 1185 organizations last year how they handle access requests. Public organizations and companies, both large and small and from different sectors, cooperated in the survey.
The study revealed, among other things, that organizations often do not have a standard operating procedure for access requests. Moreover, some organizations often wrongly refuse access requests. Organizations also often create unnecessary barriers for people before they allow access. Examples include requesting proof of identity when this is not necessary.
There is also much room for improvement in the Netherlands. Here, 30 percent of the organizations surveyed do not have a standard operating procedure for access requests. And 20 percent indicate that the data protection officer (FG) handles access requests, while this is not desirable. After all, as an internal supervisor, the FG checks whether an organization is complying with the law. In the event of a complaint about the handling of an access request, for example, the FG would then have to check his own work. A third of the organizations also reveal that they do not monitor or systematically check the handling of access requests.
The study found that there are significant differences between organizations and sectors. For example, some sectors have other laws in place that also already require organizations to give people access to their personal data. Organizations in those sectors generally have their affairs in order. The same is often true for large organizations, and organizations that receive many requests for access.
The EDPB also highlights the positive results of the survey. For example, two-thirds of the participating regulators conclude for their own countries that organizations comply reasonably well to very well with the requirements of the General Data Protection Regulation (GDPR) for handling access requests.
Good examples also emerge from the survey. For example, there are organizations that make it easy for people to request access through online request forms, or that let people download their personal data themselves with just a few clicks.
The EDPB is conducting research in 2025 as well, this year on the right to have data deleted.
The AP is one of the privacy regulators in the EDPB.