Following public consultation, the EDPB has adopted a final version of the Guidelines on data subject rights – Right of access. The Guidelines analyse the various aspects of the right of access and provide more precise guidance on how the right of access has to be implemented in different situations. Among other things, the Guidelines provide clarifications on the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests. Following public consultation, the Guidelines were updated and further clarifications were added on different aspects that were brought up in the consultation. Furthermore, some minor editorial adjustments were made to ensure consistency of different concepts.
In addition, the EDPB adopted final versions of the targeted updates of the Guidelines for identifying a controller or processor’s lead supervisory authority and the Guidelines on data breach notification. Both sets of guidelines update the Art. 29 Working Party Guidelines on the same subjects. The public consultation only concerned the paragraphs of the guidelines that were updated.
Following public consultation, some feedback was included in the updated Guidelines on data breach notification. Most notably, the new version clarifies that the notification shall be the responsibility of the controller. In addition, some stakeholders raised concerns about operational issues when a personal data breach needs to be notified to multiple data protection authorities (DPAs). The EDPB recalls that the targeted update simply aligns the text of the Guidelines with the text of the GDPR, which does not provide for a one-stop-shop for controllers not established within the EEA. The EDPB, however, considered the stakeholders’ feedback and decided to publish a contact list for data breach notification with relevant links and accepted languages for all EEA DPAs on its website in the near future. This will make it easier for controllers to identify the contact points and requirements per DPA.