CEF 2024: Launch of coordinated enforcement on the right of access

28 February 2024
Launch of coordinated enforcement

Brussels, 28 February - The European Data Protection Board has kicked off its Coordinated Enforcement Framework (CEF) action for 2024. Throughout the year, 31 Data Protection Authorities (DPAs), including 7 German State-level DPAs, across the EEA will take part in this initiative on the implementation of the right of access.

During its October 2023 plenary, the EDPB selected the right of access for its third coordinated enforcement action, as it is at the heart of data protection and one of the most frequently exercised data protection rights, and one which DPAs receive many complaints about. In particular, it enables individuals to check whether their personal data is processed in a compliant manner by organisations. In addition, it often enables the exercise of the other data protection rights, such as the right to rectification and erasure.

In 2023, the EDPB adopted Guidelines on data subject rights - Right of access to help organisations respond to data access requests from individuals in line with the requirements set out in the GDPR. To gauge how organisations are complying with the right of access in practice, participating DPAs will implement the CEF in a number of ways:

  • organisations will be sent questionnaires to aid fact-finding exercises or to identify if a formal investigation is warranted;
  • commencement of a formal investigation; and/or
  • follow-up of ongoing formal investigations.

The results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further supervision and enforcement actions. In addition, all results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis once the actions are concluded.

This series of actions is the third initiative under the Coordinated Enforcement Framework (CEF), which aims to streamline enforcement and cooperation among DPAs.

Previous coordinated actions looked into the use of cloud services by the public sector, in 2022, and the designation and position of Data Protection Officers, in 2023.


For further information: