On 17 April 2023, the European Data Protection Board (EDPB) published on its website the final versions (2.0) of the following two sets of guidelines, after public consultation, adopted during its March plenary:
- Guidelines 01/2022 on data subject rights – Right of access (‘Guidelines on the right of access’)
- Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority (‘Guidelines on identifying a controller or processor’s LSA’).
The Guidelines on the right of access provide further comprehensibility on the scope of the right of access, the extent of the information to be provided to data subjects, the format of the access request, the main modalities for providing access, and the limits and restrictions of the right, including examples and a flowchart to support the controllers when handling the data subjects’ access requests. The main amendments outlined within the second version relate to:
- references to certain CJEU cases involving the right of access (e.g., C-307/22, C-154/21);
- situations in which the controller processes a large quantity of data concerning the data subject, and it has to ask the data subjects for specifications regarding the data, including an example in this vein;
- the cases where the controller is not able to reply to a request before the time scheduled for data deletion;
- the identification and authentication, including examples supporting controllers to assess whether more details are necessary considering also the data minimization principle;
- different means to provide access to data concerning the data subject;
- the format and timing for the provision of access;
- the flowchart detailed in the Annex.
The Guidelines on identifying a controller or processor’s LSA represent a targeted update of the Article 29 Working Party’s guidelines for identifying a controller or processor’s LSA, approved by EDPB, aimed to clarify how the lead supervisory authority is identified in cross-border data processing cases. Among others, it provides further clarifications on the notion of the main establishment in the context of joint controllership, or on how the controllers and processor will refer to the supervisory authority in cases of data breaches or investigations. The main amendments brought by the second version relate to the joint controllership section.
Both guidelines include a few minor editorial adjustments for the consistency of the concepts and the references used.