EGDF and ISFE ask EDPB to clarify its approach on data subjects’ right of access

EGDF and ISFE publishes their response on Guidelines 01/2022 on data subject rights – Right of access 

EGDF and ISFE members welcome the issue of Guidelines and Recommendations by the EDPB as they promote a common understanding of the European data protection framework and provide a harmonised interpretation of key provisions in the GDPR. This will help to ensure effective and meaningful implementation of the GPDR.

The GDPR substantially widened the regulatory framework on the protection of personal data, in particular with new transparency requirements and data subject rights. These Guidelines will, therefore, be of great value to our sector and will help companies to deal with access requests from data subjects and to provide them with sufficient, transparent and easily accessible information about the processing of their personal data.

We have, however, identified a number of interpretation issues in the text that do not appear to be in line with the legal framework of the GDPR and that hinder, rather than support, a meaningful implementation of the rules. We will highlight these in our comments below, following the order of the table of contents and corresponding paragraph numbers. The most important points that we wish to make are:

  1. Data controllers should be given clear discretion to assess and deny requests where malicious intent is apparent. The Guidance creates uncertainty on this point through contradictory statements
  2. The Guidance should give certainty to data controllers that, where they have provided an official and easily accessible route for the submission of data access requests, they may require its use for all such requests
  3. Data controllers should be given further discretion about how they provide data, so that they can comply with the Article 12 requirement to provide data in a concise, transparent, intelligible and easily accessible form
  4. The example relating to video games and anti-cheating practices in paragraph 171 should be clarified to ensure that games companies can fully protect both their own security and the rights of others, including players and themselves.

The full position paper can be accessed here:

or downloaded from here:

For more information EGDF approach on privacy and data protection, please visit: