In 2024, the Hellenic DPA participated in the 3rd European Data Protection Board Coordinated Enforcement Action (CEF) on the implementation of the right of access, which brought together a total of 28 data protection authorities.
To carry out this action, the Hellenic Authority sent a questionnaire on the implementation of the right of access to 36 organisations acting as controllers in the financial sector.
The Authority's main findings include the following:
- The majority of the participants have adopted a policy on the handling of access requests under Article 15 GDPR, as well as procedures to record handling and compliance.
- The access provided to data subjects upon request includes, in the majority of cases, all the information listed in Article 15(1)-(2) GDPR. Problems were identified in relation to the provision of information on the exact data retention period.
- Bodies with a high turnover and bodies which, by the nature of their activities, receive many requests for access tend to have a higher level of compliance than bodies with a lower turnover and fewer resources.
In general, the Authority assessed the level of compliance by controllers as ‘moderate’. In addition, there were no significant differences between the participants in terms of knowledge and application of GDPR provisions on the right of access, while the majority of participants were well aware of Guidelines 01/2022 on data subject rights – Right of access.
The record of the replies and the analysis of the conclusions can be found in the report of the Hellenic DPA, which is annexed to the main report of the EDPB. Both are available at the following link: https://www.edpb.europa.eu/news/news/2025/cef-2024-edpb-identifies-challenges-full-implementation-right-access_en.
Communication & Public Relations Department

