Strengthening Trust through Effective Management of Data Access Rights: Lessons from Recent Decisions in Cyprus
The right of access, set out in Article 15 of the General Data Protection Regulation (GDPR), is a cornerstone of data protection. It allows individuals to know whether and how their personal data are being processed, thereby promoting transparency and trust towards organizations. Ensuring the effective exercise of this right is a fundamental element of any organization’s compliance strategy and a reflection of its commitment to ethical data management.
Recent decisions by the Cyprus Commissioner for Data Protection highlight significant challenges in the practical implementation of this right and offer valuable lessons for strengthening compliance. These cases are a clear reminder that following the rules on paper isn’t enough. Organizations need solid everyday practices that truly respect and protect people’s rights.
Recorded Call and the General Healthcare System (GHS – GESY)
In a complaint against GHS, an individual requested a copy of a recorded phone conversation relating to him. Although the call was recorded, the organization failed to satisfy the request within the legal one-month deadline, as stipulated by Article 12(3) GDPR. Furthermore, the recording was eventually deleted after the standard three-month retention period had expired. The Commissioner found a clear violation of Article 15 GDPR, emphasizing the critical need for organizations to have in place a clear and efficient procedure for handling access requests. This case showed that even with good intentions, missing steps in the process can lead to breaking the rules and damaging an organization’s reputation. It highlights that protecting data is not just about having policies; it is also about being well prepared to follow them in practice.
Access to Examination Data – General Healthcare System (GHS – GESY)
Another notable case involved a candidate for employment at the GHS who requested access to her corrected examination paper, detailed grading, and the correct answers. GHS rejected the request on the grounds of intellectual property protection. However, the Commissioner ruled that the grading data constitutes personal data, referencing the landmark CJEU Case C-434/16 Peter Nowak. The failure to fully satisfy the access request, combined with the organization’s lack of cooperation with the supervisory authority, resulted in findings of breach of both Article 15 and Article 31 GDPR. This case underscores the complexity of balancing legitimate interests, such as protecting intellectual property, with the fundamental rights of data subjects. It also highlights the necessity for organizations to carefully analyze and justify any limitation to the right of access, as blanket rejections without thorough legal grounding are unlikely to withstand scrutiny.
Delay in Access Request Fulfillment – Brivio Ltd
The case involving Brivio Ltd revolved around a delay in fulfilling a client’s data access request. Although the request was eventually met, internal organizational issues and an overwhelming volume of access requests led to a failure to respond within the mandatory timeframe. The Commissioner concluded that there had been a breach of Article 12(3) GDPR. This decision brings to light the operational pressures organizations may face but also confirms that logistical difficulties do not absolve data controllers from their legal responsibilities. It reinforces the message that organizations must anticipate surges in DSARs (Data Subject Access Requests) and have contingency plans in place, including sufficient resourcing and proactive monitoring of request backlogs.
Lessons for Organizations
These cases collectively convey critical lessons for organizations seeking to build a resilient and compliant data governance framework. Clear internal procedures are non-negotiable. Organizations must be capable of demonstrating that they can process access requests accurately and within the legally required timeframes. Moreover, they must communicate transparently with data subjects and supervisory authorities alike, ensuring that no access request is unjustly delayed or denied.
In strengthening compliance, it is essential to adopt the best practices observed in leading European jurisdictions. Establishing robust tracking systems to monitor the lifecycle of access requests is key. Investing in specialized tools for data subject rights management, as seen widely in Germany and the Netherlands, ensures that requests are neither overlooked nor mishandled, providing an auditable trail of actions taken.
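The tracking system recommended above, and the backlog monitoring and retention problems described in the GHS and Brivio cases, can be illustrated in code. The following Python register is an added example written for this page; it is not code from the article, the law firm or any supervisory authority. It assumes a simplified reading of Article 12(3) GDPR in which "one month" means the same calendar day of the following month (clamped to the month's last day), that the two-month extension must be recorded within the initial month and only once, and it uses constructed request identifiers and dates. The retention-hold check reflects the lesson of the deleted call recording: data covered by an open request must not be purged merely because its normal retention period has ended.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Statutory periods from Article 12(3) GDPR: one month to respond,
# extendable by two further months where necessary.
RESPONSE_MONTHS = 1
EXTENSION_MONTHS = 2


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month.
    Simplifying assumption: 'one month' is the same day of the next month
    (or the last day of that month if it is shorter)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class AccessRequest:
    request_id: str                    # hypothetical internal reference
    received: date
    completed: Optional[date] = None
    extended: bool = False
    audit_log: List[Tuple[date, str]] = field(default_factory=list)

    def log(self, when: date, event: str) -> None:
        """Append an entry to the auditable trail of actions taken."""
        self.audit_log.append((when, event))

    def deadline(self) -> date:
        months = RESPONSE_MONTHS + (EXTENSION_MONTHS if self.extended else 0)
        return add_months(self.received, months)

    def is_open(self) -> bool:
        return self.completed is None

    def is_overdue(self, today: date) -> bool:
        return self.is_open() and today > self.deadline()

    def extend(self, today: date, reason: str) -> bool:
        """Extension with reasons must be notified within the initial month
        and is recorded only once; a late attempt is refused and logged."""
        if self.extended or today > add_months(self.received, RESPONSE_MONTHS):
            self.log(today, f"extension refused: {reason}")
            return False
        self.extended = True
        self.log(today, f"extended by two months: {reason}")
        return True

    def complete(self, today: date) -> None:
        self.completed = today
        self.log(today, "copy provided to data subject")


def may_delete(req: AccessRequest, retention_expiry: date, today: date) -> bool:
    """Retention hold: data subject to an open access request is kept even
    after its normal retention period has expired."""
    return today >= retention_expiry and not req.is_open()


def overdue_report(requests: List[AccessRequest], today: date) -> List[str]:
    """Daily backlog check: ids of open requests that have passed their deadline."""
    return sorted(r.request_id for r in requests if r.is_overdue(today))


def run_demo() -> dict:
    """Constructed sample register; returns plain values for inspection."""
    today = date(2024, 3, 5)
    a = AccessRequest("DSAR-0001", received=date(2024, 1, 31))
    b = AccessRequest("DSAR-0002", received=date(2024, 2, 10))
    b.extend(date(2024, 2, 20), "large volume of call recordings to review")
    c = AccessRequest("DSAR-0003", received=date(2024, 1, 20))
    c.complete(date(2024, 2, 12))
    late_extension = a.extend(today, "attempted after the one-month deadline")
    return {
        "deadline_a": a.deadline().isoformat(),
        "deadline_b": b.deadline().isoformat(),
        "late_extension_allowed": late_extension,
        "overdue": overdue_report([a, b, c], today),
        "delete_a": may_delete(a, date(2024, 3, 1), today),
        "delete_c": may_delete(c, date(2024, 3, 1), today),
        "events_a": len(a.audit_log),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the constructed register, request DSAR-0001 was received on 31 January and is overdue on 5 March because no extension was recorded in time, so the retention hold blocks deletion of its data even though the three-month retention date has passed; DSAR-0003 was fulfilled, so its data may be purged on schedule.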
Organizations should also prioritize the development of structured response templates that facilitate consistency and legal accuracy in communications with data subjects. Structured templates can significantly reduce the likelihood of errors or omissions that could otherwise expose the organization to regulatory sanctions.
Alongside these efforts, it’s essential to regularly train employees who handle personal data. They need to clearly understand their responsibilities and feel confident responding quickly and correctly when a request comes in. Building this kind of awareness helps create a culture where data protection becomes part of everyday work, not just something done after a problem arises.
Finally, harmonizing internal communication between customer service teams, legal departments, and Data Protection Officers (DPOs) is crucial. Consistent coordination among these units ensures that responses are prompt, accurate, and fully aligned with GDPR requirements. A siloed approach can lead to miscommunication, delays, and ultimately, compliance failures.
Managing the right of access is not just about ticking a legal box; it shows real respect for people’s rights and builds a strong reputation for the organization. Companies that focus on being open and responsible earn trust, not just from regulators, but also from their customers and business partners. As data privacy becomes more important in every industry, the organizations that treat it seriously and set a good example will be the ones that stand out and succeed in a world where privacy really matters.
How can we help
Our law firm helps organizations navigate the right of access under the GDPR with confidence and precision. We provide legal advice and representation in handling Data Subject Access Requests (DSARs), ensuring your responses are accurate, timely, and fully compliant with regulatory requirements. Our services include drafting and reviewing access request policies, preparing structured response templates to reduce risk, and assisting in communications with the Office of the Commissioner for Personal Data Protection. Whether you need support in a specific case or want to build a robust, proactive compliance framework, we are here to help you safeguard your organization and strengthen trust with your clients and regulators.