NOYB analysis finds most data access requests under GDPR not properly handled

noyb (None of Your Business), a digital rights organisation, has published an analysis showing that most requests by individuals to access their personal data are not properly handled by companies.

Under the General Data Protection Regulation (GDPR), individuals have the right to request information about how their personal data is being processed. This right of access is often used to verify whether data is accurate or handled lawfully.

According to noyb’s analysis of 121 cases since 2018, only 16.5% of access requests received a satisfactory response. The majority were either incomplete (53.7%) or received no response at all (nearly 30%), meaning that 83.5% did not meet legal requirements.

The findings are presented in the context of ongoing discussions around proposed changes to the GDPR under the so-called Digital Omnibus initiative. The proposal includes potential limitations to the right of access, based on claims that the right is being misused.

noyb disputes this argument, stating that the main issue is not excessive use of access requests, but a lack of compliance by companies. The organisation also points to examples involving large technology firms, where repeated requests and follow-ups did not result in complete responses.

The analysis also references survey data indicating that most Data Protection Officers do not consider access requests to be a significant administrative burden.

The proposed changes to the GDPR are still under discussion in EU institutions, including the European Parliament and the Council. The debate reflects differing views on how to balance administrative requirements for companies with the protection of individuals’ data rights.