Making GDPR access rights workable in practice, reducing the burden on undertakings
Position paper on the proposed amendments to the GDPR in the European Commission’s Digital Omnibus
March 2026
Summary
With its proposals concerning the General Data Protection Regulation (GDPR) in the Digital Omnibus, the European Commission rightly addresses a problem that has existed since its entry into force in 2018: strategic requests for access by employees tie up considerable human and financial resources of employers, as they often concern large volumes of data accumulated over many years. Small and medium-sized enterprises (SMEs) in particular are often overwhelmed, as they lack the personnel and resources to handle such requests. This constrains entrepreneurial freedom and puts productivity at risk. While the Commission’s proposals to amend the GDPR contain important impulses, they fall short of the practical requirements of employee data protection. While the fair handling of employee data is an established and undisputed principle, the Regulation must be improved in a targeted manner to ensure its practical effectiveness:
- Employee data protection must be regulated uniformly across Europe; national derogations must be brought to an end.
- The conditions under which a request for access is considered excessive or otherwise abusive should be clearly defined in Article 12(5) GDPR. In addition, Recital 35 of the Digital Omnibus should be further clarified as guidance.
- Data that employees have themselves created or received must be excluded from the right of access under Article 15 GDPR.
- Information to be provided by the controller at the time of data collection pursuant to Articles 13 and 14 GDPR must be capable of being provided in electronic form.
- For data processing within a group of undertakings, Article 6 GDPR (lawfulness of processing) must provide for a group privilege, including a rebuttable presumption of a legitimate interest.
Abuse can be effectively prevented by adapting the Regulation, provided that the right of access is clearly defined and practicable procedures are available to controllers. This protects employees’ rights, relieves SMEs and strengthens trust in data protection. At the same time, targeted clarifications for data processing within a group of undertakings should facilitate the practical application of the GDPR.
The complete Posiion paper is available for download in the right-hand margin.
Contact:
BDA | German Employers
Confederation of German Employers' Associations
EU Transparency Register: 7749519702-29
BDA is the central business association organising the social and economic policy interests of the entire German economy. We pool the interests of one million businesses with around 30,5 million employers. These businesses are associated with BDA through voluntary membership of employer associations.
