EDPB Publishes CEF Report on the Right to Erasure

The European Data Protection Board (“EDPB”) recently adopted a Report on its Coordinated Enforcement Framework (“CEF”) action on the right to erasure (Article 17 GDPR) (“the Report”). The EDPB selected this topic, as it is one of the most frequently exercised GDPR rights and has given rise to many complaints to Data Protection Authorities (“DPAs”) across the EEA, and a growing number of decisions from DPAs. For 2026, the CEF intends to focus on companies’ compliance with the transparency and information obligations in Articles 12-14 GDPR.

The Report notes that 32 DPAs across Europe took part in the CEF concerning compliance with the right to erasure. Following the CEF, nine DPAs commenced new formal investigations or continued ongoing investigations, whilst 23 DPAs carried out fact-finding exercises. A total of 764 controllers across Europe responded to the CEF action, ranging from small and medium-sized enterprises (“SMEs”) to big companies active in many different industries and fields, as well as various types of public entities.

In this article, we look at the key findings of the Report, including the recurring challenges that controllers are facing in regard to the right to erasure.

Background

The right to erasure is not an absolute right, and the Report highlights how some controllers face difficulties in assessing and applying the conditions for the exercise of this right, including in carrying out the different balancing tests between the right to erasure and other rights and freedoms. The Report also notes that there are several pending referrals before the Court of Justice of the EU (“CJEU”) to further clarify the conditions to exercise the right of erasure, and the exceptions allowing controllers to reject erasure requests.

At the date of publication of the CEF Report, more than 500 final decisions relating to the right to erasure are available in the EDPB register of one-stop-shop (“OSS”) final decisions. A case digest was published in 2023 to summarise the main findings of some of these OSS decisions, and to assist controllers with understanding their obligations in respect of the right to erasure. The Report notes that this case digest is currently being updated with more recent decisions.

Methodology of the CEF action

The Report notes that participating DPAs agreed on a questionnaire covering a range of topics relating to the right to erasure, from the internal request-handling process put in place to the implementation of the exceptions to the right of erasure and the steps taken to inform other controllers and data recipients about the erasure request. In addition, the questionnaire included a number of open questions, allowing DPAs to gain a deeper insight into the compliance of controllers with this right.

Areas for improvement

The Report identifies seven recurring challenges for controllers in implementing the right to erasure across the EU, and non-binding recommendations in respect of each issue, as set out below. The EDPB noted that the issues identified in the Report mirror the findings from the CEF’s 2024 work on the right of access under Article 15 GDPR, for example a lack of appropriate internal procedures to handle requests, and a lack of sufficient information provided to data subjects. In addition, participating DPAs reported specific findings related to the reliance by some controllers on inefficient anonymisation techniques to handle erasure requests as an alternative to deletion. DPAs also noted inconsistent practices and difficulties faced by controllers regarding the determination of retention periods and the deletion of personal data in back-ups.

While the CEF assessed the overall level of compliance of the responding controllers as being “average” (depending on factors such as the size of the controller, the number of erasure requests received and its sector), the Report notes that larger organisations generally receive a higher number of erasure requests and tend to have more formalised and structured internal procedures, including technical and organisational measures, to ensure compliance with requests exercising the right to erasure.

Seven recurring challenges and CEF Recommendations

Issue 1: Absence of a documented and updated internal procedure to handle erasure requests – The Report notes that while the GDPR does not explicitly require controllers to adopt a particular procedure for handling erasure requests, a clear and efficient process helps ensure controllers respond within the statutory deadline and in an adequate manner. In addition, a documented procedure helps controllers to demonstrate compliance with their GDPR obligations, in line with the accountability principle (Articles 5(2) and 24 GDPR). The absence of such a procedure means that requests may be handled subjectively and inconsistently.

CEF Recommendation: DPAs / EDPB should consider providing further templates and guidance to assist controllers in handling erasure requests. In addition, controllers should map personal data and storage locations (including, where possible, by relying on their Record of Processing Activities (“ROPA”)) to have a clear overview of which personal data falls within scope, and where to search upon receipt of an erasure request.

Issue 2: Absence of, or inadequate, staff training – In many cases data protection training is either not conducted regularly or limited to general sessions on an annual basis. The Report notes that this leads to difficulties in staff correctly identifying and handling erasure requests. Insufficient training may also result in important legal exceptions or requirements not being identified until too late. In addition, inconsistent handling of erasure requests may also undermine trust in the controller’s data protection practices.

CEF Recommendation: Controllers should raise awareness and provide resources to enable regular role-specific training using various formats (e.g. in-person training with e-learning tools and programmes for self-study).

Issue 3: Insufficient information provided to data subjects – The CEF found that controllers provided insufficient information relating to the conditions for exercising the right to erasure, and on the process for submitting an erasure request (e.g. who to contact and which communication channel(s) to use). Furthermore, some controllers do not provide justifications when refusing to grant an erasure request, or inform data subjects about the possibility of lodging a complaint with the competent DPA and seeking a judicial remedy if they do not take action regarding the request.

CEF Recommendation: DPAs / EDPB should consider making a template form available that data subjects could use to exercise their right to erasure, or give more visibility to existing templates. In addition, controllers should review and, if necessary, update their privacy notices to ensure that data subjects receive clear and understandable information on the scope of the right of erasure and how to exercise it. A best practice implemented by some controllers is to publish FAQs and use help centres and/or web forms to make it easier for data subjects to understand the right to erasure and submit a request.

Issue 4: Misuse of and legal uncertainty on the exceptions to deny erasure requests – Several DPAs demonstrated uncertainty or inconsistency in applying the exceptions under Article 17(3) GDPR. In cases where erasure requests are lawfully denied under Article 17(3) GDPR, some controllers do not consistently implement measures to ensure continued compliance with the data protection principles in Article 5 GDPR, such as data minimisation, storage limitation, and security of data. This in turn can lead to the continued risk of improper use or access to personal data.

CEF Recommendation: DPAs / EDPB should consider adopting further practical targeted guidance and clarification on the correct application of the exceptions to deny erasure requests. In addition, controllers should ensure that compliance or legal teams are involved in decision-making processes concerning the refusal or postponement of erasure requests. Controllers should also document legal reasonings and justifications in writing when relying on exceptions to the right to erasure.

Issue 5: Difficulties in defining and implementing data retention periods – The principle of storage limitation is linked to the exercise of the right to erasure. For instance, one of the grounds allowing data subjects to exercise this right is when a controller is subject to a national or EU legal obligation requiring it to erase data (Article 17(1)(e) GDPR). In addition, controllers can reject an erasure request to the extent that it is necessary to process the concerned personal data for compliance with a legal obligation (Article 17(3)(b) GDPR). The Report highlights that this presupposes that controllers are clear about their need to retain the relevant personal data (if any) and the applicable retention period.

CEF Recommendation: DPAs / EDPB should consider adopting further practical guidance on how to define and implement retention periods, also taking into account national legal obligations. In addition, controllers should maintain a data retention policy and specify any applicable legal obligations justifying the retention of personal data for a defined period.

Issue 6: Deletion of personal data in the context of back-ups – The CEF found that many controllers do not have specific procedures and measures in place to handle erasure requests in the context of back-ups, relying on either automatic deletion measures (not specific to the erasure request received) or on the implementation of retention periods applicable to the concerned back-ups.

CEF Recommendation: DPAs / EDPB should consider adopting further guidance explaining how controllers should practically deal with erasure of personal data stored in back-ups, and what “without undue delay” means in this context. In addition, controllers should follow established standards to erase and destroy data in a secure and structured manner.

Issue 7: Difficulties with anonymisation to respond to erasure requests – The CEF found that a common practice amongst responding controllers is relying upon anonymisation as a substitute for a permanent deletion of personal data. This approach is frequently adopted where controllers wish to retain data for analytical and statistical purposes. However, controllers have expressed a need for clearer guidance on what legally constitutes anonymisation. The Report notes that the EDPB is currently working on Anonymisation Guidelines, taking into account recent clarifications provided by the CJEU in its EDPS v SRB ruling (Case C-413/23P).

CEF Recommendation: DPAs / EDPB should consider continuing to issue practical actionable guidance on this subject. In addition, they should consider providing more guidance to help controllers ensure that personal data is truly anonymised, to the extent that it can no longer be linked to an identifiable individual.

Actions taken by DPAs relating to the right to erasure / DPC Findings

The Report notes that several participating DPAs had already imposed fines against controllers concerning the right of erasure prior to the launch of this CEF. For example, the Finnish DPA issued a fine of €75,000 against a private parking enforcement company for failure to delete personal data once no longer necessary for the purposes for which it was collected.

In addition, several DPAs had issued compliance or erasure orders, obligating controllers to erase personal data of data subjects. For instance, the Maltese DPA issued a compliance order to a vehicle insurer to erase personal data relating to a data subject who never entered into an insurance contract with it but only requested a quotation, stating that no legislation requiring the controller to keep the data existed. Following this CEF action, nine DPAs launched or continued formal investigations.

Findings of Irish DPC

The Report notes that following the CEF, the Irish Data Protection Commission (“DPC”) is planning to continue to engage with controllers informally regarding their responsibilities under Article 17 GDPR.

Most controllers have procedures in place to deal with erasure requests

Overall, the DPC found that the majority of responding controllers have some level of process in place for responding to erasure requests. The complexity of the procedures in place largely depends on the nature and size of an organisation, the complexity of the data procedures, and the volume of erasure requests received. However, most controllers had basic processes in place, as well as plans to acknowledge and track the requests received. One of the best practices which the DPC observed was the use of clearly defined retention policies by controllers when responding to erasure requests, and the use of designated teams to deal with such requests.

Difficulties with responding within statutory time-limit

A minority of responding controllers reported issues with responding to or taking action on erasure requests within one month as required by Article 12(3) GDPR. In particular, the need to consult with multiple stakeholders and gather additional information appears to create a greater potential for delayed action in response to an erasure request. Many of the issues identified could, in the DPC’s view, be addressed through the use of simple tools, such as the use of templates for the submission of erasure requests, and more specific procedures for processing such requests.

Common exceptions relied on to refuse requests

Interestingly, the DPC found that one of the most commonly applied exceptions relied on by controllers when refusing an erasure request is “compliance with a legal obligation”. Whilst in some instances the provisions of law that support these refusals are well established and supported by judicial decisions, the DPC noted that in other cases controllers rely on their institutional understanding of the application of the particular act or regulation that forms the basis of their refusal. In this regard, the DPC noted that there is a potential that the lack of correct interpretation of the legal obligation may lead to inappropriate denials of erasure requests. Accordingly, the Irish DPC noted that additional sector-specific guidance and/or consultation would be useful in ensuring controllers are responding appropriately to erasure requests.

Enforcement Actions

The Report notes that prior to launching the CEF 2025, the DPC had led various complaint-based examinations, with most being amicably resolved. Such amicable resolution involved the controller either agreeing to delete further personal data or providing a detailed explanation to the data subject regarding the reason for the retention of their personal data, and the data subject being satisfied with same.

The DPC has received over 3,0000 complaints relating to the right to erasure since the GDPR came into force in May 2018. The DPC notes that each examination of a complaint related to the right to erasure is unique. As a result, it is not possible to quantify exactly how long the examination of any individual complaint will take.

The Report states that no enforcement action had been taken by the DPC in regard to the right to erasure at the time of compiling the Report. However, the DPC is considering enforcement in relation to a number of complaints. In particular, the Report notes that the DPC’s own-volition inquiry into MTCH Technology Services Limited (Tinder) is still ongoing.

The DPC proposes that the EDPB develop additional in-depth guidance on the right to erasure, including sector-specific sections, and offer examples of best practices for controllers, to assist with their compliance with the right to erasure.

Contact Us

For more information please contact Technology and Innovation partner Davinia Brennan or any member of our Technology and Innovation Group.