EDPB report highlights challenges in implementing the right to erasure

Brussels, 18 February - The European Data Protection Board (EDPB) adopted a report on its Coordinated Enforcement Framework (CEF) action regarding the right to be forgotten (Art.17 GDPR). This topic was chosen as it is a frequently exercised GDPR right, often leading to DPA complaints. The action aims to ensure effective exercise of the right to erasure by individuals in Europe. It also seeks to understand how controllers comply with this right in practice. The EDPB identified good practices and key challenges, intending to offer further guidance on this important topic. In 2025, 32 DPAs across Europe participated in this initiative. Nine DPAs started new investigations or continued existing ones. Additionally, 23 DPAs conducted fact-finding exercises. A total of 764 controllers responded, including SMEs, large companies, and public entities from diverse industries. The results of these national actions have been aggregated and analysed together allowing for targeted follow-up on both national and EU level. Areas of improvement and main challenges The report lists the issues that were identified, along with a series of recommendations addressed to controllers, to help them implement the right to erasure. DPAs identified seven recurring main challenges. These results confirmed findings from the 2024 right of access action, such as inadequate internal procedures for requests and insufficient information for individuals. Some controllers relied on inefficient anonymisation instead of deletion for erasure requests. DPAs also noted inconsistent practices and difficulties in determining retention periods and deleting data from backups. In addition, as the right to erasure is not an absolute right, some controllers face difficulties in assessing and applying the conditions for the exercise of this right, including in carrying out the different balancing tests between the right to erasure and other rights and freedoms. Extensive national guidance, documents, and templates assist controllers in complying with the right of erasure. They also help individuals exercise this right effectively. In line with the Helsinki Statement, aiming for easier GDPR compliance and consistent enforcement, national guidance will be leveraged at EDPB level. Background and next steps The CEF is a key action of the EDPB under its 2024-2027 Strategy, aimed at streamlining enforcement and cooperation among DPAs. In 2023, the EDPB published the report on its first coordinated action on the use of cloud-based services by the public sector. In 2024, the EDPB also published the report on the outcome of the second coordinated action on the designation and position of Data Protection Officers. In 2025, the EDPB issued the report on its third coordination action on the implementation of the right of access. The CEF 2026 action will be on the obligations of transparency and information under the GDPR.