Enhancing compliance with the right to erasure: insights from EDPB’s 2025 coordinated enforcement action

In February 2026, the European Data Protection Board (EDPB) published the results of its 2025 Coordinated Enforcement Action (CEF), which focused on how organisations implement the right to erasure under Article 17 of the GDPR. This investigation, involving 32 supervisory authorities (SAs) across the European Economic Area (EEA), assessed the compliance of 764 controllers, ranging from micro-enterprises to large organisations across multiple sectors, including public administration, healthcare, finance, and retail. The findings provide valuable insights into recurring compliance issues and best practices in the enforcement of the right to erasure.

🗑️ Volume of Erasure Requests

While 70% of controllers processed fewer than 10 erasure requests per year, 42% of organisations processed personal data of vulnerable subjects, who are more likely to exercise the right to erasure. This underscores the importance of effective erasure procedures for organisations handling sensitive personal data.

Interestingly, parents or guardians of vulnerable individuals, especially children and elderly persons, were disproportionately the ones exercising the right to erasure. This highlights the importance of addressing specific needs of vulnerable groups in data protection practices.

🎯 Challenges in Handling Erasure Requests

1. Absence of Documented Procedures

A significant challenge identified was the lack of structured internal procedures for handling erasure requests, with 17 SAs highlighting this issue. The absence of a formal procedure often led to inconsistent practices in handling requests, with some organisations excluding certain types of data, such as email records and backup data, from the scope of erasure without proper justification.

Recommendation: Organisations are encouraged to map personal data and storage locations, using tools like the Record of Processing Activities (ROPA) to ensure that all relevant data can be identified when responding to requests.

2. Inadequate Staff Training

Many organisations failed to provide adequate, role-specific training to staff handling erasure requests. This often resulted in missed deadlines, incomplete deletions, and limited awareness of the exceptions under Article 17(3). In some cases, controllers did not provide staff with clear guidance on when and how to apply the legal exceptions that permit denying erasure requests.

Recommendation: The report calls for regular, role-specific training, including practical scenarios that explain the correct handling of erasure requests and the legal conditions for applying exceptions.

3. Legal Uncertainty Regarding Exceptions

Another challenge was the frequent misuse or legal uncertainty surrounding the exceptions to erasure under Article 17(3) GDPR. Some organisations were found to apply these exceptions automatically, without a case-by-case assessment. This was especially evident where requests were rejected on the basis of the “freedom of expression” or “legal obligation” exceptions.

Recommendation: Supervisory authorities recommend that controllers document their reasoning when applying exceptions and ensure that compliance or legal teams are involved in decision-making to prevent arbitrary rejections.

🧬 Sector-Specific Findings (Life Sciences & Healthcare)

For organisations handling sensitive health data, particularly in clinical research, the right to erasure intersects with stringent data retention obligations. The report suggests that many controllers in the healthcare sector face challenges in balancing these legal retention requirements with the right to erasure, especially when retention obligations are tied to ongoing research or regulatory frameworks.

Recommendation: For life sciences, it is critical to document how retention periods and legal obligations are integrated with data subject rights, and to ensure data processing complies with the GDPR’s storage limitation principle.

✅ Best Practices

🔹 Clear Internal Procedures

Larger organisations, particularly in the private sector, demonstrated better compliance by implementing formal procedures for handling erasure requests. These organisations often use automated systems to record and track erasure requests, which help ensure compliance with GDPR’s one-month response deadline.

🔹 Transparency with Data Subjects

Controllers who performed well were transparent in their communications with data subjects, providing clear instructions on how to exercise their right to erasure and offering multiple channels for submitting requests, such as online forms, email, and dedicated portals.

🔹 What This Means for Your Organisation

The EDPB’s 2025 CEF action serves as a valuable reminder for all organisations, especially those in regulated sectors like healthcare and finance, to evaluate their data protection procedures and ensure compliance with the right to erasure. Specifically:

  • Develop and Update Procedures: Establish a clear, documented process for handling erasure requests if one does not already exist. Ensure all staff members are trained and have the necessary resources to identify and process such requests efficiently.
  • Implement Robust Data Mapping: Conduct data mapping exercises regularly to ensure that all relevant data is identified when responding to erasure requests. This is particularly critical for organisations dealing with large volumes of sensitive data.
  • Ensure Legal Consistency: Refuse erasure requests only after assessing each case on its own merits. Ensure that legal teams are involved in the decision-making process to prevent inconsistent applications of exceptions.

👀 Looking Ahead

The EDPB plans to continue raising awareness and providing guidance on the right to erasure. In the meantime, organisations should use the CEF findings as an opportunity to review their data retention and erasure request frameworks and strengthen compliance mechanisms to uphold data subject rights.

Author: Ibrahim Yalvac 
