EDPB report on the right to erasure: Key takeaways from the 2025 Coordinated Enforcement Action and what controllers must do now

When 32 data protection authorities (DPAs) across Europe spend a year scrutinizing how organizations handle requests to delete personal data, the results demand attention. The European Data Protection Board's newly released report on its 2025 Coordinated Enforcement Framework (CEF) action reveals: most organizations are doing just enough to get by - and many are falling short.

Published in mid-February 2026, this fourth coordinated enforcement initiative examined how controllers implement the right to erasure under Art. 17 GDPR. The findings are drawn from responses by 764 controllers - spanning small and medium enterprises (SMEs) to multinational corporations, across industries and the public sector. Nine DPAs launched formal enforcement investigations. Twenty-three conducted fact-finding exercises. The message is clear: erasure compliance is now firmly in regulators' crosshairs.

The EDPB's overall assessment: Compliance is "average"

That's diplomatic language for a landscape riddled with inconsistency. Larger organizations generally have more formalized procedures, while smaller entities often lack basic documentation. Private-sector controllers outperform their public-sector counterparts, with clearer processes and more frequent staff training.

EDPB: Seven key takeaways

The report identifies seven systemic weaknesses that cut across sectors and organization sizes - issues that expose companies to regulatory action, reputational damage, and mounting complaint volumes.

Absence of documented internal procedures

Inadequate internal procedures emerged as a central concern: as many as 17 DPAs raised concerns about controllers lacking documented procedures for handling erasure requests or having incomplete processes that are only reviewed reactively. In the private sector, 85% of organizations regularly review their Art. 17 GDPR procedures, compared to only 25% in the public sector.

Inadequate staff training

Training deficiencies remain widespread, with approximately 20% of controllers providing no regular refresher training on data protection matters. This can lead to failures in recognizing when data subjects are exercising their right to erasure, resulting in missed legal deadlines, incorrect handling, or important legal exceptions being overlooked.

Insufficient information provided to data subjects

Thirteen DPAs noted that some controllers provide insufficient information to data subjects with respect to the right to erasure. Controllers frequently fail to explain clearly how to submit an erasure request, the conditions for exercising the right, and what happens if a request is refused. Some controllers do not inform data subjects of their right to lodge a complaint with a DPA or seek judicial remedy.

Misapplication of legal exceptions

The report highlights misapplication of exceptions under Art. 17(3) GDPR. Controllers demonstrated uncertainty and inconsistency in applying exceptions - particularly the "compliance with a legal obligation" ground - sometimes treating them as automatically applicable without conducting case-by-case assessments. Where exceptions are relied upon, some controllers fail to implement ongoing data protection measures such as data minimization, storage limitation, and security. Some controllers also demonstrate a lack of understanding when balancing interests under Art. 17(3)(c) GDPR, refusing erasure requests on the grounds of legitimate interest without proper assessment or documentation of the balancing test.

Difficulties defining and implementing retention periods

Retention period challenges pose significant practical difficulties. Controllers struggle to define clear retention periods and communicate them in privacy notices. Retention periods can stem from a variety of European or national laws or regulations, which can be general or sector-specific and are phrased very differently. For example, one controller was unable to distinguish the appropriate retention periods for different processing operations and instead applied the longest period applicable to one processing activity to all of them - a common legacy system issue. This practice is fundamentally at odds with the principles of data minimization and storage limitation.

Deletion of personal data in back-ups

Regarding back-up data, half of the responding DPAs raised concerns that many controllers have no specific procedures for erasure in this context. Some controllers do not delete or remove personal data from back-ups at all, nor do they have processes to prevent previously deleted data from being restored when back-ups are reinstalled. DPAs have expressly requested EDPB guidance on back-up erasure, signaling this will be a supervisory focus area.

Reliance on ineffective anonymization techniques

Finally, the EDPB identified issues regarding the reliance on anonymization as a substitute for permanent deletion of personal data. Many anonymization techniques deployed by controllers are weak or amount to mere pseudonymization, leaving re-identification risks. Controllers have expressed a need for clearer guidance on what legally constitutes anonymization. The EDPB is currently working on Guidelines on anonymization, taking into account the recent CJEU ruling in EDPS v SRB (Case C-413/23P), which will be critical for controllers relying on anonymization as an erasure alternative.

Rising complaint volumes signal enforcement focus

Complaint statistics underscore the importance of the right to erasure. In the Netherlands, 580 complaints in 2024 (18.6% of total complaints) related specifically to the right to erasure - the largest single complaint category for the Dutch DPA. In Ireland, over 3,000 erasure-related complaints have been filed since May 2018, with a slight upward trend. Spain has received over 7,000 erasure complaints since the GDPR came into force, representing approximately 8% of total complaints. Slovenia reported that Article 17 complaints rose from 4% of all complaints in 2020 to 19% in 2024 - a steadily increasing relative share.

Existing guidance and requests for further EDPB action

The CEF highlights that extensive guidance documents and templates already exist at national level to help controllers comply with the right to erasure. Several DPAs have published general and targeted guidance, including factsheets, webpages, data erasure request forms, podcasts, virtual assistants, and online toolkits for SMEs.

Despite this wealth of national guidance, several DPAs have called for further action at the EDPB level regarding comprehensive guidelines on the right to erasure.

Outlook: More regulatory scrutiny, controllers should act now

The findings of the EDPB report are not surprising. The challenges surrounding the right to erasure - including underdeveloped internal procedures, inadequate staff training, and uncertainty regarding exceptions - have long been known to data protection practitioners. 

However, this report puts a spotlight on two particularly persistent and consequential weaknesses: (i) the absence of systematic internal data classification and (ii) the lack of automated deletion labels within organizations' IT systems. These deficiencies impede both the effective handling of individual erasure requests and the proactive, timely deletion of personal data required to uphold the principles of data minimization and storage limitation under Art. 5(1)(c) and (e) GDPR.

Organizations should take note: Multiple DPAs - including CNIL, the Portuguese CNPD, and the Swedish IMY - have indicated that CEF findings will inform sector-specific inspections and supervisory planning in 2026. Nine DPAs launched or continued formal investigations as part of this CEF action, with ongoing enforcement proceedings in Ireland, France, Portugal, Slovenia, and Germany.

These developments signal heightened regulatory scrutiny in the area of data subject rights, which could translate into increased fine exposure for organizations that fail to address the identified compliance gaps. Based on the CEF results, many DPAs plan to carry out actions at national level to communicate and raise awareness with respect to the right to erasure, including publishing more online guidance, online training sessions, conferences, and workshops. A few DPAs will also consider adopting guidance targeted to specific sectors and services. 

Controllers are well-advised to monitor these developments closely and to conduct a gap analysis of their own Art. 17 GDPR compliance posture.