EDPB report highlights gaps in implementation of the right to erasure

The European Data Protection Board (EDPB) has adopted a report on its 2025 Coordinated Enforcement Framework (CEF) action focused on the right to erasure under Article 17 of the General Data Protection Regulation (GDPR). The right to erasure, also known as the ‘right to be forgotten,’ allows individuals to request the deletion of their personal data in certain circumstances.

The initiative involved 32 data protection authorities (DPAs) across Europe. Nine DPAs launched or continued formal investigations, while 23 carried out fact-finding exercises. In total, 764 data controllers, including small and medium-sized enterprises, large companies, and public bodies, participated in the review.

The EDPB’s analysis identified several recurring challenges. These include insufficient internal procedures for handling erasure requests, inadequate information provided to individuals, and inconsistent practices. Some controllers were found to rely on anonymisation techniques instead of deletion, and difficulties were reported in determining appropriate data retention periods and managing deletion in backup systems.

The report also notes that the right to erasure is not absolute, and organisations sometimes struggle to balance this right against other legal obligations or competing rights and freedoms.

The EDPB states that the findings will inform follow-up actions at both the national and EU levels. Existing national guidance and tools to support compliance may be further leveraged to promote more consistent implementation of the right to erasure across the EU.