EDPB launches 2025 coordinated action on the right to erasure under GDPR
The Coordinated Enforcement Framework is the EDPB’s strategic tool for fostering consistency in the interpretation and enforcement of GDPR across Europe.

The European Data Protection Board (EDPB) has officially launched its 2025 Coordinated Enforcement Framework (CEF) action, placing the spotlight on the implementation of the right to erasure – commonly known as the ‘right to be forgotten’ – under Article 17 of the General Data Protection Regulation (GDPR). This initiative, announced on 5 March 2025, is the fourth major coordinated action under the CEF mechanism and follows the 2024 focus on the right of access. With thirty national data protection authorities (DPAs) and the European Data Protection Supervisor (EDPS) participating, the effort signals a pan-European commitment to examine how this fundamental right is being applied in practice.
Why the right to erasure?
The EDPB selected the right to erasure during its October 2024 plenary meeting, citing its high volume of usage and the number of related complaints submitted to DPAs. As one of the most frequently exercised GDPR rights, it raises complex operational and legal questions, especially when data subjects seek deletion of their personal data across diverse digital systems and organisational structures.
How the CEF operates
The Coordinated Enforcement Framework is the EDPB’s strategic tool for fostering consistency in the interpretation and enforcement of GDPR across Europe. It enables multiple DPAs to examine a common topic simultaneously using harmonised methodologies, thereby identifying both systemic issues and divergent national practices. While rooted in a shared investigatory structure, the framework allows each authority to engage according to its mandate – through questionnaires, formal investigations, or follow-ups on ongoing cases. This flexibility accommodates national differences while enabling comprehensive analysis.
The legal and practical dimensions of Article 17
Article 17 of GDPR gives individuals the right to request the erasure of personal data under certain conditions, such as when data is no longer necessary for its original purpose or when processing has been unlawful. In some instances, data controllers are also independently required to delete data without a subject’s explicit request. Despite its clear legal basis, practical implementation often proves challenging due to technical constraints, organisational miscommunication, and procedural inconsistencies.
For example, difficulties arise in coordinating erasure between controllers and processors, particularly when roles and responsibilities are not clearly defined. Human error, such as misrouting or misclassifying requests, also continues to be a source of non-compliance, especially where manual systems are still in place. These recurring issues underscore why the EDPB has made this right the focus of its 2025 coordinated action.
Investigative scope and methodological approach
The 2025 action will evaluate how organisations manage and process erasure requests, with emphasis on the interpretation of Article 17’s conditions and exceptions. Authorities will assess whether erasure rights are truly actionable in practice and not merely theoretical. To do this, participating DPAs will employ a mix of tools: distributing fact-finding questionnaires, initiating targeted investigations, and reviewing prior enforcement cases. They will target a wide array of sectors and organisational types, allowing for comparative insights across industries and jurisdictions.
A central coordination effort – likely spearheaded by the EDPB Secretariat – will ensure the findings are consistent and can be meaningfully aggregated. Standardised instruments and shared evaluation frameworks will support a coherent approach, even as individual authorities tailor their actions to local contexts.
Challenges facing organisations
Many of the difficulties in implementing the right to erasure stem from technical architecture and organisational workflows. Systems that lack fine-grained deletion capabilities or that were not built with ‘privacy by design’ in mind often require costly workarounds or manual interventions. Meanwhile, procedural shortcomings – such as lack of employee training or absence of clear escalation paths – can lead to inconsistent or failed erasure processes. These issues are compounded when data processors mishandle requests or fail to communicate with controllers, a problem observed in past regulatory findings.
Privacy vs public interest
The erasure right, while central to individual privacy, must be weighed against competing legal and societal interests. These include freedom of expression, access to public records, legal obligations, and historical preservation. Article 17 explicitly carves out exceptions for these competing values, but applying them requires contextual judgement. The 2025 CEF action will explore how organisations manage this balance and whether they can make consistent, proportionate decisions when faced with erasure requests that touch on broader public concerns.
What comes next
Throughout 2025, the coordinated investigations will unfold across Europe. Participating DPAs will work independently but in tandem, with findings expected to be synthesised into a final report in early 2026. This report will likely highlight best practices, expose persistent challenges, and possibly recommend further regulatory or legislative actions.
For organisations, the message is clear: the spotlight on erasure practices is intensifying. This is an opportune moment to review and strengthen internal protocols, staff training, and technical capabilities related to data deletion. Doing so will not only support compliance but also build public trust in how personal data is handled and respected.