The European Data Protection Board (EDPB) has made the “right to erasure” focus of supervisory authority control and enforcement practice. Companies should better prepare to be ready.
What is the EDPB?
The European EDPB is an independent body that brings together the national data protection supervisory authorities of the EU Member States and the European Data Protection Supervisor. Its main task is to ensure the harmonized application of data protection rules within the European Union. This is achieved in particular through coordinated measures, guidelines and recommendations aimed at maximizing the effectiveness of the GDPR throughout the EU. This supranational cooperation is intended to ensure a coherent and harmonized level of data protection that optimizes the protection of personal data within the European legal area.
Sense of the measure
As part of the “Coordinated Enforcement Framework” (CEF), the EDPB annually selects a specific data protection topic that forms the focus of coordinated enforcement measures across the EU. This initiative serves the harmonized application and effective enforcement of the General Data Protection Regulation (GDPR) in the member states of the European Union. The national data protection supervisory authorities work closely together to ensure coherent and consistent enforcement.
Focus topic “Right to erasure”
The main topic for 2025 is the data subject’s right to erasure under Art. 17 GDPR. The right to erasure (“right to be forgotten”) under Article 17 of the General Data Protection Regulation (GDPR) grants data subjects the right to request the immediate elimination of their personal data. However, even independently of requests for erasure, companies must determine for each process for processing personal data how long personal data is required and may be retained before it must be erased. Realizing this for all processes and implementing it throughout the entire company IT can be a mammoth task and is the Achilles heel of many companies.
It is to be expected that data protection authorities will soon be increasingly approaching companies and scrutinizing this issue. This may take the form of new formal investigations as well as targeted investigations. In some cases, follow-up measures cannot be ruled out. In particular, the focus will be on examining how companies deal with and respond to incoming cancellation requests. This involves analyzing in detail whether and how the legal requirements and the exceptions provided for are complied with when implementing the right to erasure.
Effect of the CEF
The core element of the CEF is a questionnaire on the implementation of the “right to be forgotten”. The aim is to determine how stringently and effectively the right to be forgotten is implemented by the national authorities. The results of the joint initiative will be analyzed as part of the EDPB and published in a report upon completion.
The CEF Initiative 2025 makes it clear that the right to erasure remains a central pillar of data protection. Companies are confronted with the need to subject their erasure processes to increased regulatory scrutiny. The insights gained from this study could not only contribute to a more precise interpretation of the legal requirements, but also increase regulatory pressure on companies to consistently implement erasure strategies that comply with data protection regulations. In this context, the discussion about the appropriate balance between individual data protection rights and economic interests is likely to become even more important and increasingly complex and dynamic.
In Germany, the state data protection supervisory authorities from Baden-Württemberg, Brandenburg, Mecklenburg-Western Pomerania, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate and the Federal Commissioner are taking part.
What you should do now
Of course, the question then arises as to how the subject matter of the CEF, the “right to be forgotten”, is to be implemented in practice. Companies should pay particular attention to the following.
- Processes for handling deletion requests: Companies should develop clear, efficient processes to process deletion requests quickly and in compliance with data protection regulations.
- Documentation: Each request and the decisions made should be well documented in order to be able to prove that the request was handled properly in the event of an audit by the data protection authorities.
- Check exceptions: Companies must carefully check whether the data falls under the exceptions and ensure that no legal obligations or legitimate interests prevent the processing.
- Ensuring data erasure: Companies must take technical and organisational measures to ensure that personal data is erased completely and irrevocably where necessary.
Overall, companies should take proactive measures to ensure that they fulfil the requirements of Art. 17 GDPR, as violations of the erasure obligations can lead to severe fines.
Conclusion
As part of the “Coordinated Enforcement Framework” (CEF), increased scrutiny and harmonization of erasure practices is expected. Companies are therefore increasingly required to align their erasure processes not only legally, but also organizationally and technically for maximum efficiency and compliance.
In view of the growing regulatory pressure and the potential sanctions in the event of violations, precise compliance with data protection erasure requirements is increasingly becoming a key factor in companies’ risk management. In order to meet the complex requirements, companies must continuously review and adapt their internal processes, whereby careful documentation and the immediate and irrevocable deletion of personal data are essential prerequisites for maintaining GDPR compliance and the trust of data subjects.
Feel free to contact us if we can help you with this or if you have any questions.
