The European Data Protection Board (EDPB) has adopted a report on its Coordinated Enforcement Framework (CEF) action on the right to be forgotten (Art.17 GDPR). The Board selected this topic as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals.
The main objectives of this coordinated action are to ensure that the right to erasure is effectively exercised by individuals in Europe and understand how controllers comply with this right in practice. In addition, the EDPB identified good practices and the most important related challenges, with the aim of providing further guidance on this topic.
Throughout 2025, 32 DPAs across Europe took part in this initiative. More specifically, 9 DPAs have initiated new formal investigations or have continued ongoing ones, and 23 DPAs carried out a fact-finding exercise. A total of 764 controllers across Europe responded to the action, ranging from small and medium-sized enterprises (SMEs) to big companies active in many different industries and fields, as well as various types of public entities.
The results of these national actions have been aggregated and analysed together allowing for targeted follow-up on both national and EU level.
Areas of improvement and main challenges
The report lists the issues that were identified, along with a series of recommendations addressed to controllers, to help them implement the right to erasure.
Seven recurring main challenges were identified by DPAs. The results confirmed some of the findings of the 2024 coordinated action on the right of access, for example when it comes to the lack of appropriate internal procedures to handle requests, or the lack of sufficient information provided to individuals. In addition, participating DPAs reported specific findings related to the reliance by some controllers on inefficient anonymisation techniques to handle erasure requests as an alternative to deletion. DPAs also noted inconsistent practices, and the difficulties faced by controllers regarding the determination of retention periods and the deletion of personal data in the context of back-ups.
In addition, as the right to erasure is not an absolute right, some controllers face difficulties in assessing and applying the conditions for the exercise of this right, including in carrying out the different balancing tests between the right to erasure and other rights and freedoms.
Follow-up to help organisations comply
Extensive guidance, documents and templates exist at national level to help controllers comply with the right of erasure and help individuals exercise this right. In line with the Helsinki Statement’s objectives of making GDPR compliance easier and ensuring consistent interpretation and enforcement across Europe, the extensive guidance and templates already available at national level will be leveraged at EDPB level where appropriate.
Background and next steps
- The CEF is a key action of the EDPB under its 2024-2027 Strategy, aimed at streamlining enforcement and cooperation among DPAs.
- In 2023, the EDPB published the report on its first coordinated action on the use of cloud-based services by the public sector.
- In 2024, the EDPB also published the report on the outcome of the second coordinated action on the designation and position of Data Protection Officers.
- In 2025, the EDPB issued the report on its third coordination action on the implementation of the right of access.
- The CEF 2026 action will be on the obligations of transparency and information under the GDPR.