Privacy
1 min read
  • privacy
  • governance
  • compliance
  • data-rights

EDPB says right to erasure is still being undermined by weak controller practices

A coordinated European enforcement action found recurring problems with how organisations handle GDPR erasure requests, including weak procedures, inconsistent deletion practices, and difficulties around backups and anonymisation.

Summary

The European Data Protection Board says its coordinated 2025 enforcement action on the GDPR right to erasure found recurring weaknesses in how controllers handle deletion requests in practice. The findings suggest the issue is not a lack of awareness of the right itself, but persistent operational difficulty in implementing it consistently.

What happened

On 18 February 2026, the EDPB announced that it had adopted a report on its Coordinated Enforcement Framework action concerning the right to be forgotten under Article 17 GDPR. Thirty-two data protection authorities participated, with nine launching or continuing formal investigations and twenty-three carrying out fact-finding exercises. A total of 764 controllers responded across Europe, including SMEs, large companies, and public bodies.

The Board said participating authorities identified seven recurring challenges. These included weak internal procedures, insufficient information for individuals, inconsistent deletion practices, reliance on inefficient anonymisation techniques in place of deletion, uncertainty around retention periods, and difficulty deleting personal data from backup environments.

Why it matters

The right to erasure is one of the most frequently exercised GDPR rights, and one of the areas where regulators receive regular complaints. When authorities find the same practical failures across hundreds of controllers, that points to a broader implementation problem rather than a handful of isolated compliance misses. This has consequences for privacy teams, operational governance, data lifecycle management, and the credibility of rights handling processes.

Assessment

This looks less like a doctrinal GDPR debate and more like an execution gap. Organisations often know the right exists, but still lack the internal workflows, retention discipline, backup controls, and cross-team coordination needed to honour it reliably. The report also matters because it signals where future guidance and enforcement energy may go next: not only toward whether erasure is offered, but whether it actually works in real systems.

  • review internal erasure-request procedures end to end rather than treating them as a legal-only workflow
  • check whether deletion and backup handling processes are technically aligned with published retention rules
  • verify that anonymisation is not being used as a weak substitute where deletion is required
  • prepare for more scrutiny of rights handling evidence, timelines, and user-facing explanations

Further reading