The European Data Protection Board (EDPB), the independent EU body responsible for ensuring the consistent application of the EU General Data Protection Regulation (GDPR) across all EU member states, has kicked off its ‘Coordinated Enforcement Framework’ (CEF) action for 2025, which will focus on the enforcement of Article 17 of the GDPR (the so-called ‘right to be forgotten’, or right to erasure).

What is the EDPB Coordinated Enforcement Framework?

The CEF is a key component of the EDPB's strategy and is designed to improve enforcement and cooperation among domestic data protection authorities (DPAs) across Europe. 

Previous CEF actions have covered varied topics such as the use of cloud-based solutions in the public sector and the designation and position of data protection officers within businesses. The EDPB’s 2024 CEF action was focused on the enforcement of the right of access.

Why the Right to Erasure?

The right to erasure, under Article 17 of the GDPR, allows individuals to request the deletion of their personal data without undue delay under certain circumstances, such as the data no longer being necessary for its original purpose or consent being withdrawn.

The EDPB selected the right to erasure as the focus of this year's coordinated action because it is one of the most frequently invoked rights under the GDPR. DPAs across the EU bloc also receive a high volume of complaints from individuals regarding the handling of erasure requests, which continue to be ignored or not addressed properly on a regular basis.

Scope of the Coordinated Action

A total of 32 DPAs will participate in this initiative. 

Throughout the year, participating DPAs will be contacting data controllers across various sectors of the economy to assess how they manage and respond to requests for erasure. This will involve a mix of the following:

• Formal investigations – participating DPAs may open formal investigations into specific companies if they suspect non-compliance with Article 17 of the GDPR.
   
• Fact-finding exercises – participating DPAs will also conduct broader inquiries to understand current practices within their jurisdiction and identify gaps or problematic trends. DPAs may then take further steps to ensure compliance based on the findings of those inquiries.

The DPAs will specifically consider how data controllers: (i) apply the conditions for the right to erasure to be exercised; (ii) consider the application of exceptions to the right to erasure; and (iii) action requests to exercise the right to erasure within the prescribed time limit.

Throughout the year, participating DPAs will maintain close contact to share their findings. The collective results of these national actions will then be aggregated and analyzed. 

This coordinated approach will allow the EDPB to gain a better understanding of the practical application of the right to erasure, and to develop targeted follow-up actions at both national and EU levels. The EDPB will likely publish a report in early 2026 to summarize its findings.

Key Takeaways

The right to erasure is one of the most widely used and ‘visible’ right under the GDPR. Despite that fact, many organizations do not have compliant procedures in place to handle erasure requests.

As the right to erasure will now be in the spotlight, it will likely be enforced more aggressively and organizations operating in the EU should carefully review their procedures for handling erasure requests and ensure they are compliant with Article 17 of the GDPR.