
Right to Erasure (right to be forgotten): Lessons from the EDPB Implementation Enforcement Action

  • Writer: Rock Consultancy

20 March 2026


Intro

Under Article 17 GDPR, individuals have the right to request erasure of their data (right to be forgotten). This right is not absolute: for example, it does not apply where the data controller needs to retain the data to comply with a legal obligation or requires the data for the purpose of a legal claim.


The European Data Protection Board (EDPB) selected the topic ‘Implementation of the right to erasure by controllers’ for its 2025 Coordinated Enforcement Action (CEA). The EDPB decided to prioritise this topic given that this right is one of the most frequently exercised data protection rights and one about which supervisory authorities frequently receive complaints. 

 

The CEA involved contributions from 764 controllers across 32 supervisory authorities, including the Irish Data Protection Commission. 


Following the 2025 CEA, the EDPB issued its report on the ‘Implementation of the right to erasure by controllers’ (Report).  The Report highlighted significant gaps and assessed the level of compliance as “average”.  There is a call for a more structured and “operationalised” system of personal data governance. 


Details

The Report found that organisations' awareness of the right to erasure is not the problem. It identified seven “recurring” issues:

  1. Absence of a documented and updated internal procedure to handle erasure requests. 

  2. Absence of or inadequate training. 

  3. Insufficient information provided to data subjects. 

  4. Misuse of and legal uncertainty on the exceptions to deny erasure requests. 

  5. Difficulties in defining and implementing data retention periods. 

  6. Deletion of personal data in the context of back-ups. 

  7. Difficulties with anonymisation to respond to erasure requests. 

 

Below are the recommendations controllers may use to manage these challenges:    

  1. Implement efficient erasure request procedures:

Organisations need to have clear procedures for handling and recording requests from data subjects.


  2. Training staff and raising awareness:

Staff should receive adequate training and be well-equipped to handle erasure requests.


  3. Mapping and monitoring personal data:

A critical element in ensuring that data erasure requests are met is locating personal data. There should be an efficient and effective system in place to locate data and ensure erasure requests are carried out within the required deadline.


  4. Transparent and timely information:

Organisations should provide transparent and accessible information and are required to explain data request decisions to the data subject clearly and in a timely manner.


  5. Technical capacities:

The EDPB emphasises that organisations are required to have systems in place that support deletion of personal data promptly.


  6. Record keeping:

Organisations must ensure proper and accurate documentation of data subject requests.


Key Takeaways

  • Organisations must have procedures in place to handle data erasure requests compliantly.

  • Organisations need to ensure they have the appropriate technical capability to delete data.

  • Staff training is key: organisations must ensure their personnel know and understand the required procedures.


Based on the EDPB’s assessment, it is evident that organisations need to take meaningful steps to have a procedure in place, adequate staff training and technical capability to ensure compliance with their obligations.  

 


At Rock Consultancy, we can support your organisation with data subject request complaints, including with procedures, operationalisation and training your personnel.


For any queries on this article or how Rock Consultancy can support your organisation, please contact us at info@rockconsultancy.ie 

 

 
 
