The Right to Erasure in 2025—What the EDPB’s New Enforcement Focus Means for Organizations

Introduction

In 2025, the European Data Protection Board (EDPB) has placed a spotlight on the right to erasure, also known as the “right to be forgotten,” as part of its Coordinated Enforcement Framework (CEF). This initiative involves 30 Data Protection Authorities (DPAs) across Europe, along with the European Data Protection Supervisor, to scrutinize how organizations manage erasure requests and apply exceptions. Given that the right to erasure is one of the most frequently exercised and complained about GDPR rights, this focus is both timely and crucial for organizations.

What Is the Right to Erasure?

Article 17 of the GDPR outlines the right to erasure, allowing individuals to request the deletion of their personal data under certain conditions. This right is vital for protecting privacy and is commonly exercised in scenarios such as outdated or irrelevant data, withdrawal of consent, or unlawful data processing.

What’s New in 2025?

The EDPB’s coordinated action in 2025 aims to assess the compliance of organizations with the right to erasure. This involves a comprehensive scope of activities, including investigations, fact-finding missions, and follow-ups by the 30 DPAs and the EDPS. The scale of this initiative underscores the importance of adhering to GDPR requirements.

What Will DPAs Be Looking For?

DPAs will focus on how organizations process and respond to erasure requests, the application of conditions and exceptions, and the documentation and compliance practices in place. Ensuring that these processes are robust and transparent is essential for compliance.

Practical Steps for Organizations

Organizations should take proactive steps to review and improve their handling of erasure requests. This includes establishing clear policies, conducting staff training, and maintaining thorough records. Preparing for potential DPA inquiries or audits is crucial to avoid penalties.

Common Pitfalls and How to Avoid Them

Frequent mistakes include delays in processing requests, incomplete erasure, and poor communication with data subjects. To avoid these pitfalls, organizations should adopt best practices for compliance, such as timely responses and clear communication channels.

Conclusion

Getting the right to erasure right is not only about compliance but also about building trust with data subjects. Organizations are encouraged to review their current processes in light of the EDPB’s focus to ensure they are prepared for the increased scrutiny.

Other links on the web

• Such laws exempt journalists: Five press bodies to discuss data protection law in open meeting
• Data Privacy and Cyber Security Update April 2025
• Sertainty and SecureCo successfully complete pilot demo of end-to-end self-governing secure data sharing solution
• Justice Department implements critical national security program to protect Americans’ sensitive
• NDPC partners with Health Ministry to boost data protection in Nigeria’s healthcare sector
• European Commission confirms plans to simplify GDPR
• 51 Useful Data Protection Resources: Blogs, Videos, Guides, Infographics, Tools & More
• DAG Flachet Codific Cyber Resilience Act: Regulatory Standards for Organizations
• CEF 2025 Launch: Coordinated Enforcement on the Right to Erasure
• Principles of Privacy by Design