GDPR Right to Erasure an Enforcement Priority in 2025
The European Data Protection Board (EDPB) announced that the GDPR’s right to erasure, or “right to be forgotten,” will be the focus of the Coordinated Enforcement Framework (CEF) in 2025. Thirty-two European Data Protection Authorities (DPAs) will participate in this initiative. The DPAs will contact controllers from different sectors by opening new formal investigations or conducting fact-finding exercises. DPAs will check how controllers handle and respond to requests for erasure and how they apply the conditions and exceptions when requests are made.
DPAs will share and discuss their findings throughout 2025. The results of the right to erasure enforcement actions will be aggregated and analyzed to generate deeper insight.
GDPR Right to Erasure Requirements
The GDPR gives data subjects the right to request controllers erase their data when one of the following scenarios applies:
- The data is no longer necessary for the purposes for which it was collected or otherwise processed
- The data subject revokes consent for their data to be processed
- The data subject objects to their data being processed (see Article 21)
- The personal data have been unlawfully processed
- The data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
- The data was collected in relation to the offer of information society services referred to in Article 8
Right to Erasure Compliance Strategy
Here are some steps businesses can take to ensure they respond to erasure requests in a GDPR-compliant manner.
Establish a Clear Data Deletion Policy
Businesses should create, document, and operate from a formal data deletion policy that outlines how they handle requests for erasure. Your policy needs to specify the types of data that can be deleted, when deletion is permitted or required, and the timeframe for responding to requests. Include any exceptions, such as legal obligations to retain certain records. By clearly defining these procedures, businesses can ensure they act promptly and in compliance with the law when individuals exercise their right to erasure.
Implement a Secure Verification Process
Before deleting data, businesses must verify the identity of the requesting individual to prevent unauthorized deletions. This is an important step to reduce the risk of accidental or malicious data deletions. The verification process should be secure yet user-friendly. Methods such as multi-factor authentication or matching requests with existing account credentials can be effective verification strategies.
Develop a System for Locating and Deleting Data
Businesses need a system that can efficiently locate and remove an individual’s data across all databases and storage systems. This includes structured databases, unstructured data sources such as emails and backups, and third-party service providers handling data on the company’s behalf. Automated tools or data mapping techniques can help identify where personal information is stored.
Notify Third Parties and Processors
If your business has shared personal data with vendors, it may need to inform them of an erasure request unless it is impossible or requires disproportionate effort. This applies to data processors, cloud storage providers, and external partners who may have copies of the data. Establishing contractual agreements with third-party service providers that include erasure obligations can help ensure that data is properly deleted across all relevant platforms.
Maintain Records of Erasure Requests
Maintain a log of erasure requests and actions to demonstrate compliance with GDPR. This record-keeping should include the date of the request, the verification process used, the steps taken to delete the data, and any reasons for denial. Maintaining these records helps businesses protect themselves in case of regulatory audits or disputes while ensuring transparency in their data protection practices.
CompliancePoint has a team of privacy experts who can help your organization comply with the GDPR right to erasure and all the law’s requirements. Reach out to us at connect@compliancepoint.com to learn more about our services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.