CEF 2025: How the data protection supervisory authority's review of the right to erasure is progressing


In 2025, the right to erasure in accordance with Art. 17 GDPR is at the center of a Europe-wide review by the data protection supervisory authorities. As part of the Coordinated Enforcement Framework (CEF) of the European Data Protection Board (EDPB), companies and public bodies will be put to the test. There is therefore an urgent need for data controllers to strategically prepare for possible control measures as part of the CEF Action 2025.

What is the aim of the CEF Action 2025?

The CEF Action 2025 aims to promote uniform and effective implementation of the right to erasure under Art. 17 GDPR throughout the EU. The focus is on the question of whether and how data controllers implement this central data subject right in practice. The coordinated audit initiative not only serves the purpose of monitoring, but also the exchange of experience between the supervisory authorities and raising awareness of data protection requirements among companies and public bodies.

The selection of the "right to erasure" topic for 2025 is particularly relevant, as it is one of the most frequently asserted rights of data subjects and also represents a significant operational challenge for data controllers. This is not only about responding to erasure requests, but also about the structural anchoring of erasure processes in IT systems, workflows and compliance structures. The review examines the extent to which those responsible:

  • process deletion requests correctly and efficiently,
  • correctly apply exceptions to the deletion claim,
  • systematically implement internal deletion concepts,
  • and inform the persons concerned in a transparent manner.


The participating data protection supervisory authorities use standardized questionnaires throughout Europe in order to gain comparable findings. These can be supplemented by in-depth interviews, document analyses or on-site audits. The aim is to summarize the results following the audits, identify systematic weaknesses and, if necessary, develop recommendations or guidelines for those responsible.

The findings are evaluated centrally and published.

Right to erasure in accordance with Art. 17 and Art. 19 GDPR

The right to erasure is set out in Art. 17 GDPR and is one of the central rights of data subjects. It obliges the controller to delete personal data immediately under certain conditions.

  • Art. 17 para. 1 GDPR specifies the material requirements for a right to erasure. These include, in particular, the discontinuation of the purpose (the data is no longer required for the original purposes), the withdrawal of consent, objection to processing in accordance with Art. 21 GDPR, unlawful processing or statutory erasure obligations.
  • Art. 17 para. 3 GDPR regulates exceptions to the right to erasure. These include statutory retention obligations, overriding public interests, archiving purposes in the public interest and the assertion, exercise or defense of legal claims. In practice, these exceptions must be carefully checked and documented in order to withstand a supervisory review.
  • Art. 19 GDPR also obliges controllers to inform all recipients to whom personal data has been disclosed of the deletion, unless this proves impossible or involves a disproportionate effort. This obligation to inform helps to ensure the scope of the right to erasure even in the case of data transfers.


One aspect that is often underestimated is the close connection with the right to object pursuant to Art. 21 GDPR, especially in connection with direct advertising. A permissible objection often leads directly to a right to erasure, so that both rights must be considered and implemented together in practice.

Relevance of the CEF Action 2025 for companies and authorities

The CEF Action 2025 poses challenges for companies and public bodies, especially if they regularly process personal data. Almost all sectors are affected - from healthcare to financial and insurance service providers to e-commerce providers and public authorities. Law firms have also already received questionnaires.

One risk factor is the missing or inadequate implementation of systematic erasure processes. Although many organizations have policies that mention the right to erasure, they fail to implement them in practice. Systems are often unable to delete data completely, or there are no clear responsibilities for processing deletion requests. In addition, exceptions under Art. 17 para. 3 GDPR, such as statutory retention periods or legitimate interests, are not properly documented or are applied too broadly.

In addition, organizations are increasingly required to prove to data subjects and supervisory authorities that deletion requests have been processed in a timely, comprehensible and data protection-compliant manner. The authorities are specifically asking for this evidence as part of the CEF Action 2025. This concerns both internal processes and cooperation with external service providers and processors.


Seven strategic recommendations for preparation

  1. Check erasure capability: Those responsible should carry out a systematic inventory of all data processing systems. It must be clearly documented where data is stored and whether it can be completely deleted - including in the context of backups or cloud services.
  2. Define deletion concept and deadlines: An internal deletion concept should clearly regulate which personal data is to be deleted and when. Legal retention obligations (e.g. HGB, AO, SGB) as well as industry-specific requirements must be taken into account.
  3. Update the record of processing activities (RPA): The RPA must contain information on retention and deletion periods, processing purposes and responsibilities. It serves as a central verification document as part of the CEF audit.
  4. Ensure transparency towards data subjects: Data protection declarations should clearly explain the right to erasure. At the same time, a structured process for handling requests should be established, with standardized response templates that also cover refusals in exceptional cases.
  5. Clarify training and responsibilities: Employees in data protection-relevant functions - particularly in IT, HR and customer service - should receive regular training. Responsibilities and escalation paths for deletion requests should be clearly defined internally.
  6. Check contracts with processors: Data processing contracts must contain clear regulations on data erasure, especially after the end of the contract. In addition, it must be ensured that processors themselves are obliged to delete data completely and can also document this.
  7. Prepare for requests from authorities: Early internal coordination with data protection officers and compliance officers is recommended. A central point of contact for data protection inquiries should be defined that can respond quickly in the event of a CEF audit.

Typical questions about the CEF Action 2025 and self-check

The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information has put the questionnaire for the Europe-wide campaign on the right to erasure online. Typical questions include:

  • "How does your organization assess that personal data (which is the subject of a request for erasure) is no longer necessary for the purposes for which it was collected or otherwise processed (Art. 17 (1) (a) GDPR)?"
  • "How does your organization proceed if the data subject withdraws consent (Art. 17 (1) (b) GDPR)?"
  • "How does your organization proceed if the data subject objects to the processing (Art. 17 (1) (c) GDPR)?"
  • "In the case of a request for erasure on the basis of Art. 17(1)(c) GDPR, has your organization ever refused to erase data on the basis of its "overriding legitimate grounds for processing"? How do you understand the term "overriding legitimate grounds" and how are these grounds reconciled with the interests, rights and freedoms of the data subjects? Please describe in detail the cases you have encountered, including the trade-offs made in each case."

Link tip: Online self-check on Article 17 GDPR by the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg

Companies can therefore prepare themselves specifically for the test campaign.

If you need support in implementing a deletion concept or would like to identify and rectify potential vulnerabilities, please contact us. Our data protection experts will be happy to help.
☎️ +49 (228) 926165-100
📧  info@2b-advice.com
