CEF 2025: How the data protection supervisory authority's review of the right to erasure is progressing

CEF 2025: Review action on the right to erasure.

In 2025, the right to erasure under Art. 17 GDPR is at the center of a Europe-wide review by the data protection supervisory authorities. As part of the Coordinated Enforcement Framework (CEF) of the European Data Protection Board (EDPB), companies and public bodies are being put to the test. Controllers therefore urgently need to prepare strategically for possible control measures as part of the CEF Action 2025.

What is the aim of the CEF Action 2025?

The CEF Action 2025 aims to promote a uniform and effective implementation of the right to erasure under Art. 17 GDPR throughout the EU. The focus is on whether and how controllers implement this central data subject right in practice. The coordinated audit initiative serves not only the purpose of monitoring, but also the exchange of experience between the supervisory authorities and the sensitization of companies and public bodies to data protection requirements.

The selection of the topic "right to erasure" for the year 2025 is of particular relevance, as it is one of the most frequently asserted rights of data subjects and also represents a significant operational challenge for controllers. This is not only about responding to erasure requests, but also about the structural anchoring of erasure processes in IT systems, workflows and compliance structures. The question is the extent to which controllers

  • process erasure requests correctly and efficiently,
  • correctly apply exceptions to the right to erasure,
  • systematically implement internal erasure concepts,
  • and inform the data subjects in a transparent manner.


The participating data protection supervisory authorities use standardized questionnaires throughout Europe in order to gain comparable findings. These can be supplemented by in-depth interviews, document analyses or on-site audits. The aim is to summarize the results following the audits, identify systematic weaknesses and, if necessary, issue recommendations or guidelines for controllers.

The findings are evaluated centrally and published.

Right to erasure pursuant to Art. 17 and Art. 19 GDPR

The right to erasure is laid down in Art. 17 GDPR and is one of the central rights of data subjects. It obliges the controller to erase personal data immediately under certain conditions.

  • Art. 17 para. 1 GDPR sets out the substantive requirements for a claim to erasure. These include, in particular, the purpose no longer applying (the data is no longer required for the original purposes), the withdrawal of consent, an objection to the processing pursuant to Art. 21 GDPR, unlawful processing or statutory erasure obligations.
  • Art. 17 para. 3 GDPR regulates exceptions to the right to erasure. These include statutory retention obligations, overriding public interests, archiving purposes in the public interest and the assertion, exercise or defense of legal claims. In practice, these exceptions must be carefully checked and documented in order to withstand a supervisory review.
  • Art. 19 GDPR additionally obliges controllers to inform all recipients to whom personal data have been disclosed about the erasure, unless this proves impossible or involves a disproportionate effort. This duty to inform helps to ensure the reach of the right to erasure even in the case of data transfers.


One aspect that is often underestimated is the close connection with the right to object pursuant to Art. 21 GDPR, in particular in connection with direct advertising. A valid objection often leads directly to a right to erasure, so that both rights must be considered and implemented together in practice.

Relevance of the CEF Action 2025 for companies and authorities

The CEF Action 2025 poses challenges for companies and public bodies, especially if they regularly process personal data. Almost all sectors are affected - from healthcare to financial and insurance service providers to e-commerce providers and public authorities. Law firms have also already received questionnaires.

One risk factor is the lack of or inadequate implementation of systematic erasure processes. Many organizations have policies in place that address the right to erasure, but fail when it comes to practical implementation. The systems are often unable to delete data completely, or there are no clear responsibilities for processing erasure requests. In addition, exceptions under Art. 17 para. 3 GDPR, such as statutory retention periods or legitimate interests, are not properly documented or are applied too broadly.

In addition, organizations are increasingly required to prove to data subjects and supervisory authorities that deletion requests have been processed in a timely, comprehensible and data protection-compliant manner. The authorities are specifically asking for this evidence as part of the CEF Action 2025. This concerns both internal processes and cooperation with external service providers and processors.

Reading tip: Integrated risk management in practice - combining data protection, compliance and security

Seven strategic recommendations for preparation

  1. Check erasability: Controllers should carry out a systematic inventory of all data processing systems. It must be clearly documented where data is stored and whether it can be completely deleted - including in the context of backups or cloud services.
  2. Define an erasure concept and deadlines: An internal erasure concept should clearly regulate which personal data is to be deleted and when. Legal retention obligations (e.g. HGB, AO, SGB) as well as industry-specific requirements must be taken into account.
  3. Update the record of processing activities (VVT): The VVT must contain information on retention and erasure periods, processing purposes and responsibilities. It serves as a central verification document as part of the CEF audit.
  4. Transparency towards data subjects: Data protection declarations should explain the right to erasure in an understandable way. At the same time, a structured process must be established for processing requests - including standardized response templates, also for rejections in exceptional cases.
  5. Provide training and clarify responsibilities: Employees in data protection-relevant functions - especially in IT, HR and customer service - should receive regular training. Responsibilities and escalation paths for erasure requests should be clearly defined internally.
  6. Check contracts with processors: Data processing contracts must contain clear provisions on data erasure, especially after the end of the contract. In addition, it must be ensured that processors are themselves responsible for complete erasure and can also document it.
  7. Preparation for requests from authorities: Early internal coordination with data protection officers and compliance officers is recommended. A central point of contact for data protection inquiries should be defined that can respond quickly in the event of a CEF audit.

Typical questions about the CEF Action 2025 and self-check

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg has made the questionnaire for the Europe-wide campaign on the right to erasure available online. Typical questions include:

  • "How does your organization assess that personal data (which are the subject of a request for erasure) are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Art. 17 (1) (a) GDPR)?"
  • "What does your organization do when the data subject withdraws their consent (Art. 17 para. 1 letter b GDPR)?"
  • "What does your organization do when the data subject objects to the processing (Art. 17 para. 1 letter c GDPR)?"
  • "Has your organization ever refused to erase data in response to a request for erasure based on Art. 17(1)(c) GDPR on the basis of its "overriding legitimate grounds for the processing"? How do you understand the term "overriding legitimate grounds" and how are these grounds reconciled with the interests, rights and freedoms of the data subjects? Please describe in detail the cases you have encountered, including the balancing of interests in each case."

Link tip: Online self-check on Article 17 GDPR by the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg

Companies can therefore prepare specifically for the review campaign.

If you need support in implementing a deletion concept or would like to identify and rectify potential vulnerabilities, please contact us. Our data protection experts will be happy to help.
☎️ +49 (228) 926165-100
📧info@2b-advice.com
