| The right to erasure (Art. 17 GDPR), also known as the “right to be forgotten”, is one of the most frequently exercised data subject rights – and unfortunately regularly leads to complaints to data protection authorities. In order to examine the practical implementation of this right and how e.g. businesses deal with deletion requests, the European Data Protection Board (EDPB) has launched a Europewide coordinated enforcement measure, the Coordinated Enforcement Framework (CEF), for the year 2025. A total of 32 european data protection authorities, including several from Germany, are taking part. To this end, the authorities are analyzing the procedures used and comparing them on the basis of a Europe-wide questionnaire. The aim is to identify challenges, determine best practices and suggest improvements. For businesses with extensive data holdings and complex IT structures, data erasure in compliance with data protection requirements can be a real challenge. How can data be classified and how can you ensure that data is effectively and permanently erased? How do you deal with backup copies? Which legal retention periods need to be taken into account and when does which data need to be erased? Once the audit is completed, the findings will be published in an report. The results could lead to data protection authorities taking appropriate action or issuing recommendations for deletion procedures to ensure that the “right to be forgotten” exists not only on paper but also in practice. We recommend that, as a controller, you ensure the practical implementation of your deletion policy and we would be happy in supporting you with setting this up. After all, incomplete implementation of the right to erasure could soon become not only a data protection problem but also a compliance risk. |