Delete and Disclose: EDPB CEF 2025 & 2026
The European Data Protection Board (“EDPB”) has launched its Coordinated Enforcement Framework (“CEF”) action for 2026[1], which will focus on transparency and information obligations under Articles 12-14 GDPR. This marks a continuation of the emphasis placed by the EDPB on data subject rights, following the 2025 CEF action on the right of erasure (Article 17 GDPR), and the 2024 CEF action on the right of access (Article 15 GDPR).[2]
CEF 2025: The Right to Erasure
The EDPB’s 2025 CEF action assessed how controllers implement the right to erasure in practice, across different sectors and organisations of various sizes. In total, 32 supervisory authorities (SAs) participated in the CEF action and 764 controllers responded to a questionnaire. The findings of the SAs are set out in a report adopted by the EDPB on 10 February 2026 (the “Erasure Report”).
The Erasure Report notes that in general, many controllers implement “good practices” in relation to the right to erasure, including having a dedicated legal and/or compliance team in place to handle erasure requests, informing data subjects of the consequences of definitive deletion of their data and documenting legal reasons and justifications when relying on exceptions to erasure.
However, the report also identifies a number of key challenges facing controllers processing erasure requests. In respect of each of these challenges, the EDPB has suggested the following non-binding recommendations:
| Challenges | Recommendations |
|---|---|
| 1. Absence of or outdated internal procedure for erasure requests: Many controllers lack formal, documented procedures for handling erasure requests, leading to inconsistent and subjective handling of requests. | Organisations should establish clear internal procedures with defined deadlines, steps, and responsibilities, and map personal data storage locations using the organisation’s record of processing activities (ROPA). |
| 2. Absence of or inadequate training of staff: Staff often receive only generic annual training and lack specific knowledge of Article 17 GDPR, resulting in failures to recognise erasure requests or meet legal deadlines. | Controllers should provide mandatory, role-specific training from the point of hire, with regular refreshers and practical testing using simulated requests. |
| 3. Insufficient information provided to individuals: Data subjects are frequently not informed about the existence of their right to erasure, nor given clear instructions on how to exercise it. | Privacy notices should be updated to explain the right, its scope, and the submission process, including in an easily accessible manner the contact details or the channel to use for data subjects to submit their erasure request. |
| 4. Misuse of / legal uncertainty around exceptions to deny erasure requests: Controllers often apply exceptions under Article 17(3) GDPR automatically or inconsistently, without conducting case-by-case assessments or documenting their reasoning. | Legal justifications for relying on exceptions should be documented in writing, and compliance or legal teams should be involved in such decisions. |
| 5. Difficulty in defining and implementing data retention periods: Many controllers, particularly smaller ones, struggle to determine appropriate retention periods and often apply the longest period across all activities without proper assessment. | Organisations should document retention periods in the ROPA, and maintain an updated retention policy. |
| 6. Deletion in the context of backups: There is significant inconsistency in how controllers handle erasure requests in the context of back-up systems, with many relying on automatic overwriting or set intervals rather than specific procedures. | Controllers should follow established standards for secure data destruction, verify that erasure has occurred, and be able to demonstrate such erasure. |
| 7. Anonymisation used as a substitute for deletion: Controllers frequently rely on anonymisation as a substitute for deletion but misunderstand its legal and technical requirements, often applying only pseudonymisation or partial masking which does not satisfy GDPR standards. | Organisations should ensure awareness of EDPB guidance on anonymisation and as a best practice implement or base security policies on recognised technical standards such as ISO/IEC 27001 to improve their processes. |
CEF 2026: The Right to be Informed
On 19 March 2026, the EDPB launched its 2026 CEF action on compliance with the obligations of transparency and information under Articles 12, 13 and 14 GDPR. The EDPB selected the topic at its October 2025 plenary, describing the “right to be informed” as core to transparency and data subjects’ control over their personal data. The launch note for the action indicates that 25 SAs will participate during the course of 2026 and will contact controllers from different sectors through enforcement actions and/or fact‑finding exercises.
The sequencing of the EDPB CEF actions is noteworthy. The Erasure Report flags the insufficient provision of information to individuals on their data subject rights as a recurring issue. The 2026 CEF action focuses on the provision of information to data subjects as a standalone priority. Read together, it is clear that the EDPB’s focus is moving from the implementation of data subject rights in practice to the importance of controllers’ obligations to ensure that such rights are easily exercised and properly enforced by providing data subjects with clear and accessible information.
What does this mean for controllers?
Controllers would be well advised to review their practices and policies related to erasure requests and to consider if any updates are required to take account of the EDPB’s recommendations in the Erasure Report. In light of the EDPB’s recent focus on the obligations of transparency and information under the GDPR, we also encourage clients to carefully review their privacy notices and the information provided to data subjects on the exercise of their data subject rights set out in such notices.
How can McCann FitzGerald LLP help?
For further information or assistance, please reach out to one of the key contacts below, or your usual contact at McCann FitzGerald LLP.
1. The CEF is an action of the EDPB under its 2024-2027 strategy, which seeks to streamline enforcement and cooperation among DPAs. The reports that the EDPB produces with its findings from a CEF action usually contain key learnings which ought to be implemented by controllers seeking to ensure compliance with the GDPR.
2. Our briefing, ‘EDPB CEF 2024 & 2025: Data Subject Rights (& Wrongs)’ is available here: https://www.mccannfitzgerald.com/knowledge/data-privacy-and-cyber-risk/edpb-cef-2024-2025-data-subject-rights-wrongs.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

