EDPB CEF report on Right to Erasure








🛡️ Regulatory Alert · February 2026

EDPB flags gaps in Right to Erasure & controller readiness under Article 17 GDPR

The EDPB’s Coordinated Enforcement Framework report highlights recurring operational weaknesses: incomplete procedures, inconsistent practice, anonymisation shortcuts, and deletion in backups.

  • 🇪🇺 18 Feb 2026. Primary source: EDPB press release and published report
  • 🗑️ Article 17. One of the most frequently exercised GDPR rights
  • ⏱️ 7 min. Practical compliance actions and evidence checklist

📅 February 2026 · ✍️ DPO Advisors · ⏱️ 7 min read · GDPR · EDPB · ERASURE

⚠️ Action required. Stress-test your Article 17 workflow end-to-end, including backups, identity verification, timelines, and exception handling. Prepare evidence you can share with DPAs.

What the EDPB published and what it means

On 18 February 2026, the EDPB adopted and published a report under its Coordinated Enforcement Framework (CEF) on how controllers implement the right to erasure (Art. 17 GDPR). The EDPB highlights recurring challenges and good practices, with follow-up expected at both national and EU level.

  • 2025: 32 DPAs took part in the coordinated action. Controllers across sectors responded to the initiative.
  • Finding. A recurring gap is the lack of appropriate internal procedures to handle requests consistently.
  • Finding. DPAs report limited or unclear information provided to individuals during processing of requests.
  • Finding. Some controllers rely on inefficient anonymisation as an alternative to deletion.
  • Finding. Retention periods and deletion in backups are persistent operational pain points.
  • Signal. Expect more scrutiny of end-to-end execution and evidence, not just policy statements.

🔍 The operational “proof points” for Art. 17

Evidence: what to be ready to demonstrate during a DPA inquiry

  • 🧾 Documented SOP. Intake, identity verification, timelines, communications, and consistent decision logic for exceptions.
  • 🗄️ Execution across systems. System map, deletion runs, vendor coordination, and a defensible approach for backups and restores.

📊 Likely supervisory focus (qualitative)

  • Documented procedures & accountability (High). Clear ownership, SLAs, and QA
  • Deletion execution across systems (High). Primary stores, derived data, vendors
  • Backups & retention alignment (Med-High). Defensible technical approach + transparency
  • Exception handling & balancing tests (Medium). Consistency and traceable decisions


Design the workflow for real-world complexity

Erasure is not a single database delete. Controllers must coordinate across product surfaces, identity checks, legal holds, logs, analytics, vendor processors, and backup architectures. The right is also not absolute, so exceptions must be applied consistently.

🔑 Core principle: treat erasure as an operational control. You must be able to show how requests are processed, why decisions were made, and what was actually deleted.

📱 A defensible Art. 17 flow

💻 Intake (Portal / email) → 🧾 Decision (ID + exceptions) → 🗄️ Execution (Systems + backups)

  • 🔍 Identity verification. Standardise it and avoid collecting unnecessary additional data.
  • 🗺️ System map. Maintain a live inventory for erasure: primary stores, derived data, logs, vendors.
  • ⏱️ Traceable SLAs. Timestamp intake, decision, and completion. Keep communications consistent.
  • 🧯 Backups. Define a defensible technical approach and explain it transparently.
  • ⚖️ Exceptions. Apply consistent criteria and document balancing tests when relevant.

Four concrete actions to take now

This CEF report is a practical benchmark. Treat it as a maturity checklist and close gaps before requests become complaints or coordinated follow-ups.

ACTION 01 · 🧭 Audit your Art. 17 SOP
Validate intake, identity checks, timelines, and standardised communications. Add QA sampling.

ACTION 02 · 🧪 Run an end-to-end deletion test
Test erasure across representative systems and vendors, including derived datasets and logs.

ACTION 03 · 🗄️ Fix the backup story
Align retention schedules with backup strategy, restoration handling, and transparency notices.

ACTION 04 · ⚖️ Standardise exceptions
Train case handlers on exceptions and balancing tests. Document decision templates.

⚠️ Three lessons for privacy teams

Lesson 1
Erasure is operational engineering: system maps, automation, and evidence.

Lesson 2
Backups are in-scope. A “we cannot delete in backups” posture is rarely defensible.

Lesson 3
Consistency matters. SOPs and QA reduce complaint and enforcement exposure.
