The European Data Protection Board recently published its report on the results of its 2025 Coordinated Enforcement Framework (CEF) on the right to erasure (or ‘right to be forgotten’). As in 2024, the CNPD joined this action by asking several controllers based in Luxembourg about their practices regarding the right to erasure. The CNPD has drawn up a national report, consolidated at European level.
The CEF 2025 report is rich in observations on the effective implementation of the right to erasure and also offers useful recommendations and best practices for organisations. In total, no fewer than 764 organisations took part in this action at European level.
Overview of the results
While the various participating data protection authorities consider that the level of compliance of organisations is generally ‘average’, it varies very strongly according to their size, sector and number of erasure requests received.
The results of this CEF confirmed some of the findings of the 2024 coordinated action on the right of access, in particular regarding the lack of appropriate internal procedures to process requests or the lack of sufficient information given to individuals exercising their right. In addition, the authorities reported specific findings regarding the use of inefficient anonymisation techniques by some controllers to handle erasure requests as an alternative to deletion. DPAs also noted inconsistent practices, and the difficulties faced by controllers regarding the determination of retention periods and the deletion of personal data in the context of back-ups. In addition, as the right to erasure is not an absolute right, some controllers face difficulties in assessing and applying the conditions for the exercise of this right, including in carrying out the different balancing tests between the right to erasure and other rights and freedoms.