The European Data Protection Board released its final report detailing the results of the latest Coordinated Enforcement Framework action on data protection authorities' enforcement of the right to erasure under the EU General Data Protection Regulation. The board also released a report recapping a stakeholder workshop intended to gather input on anonymization and pseudonymization. 

The coordinated action program, which began in 2020, is an annual initiative taken by DPAs at the national level. The board indicated the right to erasure was "one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals."

The CEF report states 32 member state data protection authorities took part in the EDPB-led effort. In that time, the EDPB said nine DPAs opened formal investigations or are continuing ongoing ones, while 23 DPAs conducted fact-finding exercises. The work elicited responses from 764 European data controllers, according to the report. 

However, the CEF report also identifies seven reoccurring challenges it has encountered implementing the right to be forgotten across the EU. The EDPB said the issues identified in the report mirrored the findings from the CEF's 2024 work on the right of access in the EU. 

The EDPB notes that data controllers may have a "lack of appropriate internal procedures to handle requests, or the lack of sufficient information provided to individuals," as lingering issues hampering CEF work. Also, the EDPB indicated because the right to erasure is "not an absolute right," a number of data controllers "face difficulties in assessing and applying the conditions for the exercise of this right, including in carrying out the different balancing tests between the right to erasure and other rights and freedoms."

"Participating DPAs reported specific findings related to the reliance by some controllers on inefficient anonymisation techniques to handle erasure requests as an alternative to deletion," the CEF report states. "DPAs also noted inconsistent practices, and the difficulties faced by controllers regarding the determination of retention periods and the deletion of personal data in the context of back-ups."

Several DPAs issued follow-up guidance after the CEF report was released, including Finland, France, Greece and Sweden. 

France's DPA, the Commission nationale de l'informatique et des libertés, said it issued two formal notices as part of its CEF work last year, which may result in forthcoming penalties to the noticed parties. The CNIL also said the size of the organization acting as a controller is a key determining factor in how capable it is to honor data subject deletion requests. 

"This coordinated European-wide audit campaign reveals that the size of an organization and its sector of activity influence the number of erasure requests received and the overall level of compliance observed," the CNIL's guidance states. "Larger organizations generally receive a greater number of requests and are more likely to have formalized internal procedures supported by appropriate technical and organizational measures."

The DPAs of Finland, Greece and Sweden issued questionnaires to data controllers as part of the CEF action last year. 

Finland's Office of the Data Protection Ombudsman said it sent a voluntary questionnaire to 61 organizations and received 37 responses. Additionally, the DPA said it has published supplemental guidance for best practices for implementing the right to erasure.

The Hellenic Data Protection Authority said its questionnaire was sent to 35 data controllers. The Greek DPA said several of its main findings were that controllers replaced deletion with anonymization "without sufficient guarantees for its irreversible nature," difficulties applying exceptions to the right to erasure and that deletion from backup files did not occur in all circumstances. 

Overall the DPA said the level of compliance among surveyed data controllers in Greece was "high." 

Sweden's data protection authority, the Integritetsskyddsmyndigheten, sent its questionnaire to 20 major public and private sector organizations. 

"The observations about problems, challenges and best practices among Swedish businesses that IMY made last autumn are well in line with what the EDPB has now concluded," the IMY said.

EDPB report recaps anonymization/pseudonymization workshop

The EDPB also released its report containing stakeholder input from its workshop on anonymization and pseudonymization held 12 Dec. 2025. 

The workshop was held following the Court of Justice of the European Union ruling in the EU Single Resolution Board v. European Data Protection Supervisor in September of last year, in which the court affirmed that pseudonymized data can constitute as personal data under certain circumstances. 

The EDPB said the event was targeted to the general public, with a focus on sector associations, nongovernmental organizations, individual companies, law firms and academics. The 105 participants were given a discussion paper featuring four key questions on the topic prior to the event and then divided into four groups during the workshop to share their opinions on each question. 

The four questions sought to provide clarity to stakeholders for how regulators view the CJEU ruling, including: What additional guidance data controllers need to help them make better assessments on a case-by-case basis when anonymized and/or pseudonymized data can be identifiable; how controllers can assess the identification capabilities when anonymized or pseudonymized data is transferred to third parties; how controllers can determine what re-identification means are "reasonably likely" to be employed by recipient of the data, per the CJEU decision, and how a controller processing pseudonymized data can determine if it contains personal data and what technical and organizational efforts can a controller use to ensure a recipient can not eliminate. 

IAPP European Operations Coordinator Laura Pliauškaitė attended the workshop in December and said the overarching message stakeholders wanted to convey to the EDPB was a "strong call for more practical tools and guidance."

"Some participants highlighted a lack of clarity on how the ruling would apply in the context of joint controllership, especially when one controller does not have access to data,” Pliauškaitė wrote. "They also asked for more clarification on the relationship between the controller and the processor from each of their perspectives."

Alex LaCasse is a staff writer for the IAPP.