The headline finding: overall compliance is "average." For the organizations DPAs are now planning sector-specific inspections on, average is not enough.
Your data protection team probably has an erasure procedure. The EDPB's audit tells you exactly where it is most likely to be wrong.
Key takeaways:
- The EDPB's February 2026 CEF report examined 764 controllers across 32 EU DPAs and rated overall right-to-erasure compliance as "average," with 9 DPAs opening formal investigations.
- The seven recurring failures the EDPB found are not edge cases: 17 DPAs raised concerns about missing internal procedures, and half of all participating DPAs flagged backup deletion gaps as a specific problem.
- Fixing these failures requires operational changes, not just policy updates: systematic data classification, verified backup erasure procedures, and documented exception assessments on a case-by-case basis.
What Article 17 Requires
The right to erasure, established as EU law in the 2018 GDPR and grounded in the CJEU's 2014 Google Spain ruling (C-131/12), gives data subjects the right to obtain deletion of their personal data without undue delay when one of six statutory grounds applies: the data is no longer necessary for the purpose it was collected; the data subject withdraws the consent on which processing was based; the data subject objects under Article 21 and no overriding legitimate grounds exist; the data was unlawfully processed; a legal obligation under EU or member state law requires erasure; or the data relates to a child's information services consent. Where the controller has disclosed the data to third parties, Article 19 GDPR requires notification of the erasure to each recipient.
The one-month response deadline under Article 12(3) GDPR runs from receipt of the request, not from identity verification or internal escalation. Two-month extensions are permitted for complex or voluminous requests, but only if the controller notifies the data subject of the extension within the first month with an explanation.
What the EDPB's 2026 Audit Actually Found
The EDPB's Coordinated Enforcement Framework (CEF) runs a different theme each year. In 2024, DPAs examined data subject access rights. In 2025, the focus shifted to erasure. The resulting report, adopted on February 10, 2026, is the most data-rich picture of Article 17 compliance in existence.
Scope: 32 supervisory authorities participated. They sent questionnaires to 764 controllers ranging from small businesses to multinationals, across both private and public sectors. Nine DPAs moved beyond fact-finding to open formal investigations. Twenty-three conducted structured fact-finding exercises that feed directly into 2026 supervisory planning.
The overall compliance rating of "average" conceals a significant divide: larger organizations with dedicated compliance teams generally maintain documented procedures. Smaller organizations frequently have none. Public-sector controllers consistently underperform their private-sector counterparts, with only 25% of public bodies regularly reviewing their Article 17 procedures compared to 85% of private companies.
Complaint volumes confirm erasure is one of the most exercised data subject rights in practice. In the Netherlands, 580 erasure complaints were filed in 2024 alone, making it the largest single complaint category at 18.6% of all complaints that year. Spain has received more than 7,000 erasure complaints since GDPR took effect. In Slovenia, the share of complaints relating to Article 17 rose from 4% in 2020 to 19% in 2024. Ireland has logged over 3,000 erasure complaints since May 2018, with the trend still increasing.
These numbers matter for risk calibration. Erasure requests are not hypothetical compliance exercises. They arrive at volume, they generate complaints when mishandled, and now, they are generating formal DPA investigations.
The 7 Failures DPAs Are Finding
1. No Documented Internal Procedures
Seventeen of the 32 participating DPAs identified missing or incomplete documented procedures as a recurring problem. Controllers in this category handle erasure requests on an ad hoc basis: someone receives a request, figures out what to do, and the outcome depends entirely on who that person is. There is no documented workflow specifying who receives requests, who has authority to approve erasure or apply an exception, what the escalation path looks like, or how decisions are recorded.
The fix is procedural documentation that maps the full lifecycle of a request: intake, identity verification, data location, legal exception assessment, execution, third-party notification (where applicable under Article 19 GDPR), and response to the data subject. The procedure does not need to be long. It needs to be complete and consistently followed.
If you manage DSARs through Secure Privacy's privacy governance platform, erasure requests arrive through a managed workflow with built-in audit trail, removing the dependency on individual judgment.
2. Inadequate Staff Training
Approximately 20% of responding controllers provide no regular refresher training on Article 17. Initial onboarding training, where it exists at all, is rarely Article 17-specific. The practical consequence is staff who do not know the legal exceptions that apply, do not recognize requests that arrive in non-standard forms (a customer complaint email that functions as an erasure request, for example), and miss the one-month response deadline under Article 12 GDPR.
The EDPB's recommendation is mandatory, role-specific training that includes the Article 17 exceptions and the organization's internal procedure, repeated regularly, not just at hire. For organizations with high staff turnover in customer-facing roles, this means a standing training cadence, not a one-time event.
3. Insufficient Information to Data Subjects
Thirteen DPAs noted that controllers fail to clearly explain how to submit erasure requests, what grounds apply, and what happens after submission. Privacy notices often address the right to erasure in one sentence. Controllers frequently omit information about the right to lodge a complaint with a supervisory authority and the right to judicial remedy if a request is refused.
Article 13(2)(b) and Article 14(2)(c) GDPR require that privacy notices explain the existence of the right to erasure, not merely acknowledge it. A privacy notice that says "you may have the right to request deletion of your personal data" without specifying how, when, and what the outcome will be does not satisfy the requirement. Update your privacy notice and make the erasure request path accessible, not buried.
4. Misapplication of Legal Exceptions
Article 17(3) GDPR provides six grounds on which a controller can refuse an erasure request: compliance with a legal obligation, performance of a task in the public interest, archiving purposes in the public interest, public health purposes, establishment or defense of legal claims, and exercise of freedom of expression. Controllers routinely apply these exceptions in two problematic ways: treating them as automatic rather than assessing them on the facts of each specific request, and failing to document the reasoning.
The interest-balancing test under Article 17(3)(c), which applies when a controller relies on legal claims, is particularly frequently misapplied. An undocumented blanket policy of refusing erasure for "legal purposes" is not a case-by-case assessment. DPAs are finding this and documenting it in formal investigation notes.
Every exception application needs a contemporaneous written record: which exception applies, why it applies to this specific request, what data is covered, and who made the determination.
5. Retention Period Definition Challenges
Controllers that do not maintain retention schedules face a specific Article 17 problem: they cannot determine when data should be deleted in the absence of a request, and they cannot confirm to a data subject that data has been erased without knowing where it lives and how long it has been kept. The EDPB found a common pattern of organizations applying their longest retention period across all processing activities as a default, which conflicts directly with the storage limitation principle under Article 5(1)(e) GDPR.
The records of processing activities (RoPA) are the right place to document retention periods per processing activity. Without them, Article 17 compliance is structurally impossible: you cannot erase data you cannot locate, and you cannot locate data without a processing inventory.
6. Backup Deletion Deficiencies
Half of the participating DPAs flagged backup deletion as a specific problem, making it the most widely cited technical failure in the report. Controllers rely on automatic backup rotation to eventually overwrite deleted data, with no procedures for preventing the restoration of data that has already been erased in response to an Article 17 request. A data subject whose data is deleted from production systems in response to a valid erasure request remains in backup archives that are periodically restored during incident recovery, at which point the deleted data reappears.
The EDPB explicitly noted that several DPAs requested EDPB-level guidance on backup erasure, signaling that this is an active area of regulatory attention. The standard the report points toward is a documented procedure for excluding specific records from backup restoration, with verified execution. Following established secure destruction standards (such as those referenced in ISO/IEC 27001) and maintaining evidence of backup erasure are the practical requirements.
This is a technical challenge that many organizations have not solved. Shadow data and untracked processing in backup systems is one of the most common sources of compliance failure precisely because it is invisible until an incident exposes it.
7. Ineffective Anonymization Techniques
Some controllers handle erasure requests by anonymizing data rather than deleting it. The EDPB found that a significant share of these cases rely on pseudonymization rather than true anonymization. Pseudonymized data, where identifying fields are replaced with tokens while the token mapping is retained, remains personal data under GDPR. Applying pseudonymization in response to an Article 17 request and then treating the obligation as fulfilled is a compliance failure.
True anonymization must be irreversible: no reasonable means of re-identification can exist in the hands of the controller, any joint controller, or any reasonably foreseeable third party. The EDPB is currently developing Guidelines on Anonymization, partly in response to the CJEU ruling in EDPS v SRB (Case C-413/23P), which will provide more specific criteria. Until those guidelines are finalized, the test is irreversibility under any reasonable re-identification scenario, not just the controller's current technical capabilities.
If you are using pseudonymization and anonymization techniques in response to erasure requests, verify that the technique applied actually removes all means of re-identification before treating the request as closed.
What DPAs Are Doing With These Findings
Nine DPAs opened formal investigations as a direct result of the CEF action, with active proceedings in Ireland, France, Portugal, Slovenia, and Germany. Three DPAs (CNIL in France, CNPD in Portugal, and IMY in Sweden) have indicated they will use the CEF findings to inform sector-specific inspections throughout 2026.
The EDPB's sequencing is deliberate: 2024 covered access rights, 2025 covered erasure, and 2026 CEF will focus on transparency and information provision. Organizations that fixed their SAR procedures after the 2024 CEF action but have not addressed erasure are now in the active enforcement window.
The GDPR enforcement data for 2026 shows the trend lines: DPA enforcement is increasingly coordinated across jurisdictions, and CEF findings translate directly into supervisory programs within each participating authority.
Article 17 Compliance Audit Checklist
Review each item against your current state:
| Area | Check |
|---|---|
| Internal procedures | Documented workflow for Article 17 requests exists, is current, and is followed consistently |
| Staff training | Role-specific Article 17 training in place; refresher schedule defined |
| Privacy notice | Erasure grounds, submission process, and complaint rights clearly described |
| Exception decisions | Every exception application documented with legal basis and case-specific reasoning |
| Retention schedule | Defined retention periods per processing activity in your RoPA; default is not "keep longest" |
| Backup erasure | Procedure exists for excluding erased records from backup restoration; execution is verified |
| Anonymization | Technique applied meets irreversibility standard; pseudonymization not counted as erasure |
| Third-party notification | Article 19 GDPR notification to recipients assessed and executed where applicable |
Frequently Asked Questions
Does the one-month deadline under Article 17 apply from the date of the request or the date of identity verification?
The one-month period runs from the date the controller receives the erasure request, not from identity verification completion. If identity verification takes time, the clock does not pause. Where requests are complex or numerous, a two-month extension is available under Article 12(3) GDPR, but the controller must notify the data subject of the extension within the first month and give reasons.
Can we refuse an erasure request if the data is needed for a legitimate interests purpose?
No. Legitimate interests as a lawful basis under Article 6(1)(f) does not appear in the Article 17(3) list of exceptions. If your only basis for retaining data after an erasure request is that you relied on legitimate interests for the original processing, that basis does not justify refusal. The relevant exceptions are legal obligation, public interest, legal claims, and a narrow set of public health and archiving purposes.
What does "undue delay" mean in practice for Article 17?
"Without undue delay" in Article 17(1) means as soon as reasonably practicable, subject to the one-month outer limit. It does not mean the maximum time is always appropriate. Where a request is straightforward, data is located quickly, and no exception assessment is required, executing deletion in a week is the standard a court would likely expect. Routinely taking close to a month for simple requests without documented operational justification would draw scrutiny.
Do we need to notify all data processors of an erasure request?
Under Article 19 GDPR, controllers must notify any recipient to whom personal data has been disclosed. Recipients include processors and any other third parties with access to the data. The notification obligation covers all recipients unless notification is impossible or involves disproportionate effort, in which case the controller must document why. Processors themselves are generally bound by Article 28 DPA obligations to support erasure, but you are responsible for ensuring those obligations are actually exercised.
If data is in encrypted backups we cannot decrypt, are we compliant without deleting it?
The EDPB's position, and the general DPA consensus reflected in the CEF report, is that reliance on backup encryption as a substitute for specific deletion procedures does not fully satisfy Article 17. Encrypted data in accessible backups is still personal data. The practical standard expected is a documented procedure for excluding the specific records from restoration, with verification evidence. Where that is technically impossible, the controller should document why and implement mitigating controls.
Does Article 17 require search engines to de-index content about a person?
Yes, under the logic established in Google Spain (C-131/12): search engines are independent data controllers for the personal data appearing in their results, and a data subject can request de-indexing directly from the search engine even if the underlying source page remains accessible. The controller obligation for GDPR-covered organizations is distinct: you are responsible for erasing data from your own systems. If you have also published content that appears in search results, you may have a separate obligation to request de-indexing from search engines if that content contains the data subject's personal information and no exception under Article 17(3) applies.
Does Article 17 apply to data processed under a contract (Article 6(1)(b) basis)?
The right to erasure under Article 17(1)(b) specifically applies when data processed on a contractual basis under Article 6(1)(b) is no longer necessary for the purpose of the contract. If a contract has ended and the data was only ever processed to perform it, the data subject can request erasure. Retention for post-contract legal claims requires documenting the legal claims exception under Article 17(3)(e), not simply asserting that the contract once existed.
Tracking Article 17 requests, documenting exception decisions, and managing backup erasure procedures across an organization are operationally demanding tasks without tooling support. Secure Privacy's Privacy & AI Governance Platform provides a managed DSAR workflow that covers erasure requests with built-in audit trail, retention schedule management, and integration with your records of processing activities. The platform is used by organizations in 50+ countries to handle data subject rights at scale.




