European Data Protection Board (EDPB) guidance, opinions and enforcement action

The EDPB has published a series of updates that reflect its ongoing focus on harmonisation, practical guidance and coordinated supervision across the EU.

EDPB work programme

The EDPB Work Programme 2026–2027, adopted on 12 February 2026, sets out the Board’s strategic priorities for the next two years. Built on the EDPB Strategy 2024–2027 and the Helsinki Statement commitments, the programme aims to strengthen regulatory coherence, promote compliance and support both organisations and supervisory authorities across the EU.

A major priority is the development of updated and new guidance in areas where interpretation of the GDPR continues to vary. Topics expected to progress to final guidance include anonymisation, pseudonymisation, legitimate interest, children’s data, consent‑or‑pay models, scientific research processing and rights under the Law Enforcement Directive. Many of these reflect persistent challenges identified by regulators across Member States as well as organisations across the EU. Some also follow from the proposed digital omnibus, which has proposed changes to the GDPR.

The programme also emphasises the need to “ease compliance”, particularly for SMEs and public‑sector bodies. The EDPB plans to produce ready‑to‑use templates, including model legitimate‑interest assessments, records of processing activities, privacy notices, breach‑notification templates and DPIAs. This follows feedback gathered during the 2026 public consultation and supports a wider move toward practical tools, consistent documentation and streamlined operational compliance.

Overall, the work programme signals a shift towards accessible, user‑friendly guidance that balances innovation and competitiveness with fundamental rights in an increasingly complex digital‑regulatory environment. The provision of the guidance will be a positive step and will help data protection teams focus more time on what is important: protecting the rights and freedoms of data subjects.

Coordinated enforcement action – right to erasure / right to be forgotten

The European Data Protection Board (EDPB) has published its 2025 Coordinated Enforcement Framework (CEF) report, providing a comprehensive assessment of how organisations across the EEA implement the right to erasure under Article 17 GDPR. This right, which is frequently exercised and often mishandled, was assessed through coordinated investigations involving 32 Supervisory Authorities, offering one of the most detailed cross-sector compliance analyses to date.

For organisations, the findings serve as both a warning and an opportunity. While many continue to face structural compliance challenges, the report highlights clear, actionable steps to strengthen governance, improve data handling processes and reduce enforcement risk.

We have distilled the most relevant findings and implications to support organisations in aligning with regulatory expectations.

Key challenges

1. Lack of appropriate internal procedures

Many controllers did not have clear, documented and consistently applied internal processes for receiving, assessing and responding to erasure requests. The EDPB reports that this deficiency results in:

  • Delayed responses
  • Mishandled or overlooked requests
  • Inconsistent application of GDPR criteria
  • Poor record-keeping and traceability

These shortcomings were highlighted across the EU, including by Ireland, and reflect similar findings from the 2024 CEF on the right of access.

2. Insufficient information provided to data subjects

Controllers frequently did not provide adequate, transparent, or user-friendly guidance on:

  • The process for submitting an erasure request
  • The legal conditions and exceptions
  • Expected timelines
  • The outcome of the request and reasoning behind denials

This leaves individuals uncertain about how to exercise their rights and can increase the risk of complaints to DPAs.

3. Inefficient or improper use of anonymisation instead of deletion

A recurring problem across multiple jurisdictions was the incorrect substitution of anonymisation for actual deletion.

The issues included:

  • Use of weak or reversible anonymisation methods
  • Controllers assuming “masking” equalled deletion
  • Failure to ensure the impossibility of re-identification

DPAs found this approach particularly problematic because it does not satisfy the requirement to erase personal data entirely under GDPR.

4. Difficulty applying conditions and exceptions

Controllers struggled to correctly interpret Article 17:

  • Conditions (e.g., data no longer necessary, consent withdrawn, unlawful processing)
  • Exceptions (e.g., legal obligations, freedom of expression, public health, legal claims)

This complexity led to inconsistent balancing tests, frequent misapplication and contradictory decision-making across sectors.

5. Inconsistent practices around retention periods

Supervisory authorities reported that many organisations did not have:

  • Clear, justified retention schedules
  • Mechanisms to automatically delete data when retention periods expire
  • Documentation explaining why certain data must be retained

This leads to over-retention, delays in deletion, or uncertainty about when erasure is legally required.

6. Challenges deleting personal data from backups

Many controllers lacked the technical means or processes to erase personal data stored in backups. Challenges included:

  • Architectural limitations in legacy systems
  • Entire backup drives treated as indivisible units
  • Inadequate logging to identify data locations
  • Misconception that “backups don’t count” under the GDPR

7. Lack of staff training and awareness

A lack of proper training meant that employees:

  • Mishandled requests
  • Missed legal deadlines
  • Provided incomplete responses
  • Misunderstood legitimate grounds for refusal or acceptance

8. Over-reliance on manual workflows

Many organisations still rely on manual or partly manual systems to process erasure requests. This leads to:

  • Human error
  • Missed requests
  • Breakdown during internal transitions

Ireland’s case study provides a direct example: an erasure request was overlooked during a process change, prompting DPC intervention.

Actions to take now

Organisations should take steps to ensure they can meet right-to-erasure requests effectively and consistently. This includes identifying where requests are likely to arise, establishing clear and repeatable processes and strengthening governance around data‑subject rights. Enhancing internal procedures, clarifying roles and responsibilities and reducing reliance on manual workflows will all help minimise errors and delays. At Forvis Mazars, we are also building automation into our processes using accessible tools to support clients in managing these requests more efficiently.

Coordinated enforcement action – transparency

The EDPB has announced that its CEF for 2026 will focus on transparency. 25 supervisory authorities are taking part in this initiative, which will allow them to examine practices relating to Articles 12–14 of the GDPR.

How does the CEF work?

The supervisory authorities generally take the following steps when doing their investigations:

  • Send a questionnaire that will ask how your organisation informs individuals about the use of their personal data, for example, through privacy notices or other communications.
  • The questionnaire may be mandatory or optional, depending on how the relevant authority decides to use it, either as part of an investigation or simply to gather information.
  • Authorities will review the responses to identify common issues or gaps in compliance. Based on what they find, they may publish guidance, offer training, or take further action.
  • Investigations may follow if an organisation’s practices are severely lacking; this will depend on how the supervisory authority is treating the process.

In short, companies should be prepared to explain how they meet transparency requirements under the GDPR and to take action if their practices fall short.

The preparation should include a review of transparency practices in light of the EDPB guidance on transparency adopted from the previous Article 29 Working Party, written in April 2018: Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (European Data Protection Board).

Strengthening transparency practices

Undertaking a transparency audit can help ensure that privacy notices and related communications are up to date, accurate and capable of meeting regulatory scrutiny. This may include reviewing the clarity of information provided to individuals, checking the completeness of disclosures and assessing whether communications reflect current processing activities.
