The European Data Protection Board (EDPB) has launched its 2025 enforcement sweep targeting organizations' compliance with data subjects' right of erasure (right to delete or be forgotten), focusing particularly on how exceptions are applied. Thirty-two EU member state data protection authorities (DPAs) will participate in this year-long sweep that began March 5, 2025.
The EU General Data Protection Regulation provides that a data subject, including a job candidate, employee, consumer, and individual whose data is collected in the business-to-business context, has the right to request erasure of personal data related to them.
Organizations with employees in the European Economic Area or who otherwise are directly subject to the EU General Data Protection Regulation should review or update internal data subject access request practices, policies and privacy notices, verification processes, data retention schedules, and employee training to minimize risk in case of an inquiry from a national DPA.
The EDPB launches annual enforcement sweeps known as Coordinated Enforcement Framework actions or CEFs. CEFs are conducted by EU member state DPAs. CEFs review an organization's compliance with a specific principle or obligation under the EU General Data Protection Regulation. In the past, CEFs have reviewed the appointment of data protection officers and the implementation of the right of access.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
