EDPB Report: GDPR Right to Erasure Challenges & Compliance

The European Data Protection Board (EDPB) has published a report identifying recurring problems with how organisations handle requests to delete personal data. According to the EDPB, the report was adopted on 18 February 2026 and focuses on the right to erasure under Art.17 GDPR, one of the most frequently exercised rights under the regulation.

What happened?

The EDPB coordinated a Europe-wide enforcement exercise throughout 2025, involving 32 data protection authorities (DPAs) across the continent. A total of 764 controllers took part, ranging from small and medium-sized businesses to large companies and public bodies across many different industries.

Nine DPAs opened or continued formal investigations as part of the exercise. A further 23 carried out fact-finding work. The results were then combined and analysed to give a picture of how well organisations are actually handling erasure requests in practice.

The report identifies seven recurring challenges that are getting in the way of full compliance, though the EDPB source does not list each challenge individually by name. Alongside the challenges, the report also highlights good practices and includes a series of recommendations addressed to controllers.

What comes next?

According to the EDPB, follow-up is planned at both national and EU level. National guidance and templates developed during the exercise will also be used to inform broader EDPB-level guidance on the topic. This means further clarification for businesses on how to handle erasure requests correctly is likely to follow.

What does this mean for your website?

If your website collects personal data, such as customer email addresses, contact form submissions or account details, your visitors have the right to ask you to delete that information under Art.17 GDPR. This report is a signal that DPAs across Europe are paying close attention to how businesses respond to these requests, so it is worth reviewing your process now. You can start with our GDPR compliance checklist and check whether your privacy policy explains how customers can exercise their rights.