EDPS participates in fourth Coordinated Enforcement Action: focus on the right to erasure of personal data

Demonstrating our commitment to the consistent application and enforcement of data protection across the EU institutions (EUIs) and the EU as a whole, the EDPS is participating in the European Data Protection Board’s (EDPB) Coordinated Enforcement Action on the right to erasure of personal data.

This is the fourth Coordinated Enforcement Action that the EDPS partakes in alongside 31 data protection authorities (DPAs) of the European Economic Area, since the launch of the initiative, under the Coordinated Enforcement Framework, in 2022. Prior topics concerned the role of data protection officers, the use of cloud services in the public sector, and the right of access to personal data in the EU institutions, bodies, offices and agencies (EUIs) and across the EU.

Wojciech Wiewiórowski, EDPS, said: “With our involvement in this Coordinated Enforcement Action, we walk the talk by continuously advocating for a coherent application of EU data protection law, and the consistent protection of individuals’ personal data, across the EU/EEA. The right to erasure empowers individuals to reclaim their identity in the digital world. It is a complex right to ascertain, therefore our role is to ensure that it is correctly understood and applied within the EUIs.”

The right to erasure - or right to be forgotten - is enshrined in Article 19 of Regulation (EU) 2018/1725 (EUDPR), the EU data protection law for EUIs, and in Article 17 of the General Data Protection Regulation (GDPR) for EU/EEA countries, that have similarities. This right allows individuals to maintain control over their personal data, by requesting its deletion from EUIs or EU/EEA’s public or private entities that are processing this personal data. It is the most frequent right that individuals ascertain.

Importantly, the right to erasure (or right to be forgotten) is not an absolute right; exceptions exist under the EUDPR and GDPR, such as, in the case of compliance with a legal action, for public interest. Therefore, each request to erasure from individuals needs to be analysed on a case-by-case basis by controllers who decide on the processing of individuals’ personal data based on a justified and legal reasoning. The right to erasure therefore challenges the delicate balance between the right to data protection and the collective memory of society.

To carry out this Coordinated Enforcement Action, the EDPS will conduct a fact-finding exercise, including a questionnaire to EUIs’ controllers, based on the analysis of complaints by individuals regarding the right to erasure, to check how they apply the legal obligations of this right.  As a follow-up, the EDPS will summarise its findings, draw conclusions on the best and worst practices found, and identify areas for improvement.

The results of this joint action will also be analysed in a coordinated manner with the other DPAs of the EU/EEA to decide on further supervision and enforcement actions, if necessary. The EDPB will publish a report on the outcome of this analysis, once the coordinated enforcement action concludes.