Article 17 GDPR in the EDPB's Next Coordinated Action

Germany

The European Data Protection Board (EDPB) makes the right to erasure (Article 17 GDPR) the subject of the Coordinated Action of data protection authorities for 2025

The topic of the next Coordinated Action of the European data protection supervisory authorities for 2025 is the right to erasure – one of the most important rights of data subjects in practice. This gives us a good reason to take a closer look at Article 17 GDPR.

In accordance with their Coordinated Enforcement Framework (CEF), the data protection authorities select a prioritised and usually particularly practice-relevant topic for what they call their Coordinated Action each year. The CEF aims to "streamline" and optimise the implementation of the GDPR and cooperation between national data protection supervisory authorities in the EU. The individual national authorities can join the Coordinated Action on a voluntary basis. The results of the national measures are then summarised in reports and jointly analysed to gain deeper insights into the issue and enable a targeted follow-up at both the national and EU level.

In 2025 the Coordinated Action will focus on Article 17 GDPR

The topic selected for 2025 was the implementation of the right to erasure by data controllers in accordance with Article 17 GDPR. This is (alongside the right of access) one of the most important rights of data subjects under the GDPR and is often asserted together with, or following, a data access request. The right to erasure (Article 17 GDPR) is one of the rights most frequently exercised by data subjects vis-à-vis enterprises that process their data. It is just as often the subject of complaints to the supervisory authorities.

The aims of the Coordinated Action include evaluating the implementation of the right to erasure in practice. The action itself is due to be launched in the first half of 2025. The Coordinated Action on the right to erasure is the fourth initiative under the CEF. The Coordinated Actions in previous years focused on the use of cloud services by the public sector (2022), the role and acknowledgement of the data protection officer (2023) and the right of access (2024). The report on the right of access is scheduled to be released at the beginning of 2025.

The right to erasure pursuant to Article 17 GDPR

The regulatory content of Article 17 GDPR is complex and only becomes clear on closer inspection.

Obligation to erase

Article 17 (1) GDPR firstly stipulates that personal data must be erased by the data controller without undue delay if one of the reasons listed in Article 17 (1) GDPR applies, either at the request of the data subject or, under certain conditions, without any request and thus on the controller's own initiative. The obligation to erase therefore not only exists in the event of a "request for erasure" by a data subject, but also arises automatically if one of the reasons listed in Article 17 (1) GDPR applies. It follows from this obligation that the data controller must check at regular intervals whether their processing of personal data is (still) lawful and must establish time limits for regular review and erasure (see recital 39 GDPR, time limits for erasure, periodic reviews). This obligation is closely related to the principles of purpose limitation, data minimisation and storage limitation (Article 5 (1) (b), (c) and (e) GDPR). In the past, violations of this obligation have been punished with sometimes substantial fines. Like violations of other provisions of the GDPR, violations of Article 17 GDPR may also give rise to compensation claims in accordance with Article 82 GDPR.

The following reasons for erasure are important from a practical perspective:

  • Cessation of purpose, i.e. the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed – Article 17 (1) (a) GDPR: This alternative exists, for example, if the data have been processed to establish or perform a contract and the contract has been fulfilled (exception: retention obligations, see below).
  • Withdrawal of consent if there is no other legal basis for (further) processing – Article 17 (1) (b) GDPR: This alternative includes, for example, cases in which the data subject had given consent for a newsletter to be sent but has withdrawn this consent.
  • An objection by the data subject – Article 17 (1) (c) GDPR in conjunction with Article 21 (1) or (2) GDPR: An objection under Article 21 (1) GDPR is often raised if processing is based on a legitimate interest (Article 6 (1) (f) GDPR). Objections under Article 21 (2) GDPR relate to direct marketing, e.g. by post.
  • The unlawful processing of data – Article 17 (1) (d) GDPR: Data must of course be erased if the processing of the data was unlawful, i.e. if there is no legal basis for it.

The right to erasure and the obligation to erase are directed at "data controllers" (Article 4 (7) GDPR). In addition to the entities that originally process the data of a data subject (in the above examples, the advertisers or the enterprises that have concluded a contract with the data subject), "data controllers" can also be search engine operators, as, according to case law, they carry out independent data processing by compiling and presenting search results to users. Often a request for a search engine operator to delist personal data is based on an objection pursuant to Article 21 (1) GDPR in conjunction with Article 17 (1) (c) GDPR.

Right to be forgotten – "Wiping all traces"

The "right to be forgotten" is regulated in Article 17 (2) GDPR. As per the saying "the internet never forgets", this right applies above all to processing operations in which personal data are processed on the internet and can therefore be retrieved and reproduced indefinitely. The right to be forgotten is aimed at "wiping all traces" of personal data that are accessible to the general public through publications, in particular on the internet. The data controller who made the personal data public and is required to erase them has a duty to provide certain information to others: they must inform other data controllers processing the data that the data subject has requested the erasure of all links to the data and of all copies or replications of the data. They must take suitable measures, including technical measures, to fulfil this duty to provide information, taking into account the available technologies and the implementation costs. Implementing this duty to provide information can be difficult in practice, as the original data controller will not know all the controllers processing the data, especially in cases where the data are disseminated on the internet. The extent of their duty to perform a search and provide information varies from case to case. In any case, the biggest internet search engine providers must be informed of the erasure request at a bare minimum. In contrast to the obligation to erase, which is geographically limited to the EU, the duty to provide information can apply worldwide.

Exceptions from the obligation to erase personal data

Under certain conditions, there are exceptions to the obligation to erase personal data (Article 17 (3) GDPR). The most important exceptions from a practical point of view are:

  • Right of freedom of expression and of information – Article 17 (3) (a) GDPR: Insofar as processing is necessary to exercise these rights, there is an exception to the obligation to erase. The point behind this is to prevent the right of freedom of expression and the right of information from being undermined by data protection law. This applies in particular to publications in the press and other media. However, the exception always requires a balancing of these rights on the one hand and the rights of the data subject on the other. This exception does not apply to internet search engine providers, as, according to the CJEU, they cannot invoke the aforementioned rights themselves. The CJEU nevertheless also applies Article 17 (3) (a) GDPR in these cases and thus indirectly takes into account the freedom of expression and information of publishers and internet users.
  • Compliance with a legal obligation: The data controller is subject to a legal obligation which requires the processing of the data – Article 17 (3) (b) GDPR: Data that must be retained due to a legal obligation (e.g. under commercial or tax law) may not be erased by the data controller. The data controller is therefore caught between their obligation to erase the data on the one hand (e.g. due to a completed contract) and a legal obligation to retain or document the data (such as the content of the contract, invoices, etc.) on the other. It is worth bearing in mind that full access to the data is not usually required for the (changed) purposes of fulfilling retention and documentation obligations, meaning that in these cases "blocking" the data, combined with access restrictions to the data, is often the method of choice.

So far, the EDPB has only adopted one guideline on one aspect of the right to erasure

Guideline 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) deals with the right to be delisted by online search engines as part of the right to be forgotten. In essence, this involves data subjects demanding that search engine providers remove one or more links to webpages from the results displayed following a search made on the basis of their name. The guideline therefore only applies to search engine providers as "data controllers" and to delisting requests submitted by data subjects.

Conclusion for practice: Review and implement the requirements of Article 17 GDPR at an early stage

Violations of the rights of data subjects under the GDPR, such as Article 17 GDPR, can result in fines and claims for compensation. The right to erasure is an important issue that enterprises need to consider as part of their data protection compliance, risk management and the organisation of their operational business processes. The result of the Coordinated Action is therefore of considerable practical importance for enterprises and should be taken into account when implementing the requirements under Article 17 GDPR.

The CMS Enforcement Tracker provides an overview of GDPR fines.