Building on Lessons from the 2024 Focus on the Right to Access 

On March 5th, the European Data Protection Board (EDPB) revealed its 2025 Coordinated Enforcement Framework (CEF), prioritizing the enforcement of the data subject's right to erasure. This initiative will see 32 Data Protection Authorities (DPAs) from over 20 countries collaborate to address this vital aspect of GDPR compliance. The CEF, a key pillar of the EDPB’s strategy, promotes consistent enforcement and enhanced cooperation among DPAs by spotlighting a specific data protection right each year. 

What We Learned from the 2024 CEF on the Right to Access 

The 2024 CEF focused on the right to access and highlighted common pitfalls organizations face when managing access requests. Challenges included poorly documented internal procedures, excessively broad rejections of legitimate requests, and placing undue burdens on individuals seeking to exercise their rights. 

While details on specific enforcement actions were limited, Supervisory Authorities (SAs) took tangible steps to address these issues through formal investigations, increased regulatory oversight, and closer supervision. These efforts provided clear guidance to organizations, laying the groundwork for improvement. 

As the 2025 CEF transitions its focus to the right to erasure, the insights gained from last year’s enforcement campaign offer a crucial foundation for refining data protection practices and ensuring better compliance. 

What types of data are mainly concerned by the processing activity of the responding controllers?

What type of data subjects were mainly concerned with the processing activities of the responding controllers?

‍

Implications for Organizations in 2025 

The organizations targeted in the 2024 CEF were predominantly businesses processing a wide variety of data types regulated under the GDPR. The most common categories included contact information and payment data, with employees and customers being the primary data subjects. If your organization handles similar data, it’s likely you’ll be affected by the 2025 initiative focusing on the right to erasure. 

As data collection continues to grow, unchecked practices risk undermining individuals’ rights. Current challenges—such as inadequate internal processes, overly complex request procedures, and excessive authentication requirements—pose significant barriers to data subjects attempting to exercise their rights, including access and erasure. 

For organizations identified as non-compliant during the 2024 CEF, leniency was often extended in favor of guidance rather than penalties. However, those same organizations are unlikely to receive the same treatment in 2025 if deficiencies persist. 

Preparing for the 2025 Right to Erasure Enforcement 

To avoid enforcement risks, organizations should take proactive steps now to align with GDPR requirements. Key actions include: 

• Establishing clear, documented processes for managing data subject requests. 
• Ensuring compliance with rights such as access and erasure. 
• Simplifying procedures to make them transparent and user-friendly, avoiding unnecessary burdens on data subjects. 

The 2025 CEF will place a spotlight on organizations’ ability to effectively uphold the right to erasure. Those that fail to address past weaknesses or adapt their practices may face stricter regulatory consequences. Now is the time to prioritize robust data protection measures and demonstrate your commitment to safeguarding individuals' rights.