Unlike Simple Minds in their hit song, when exercising their rights under Article 17 GDPR, data subjects hope that the relevant controller will forget all about them.

The right to erasure, also known as the right to be forgotten, was embedded within the GDPR having been established by the Grand Chamber of the CJEU in the case of C-131/12 - Google Spain and Google under the GDPR’s predecessor, Directive 95/46/EC, the Data Protection Directive, which required that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful”.

Article 17 GDPR applies to all data controllers and requires the deletion of personal data without undue delay in circumstances where either: the personal data are no longer necessary for the lawful purpose(s) for which they were collected or processed; the lawful basis for processing was consent which is withdrawn and no other lawful basis applies; the lawful basis for processing is legitimate interests and the data subject objects to processing under Article 21(1) GDPR and there are no overriding legitimate grounds for the processing; the processing is for the purposes of direct marketing based on legitimate interests and the data subject objects; the personal data have been processed unlawfully; personal data are required to be erased to comply with legal obligations; or, the personal data was collected in the context of offering information society services to a child.

In July 2020, the EDPB published guidelines on the ‘criteria of the Right to be Forgotten in the search engines cases under the GDPR’, which indicate that search engines must demonstrate compelling legitimate grounds to refuse a request where a data subject objects to processing and, if it is able to do so, must then balance the competing rights and interests giving consideration to factors relevant to ongoing inclusion, including whether it: causes detriment for a data subject when applying for jobs; undermines the data subject’s reputation in their personal life; pertains to the individual’s role in public life; affect the individual’s privacy; includes information which is unlawful, such as hate speech, defamatory content or material prohibited by court order; propagates material which constitutes misinformation or disinformation; and/or, the material relates to a relatively minor criminal offence that happened a long time ago and causes prejudice to the data subject.

While the guidelines recognise that the exercise of the right to freedom of expression and information, including by internet users, can afford a basis to decline a request, it further recognises that this requires a “preponderant interest of the general public in having access to the information in question” and that the continued processing be strictly necessary, and that the right will be strongest in relation to the original publisher rather than the relevant search engine.  

On 05 March 2025, the European Data Protection Board (EDPB) announced that it was launching its Coordinated Enforcement Framework action for 2025 under Article 62 GDPR focusing on the Article 17 GDPR right to erasure or right to be forgotten.

Data protection supervisory authorities across Europe will utilise the enforcement powers that they are required to be afforded under national law by Article 58 GDPR, including the power to require information to be provided and to access all personal data necessary to fulfil their tasks.

Previous sweeps have addressed the use of cloud-based services by the public sector, the designation and position of data protection officers (DPOs) and, the right of access.

We anticipate that, like in previous instances, the co-ordinated enforcement action will comprise three stages:

1. A fact-finding exercise comprised of independent research by supervisory authorities and requests to relevant entities requesting information through a questionnaire;

2. An assessment of the results of the fact-finding exercise to determine whether a formal investigation is warranted;

3. If necessary, commencement of formal enforcement action.

It is likely that the action will result in further enforcement action, such as audits or penalties.

A report will subsequently be published on the outcome of the exercise, which we would expect in early 2026.

We anticipate that the CEF action could target in particular search engines, media publishers and social media and other information society services that process children’s personal data, among others across the EU. These organisations in particular would be well-advised to review their approach to handling such requests 

Since Brexit, the Information Commissioner’s Office no longer participates in the EDPB or its sweeps, but the UK has entered into Memoranda of Understanding with several supervisory authorities including the Irish Data Protection Commission so there is scope for information sharing regarding potential breaches.   

If your organisation receives a questionnaire in the context of the action, you should give it due priority and complete it with care, offering any available context to figures being disclosed.

At Handley Gill, our consultants have advised clients on completing responses to CEF questionnaires. If you require support, contact us.

Find out more about our data protection and data privacy services.