EDPB CEF 2024 & 2025: Data Subject Rights (& Wrongs)

The European Data Protection Board (“EDPB”) has launched its Coordinated Enforcement Framework (“CEF”) action for 2025, which will centre on the right to erasure under Article 17 of the General Data Protection Regulation (“GDPR”). This marks a thematic continuation of the EDPB’s focus on the implementation of data subject rights, following last year’s CEF action on the right of access.

The EDPB is composed of representatives from the various EU Data Protection Authorities (“DPAs”) and its goal is to ensure a consistent application and enforcement of the GDPR across EU Member States. The CEF is an action of the EDPB under its 2024-2027 strategy, which seeks to streamline enforcement and cooperation among DPAs. The reports that the EDPB produces with its findings from a CEF action usually contain key learnings which ought to be implemented by controllers seeking to ensure compliance with the GDPR.

CEF 2025 – The Right to Erasure

According to the EDPB, the right of erasure was chosen as the CEF action for 2025 because it represents one of the most commonly exercised rights under the GDPR and is a frequent source of complaints received by DPAs. Thirty DPAs across Europe, as well as the European Data Protection Supervisor, will take part in this initiative.

CEF 2024 – The Right of Access

Earlier this year, the EDPB adopted a report on the implementation of the right of access by controllers, arising from the 2024 CEF action (the “EDPB Report”). The 2024 CEF action involved 1,185 controllers of varying size, industry and sectors. The EDPB Report provides useful recommendations for controllers on how to comply with the right of access. In particular, it recommends that controllers assess access requests on a case-by-case basis. The EDPB Report further observed that controllers were less aware of the content of the ‘EDPB Guidelines 01/2022 on data subject rights – Right of access’ (the “Guidelines on Access Requests”) which provide extensive guidance to controllers on implementing right of access and the various exemptions available.

Around two-thirds of DPAs rated the compliance level of responding controllers as 'average' to 'high'. Higher compliance was observed among controllers receiving a larger volume of access requests and larger organisations. While a number of positive practices are included in the EDPB Report, there are also challenges identified, for which the EDPB has included non-binding recommendations:

What does this mean for controllers?

The EDPB Report on the right of access contains a plethora of recommendations for controllers on the handling of access requests. Controllers would be well advised to review their practices and policies related to access requests and to consider updating these to take account of the EDPB’s recommendations. The EDPB Report also recommends various updates to its Guidelines on Access Requests, for which controllers should keep an eye out.

Given the EDPB’s continued focus on compliance with data subject rights, particularly the right to erasure, into this year, we encourage clients to carefully assess their practices against rights related obligations more generally.

Register now for your free, tailored, daily legal newsfeed service.

EDPB CEF 2024 & 2025: Data Subject Rights (& Wrongs)

Filed under

Topics

Organisations

Laws

Popular articles from this firm

Ireland as a Location for MiFID Investment Firms 2025 *

EHDS Regulation: Secondary Use of Electronic Health Data *

Life Sciences: Update on National Strategy; Framework Agreements on Pricing and Supply of Medicines *

The Art of Defending - Ireland’s Security in an Uncertain World *

Turning Europe into a Biotech Powerhouse: Commission Unveils Biotech Act and Regulatory Simplification for Devices *

Professional development

Related practical resources PRO

Related research hubs

GDPR

European Union

IT & Data Protection