GDPR-Compliant Data Erasure Policy Within the Company

In many companies, a large amount of personal data is processed in various digital and analog systems. However, companies are subject to a data erasure obligation under the General Data Protection Regulation (GDPR). This means they are required to erase personal data when it is no longer necessary and there are no legal retention obligations. The revised statutory retention periods that came into effect in 2025 must also be taken into account. This erasure obligation applies regardless of whether the data was used internally or shared with third parties.

A systematic data deletion strategy within the company is therefore essential to fulfill these obligations in a legally compliant and efficient manner.

EU-Wide Audit Initiative on Requests for Erasure

Under certain conditions, pursuant to Article 17 of the GDPR, a data subject has the right to request that the controller erase their personal data. In May 2025, the European Data Protection Board (EDPB) launched a coordinated audit initiative under its "Coordinated Enforcement Framework (CEF) 2025", focusing on the right to erasure under Article 17 of the GDPR. The initiative aims to assess the effectiveness and practical implementation of erasure requests in companies across Europe.

German data protection supervisory authorities are also actively involved in this audit. Among others, the authorities from Baden-Württemberg, Brandenburg, Mecklenburg-Western Pomerania, Lower Saxony, North Rhine-Westphalia, and Rhineland-Palatinate are participating in the initiative.

Companies across Germany are being contacted and required to complete mandatory questionnaires on the handling of erasure requests, often accompanied by mandatory self-assessments, such as in Baden-Württemberg.

Key Considerations for Companies:

  • Establish clear processes within the company: Define procedures for handling erasure requests within your organization. In particular, ensure that the processing of each erasure request is fully documented.
  • Review systems: Implement a GDPR-compliant automated erasure process in your company's IT systems.
  • Communicate with employees: Existing processes should be communicated to all relevant employees, for example through a company policy on handling erasure requests or via training sessions.
  • Regular internal review: The deletion policy should be reviewed regularly to ensure it remains up to date.

Our firm is here to support you throughout this process. We provide practical advice on how to effectively implement such a deletion policy in your company. We assist you with legal expertise in defining tailored requirements, identifying relevant systems, and establishing legally compliant documentation processes within your organization.