
Data protection digest 3-17 Feb 2026: When using anonymisation for deletion, controllers have differing degrees of success – EDPB

Data deletion requests

Throughout 2025, 32 supervisory authorities across the EU/EEA launched coordinated investigations into controllers’ compliance with the right to erasure under the GDPR. Now, the EDPB has published a report of the findings. As the right to deletion is not absolute, some controllers face difficulties in assessing and applying the conditions for exercising this right, including in conducting the balancing tests between the right to erasure and other rights and freedoms. Many regulators raised concerns regarding controllers not having:

  • an internal procedure or practice to handle erasure requests, or only an incomplete or irregularly reviewed one,
  • specific procedures and measures to handle erasure requests in the context of back-ups,
  • staff training,
  • information provided to data subjects,
  • legal certainty on the exceptions for denying erasure requests, and
  • data retention periods, etc.

Multiple regulators found that controllers relying on anonymisation for deletion have varying degrees of success in implementing it correctly. In some cases they apply only basic pseudonymisation or partial masking, even though such processing does not meet the GDPR's requirements for deletion.
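As an added illustration (not from the EDPB report or this digest), the following Python re-identification check shows why partial masking and keyed pseudonymisation leave a record linkable to a person, while actually dropping the identifiers does not. The record, the controller-held key and the strategy functions are constructed assumptions for the example.

```python
import hashlib
import hmac
import re

# Constructed sample record and controller-held key (assumptions for this example,
# not data from the EDPB report). The key is retained, so the mapping stays reversible.
RECORD = {"id": 1042, "email": "anna.lindqvist@example.org", "city": "Malmo", "total": 129.0}
PSEUDO_KEY = b"controller-secret-key"
DIRECT_IDENTIFIERS = ("id", "email")

def partial_mask(rec):
    """'Deletion' by masking: keeps the first letter and the domain of the e-mail."""
    out = dict(rec)
    local, _, domain = rec["email"].partition("@")
    out["email"] = local[0] + "***@" + domain
    return out

def pseudonymise(rec):
    """'Deletion' by keyed pseudonym: HMAC of the e-mail under the controller's key."""
    out = dict(rec)
    out["email"] = hmac.new(PSEUDO_KEY, rec["email"].encode(), hashlib.sha256).hexdigest()
    return out

def anonymise(rec):
    """Actual erasure of the identity: drop direct identifiers, keep non-identifying fields."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}

def still_identifiable(processed, known_subjects, key=None):
    """True if whoever holds `key` plus a list of known data subjects can re-link the
    processed record to a person, i.e. it is still personal data, not erased."""
    if "email" not in processed:
        return False
    value = processed["email"]
    for subject in known_subjects:
        expected = hmac.new(key, subject.encode(), hashlib.sha256).hexdigest() if key else None
        if expected is not None and hmac.compare_digest(expected, value):
            return True  # pseudonym recomputed from the retained key: reversible
        local, _, domain = subject.partition("@")
        if re.fullmatch(re.escape(local[0]) + r"\*+@" + re.escape(domain), value):
            return True  # mask pattern matches a known address
    return False

def erasure_outcomes(rec, known_subjects):
    """Per strategy: True means the record no longer identifies the data subject."""
    strategies = {"partial_mask": partial_mask, "pseudonymise": pseudonymise, "anonymise": anonymise}
    return {name: not still_identifiable(fn(rec), known_subjects, PSEUDO_KEY)
            for name, fn in strategies.items()}
```

The check treats the controller as still holding the pseudonymisation key, which is exactly the situation in which a pseudonymised record remains personal data rather than erased data.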


Interestingly, the majority of the polled controllers (out of 764) had not received a single request for erasure in the last two years. While controllers were often chosen due to being in certain particular situations (processing sensitive data, processing a very large amount of data, etc.), about 70% of controllers still received fewer than 10 requests per year. Also, it appears that certain profiles are less likely to exercise their rights (eg, applicants in public services, citizens toward public services, contractors, or job applicants/employees) while others seem less hesitant to do so (eg, potential customers).

Main developments 

Digital omnibus and GDPR simplification: The EDPB and EDPS issued a long-awaited statement on simplification of the digital legislative framework in the EU. Among many things, they advised against the proposed changes to the definition of personal data. The changes go far beyond a targeted modification of the GDPR, a ‘technical amendment’ or a mere codification of CJEU jurisprudence.

Defining what is no longer personal data directly affects and narrows the scope of application of EU data protection legislation and should not be addressed in an implementing act, say the regulators. The full opinion in the context of GDPR, AI Act, and ePrivacy Directive can be read here.

UK data reform: Meanwhile, in the UK, on 5 February, the main provisions of the Data Use and Access Act 2025 came into force, amending the UK GDPR and the Data Protection Act 2018. These include: a new ‘recognised legitimate interests’ legal basis for data controllers, cookie consent exemptions, data reuse permissions, the use of automated decision making, more relaxed international transfers of personal data, and, in some cases, limits on data subject access requests, etc.

Age-appropriate code design


On February 5, South Carolina signed Age-Appropriate Code Design into law, after it was previously adopted by California, Maryland, Nebraska, and Vermont. According to JD Supra analysis, covered online services must exercise “reasonable care” in the use of a minor’s personal data and the design and operation of the covered online service. This includes features that:

  • Decrease minors’ time and activity on the service to prevent compulsive usage, severe psychological harm, and privacy intrusions,
  • Opt minors out of “personalisation recommendation systems” by default,
  • Set personal data settings to the highest level of protection by default, and
  • Collect, use, share, or retain the minimum amount of a minor’s personal data “necessary” to provide the specific elements of the covered online service, etc.

More from supervisory authorities

DPO role: Under EU law, all EU institutions, bodies, offices and agencies (EUIs) are required to appoint a data protection officer (DPO). To strengthen the effectiveness and independence of this function, the EDPS has adopted two key documents clarifying the role and protection of DPOs within EUIs: 

They provide practical and up-to-date guidance on the designation of DPOs, their institutional positioning, the guarantees of independence attached to the function, and the responsibilities entrusted to them. 

Cybersecurity exercise: ENISA offers a methodology providing an end-to-end theoretical framework for planning, running and evaluating cybersecurity exercises. It ensures that the right profiles and stakeholders are involved at the right time, and provides theoretical material based on lessons identified, industry best practices and cybersecurity expertise. Download the guide and the support toolkit templates here.

Games age limitation: The French government, on 4 February, adopted a decree on the experimentation of games with monetisable digital objects. It requires, among other controls, that the opening of a player account be refused for any minor, or before the identity and age of the applicant have been verified. The enterprise offering a game must document the arrangements used for verification, carry out regular checks, and be able to demonstrate the effectiveness and compliance of those arrangements to the National Gaming Authority.

How to deal with data protection complaints


The updated UK ICO guidance reminds organisations what they must do to meet the new requirements on giving people a way to raise data protection complaints, as set out in the Data Use and Access Act, although these requirements do not come into force until 19 June 2026. At a glance, the law says organisations must:

  • Give people a way of making data protection complaints;
  • Acknowledge receipt of complaints within 30 days of receiving them;
  • Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed;
  • Without undue delay, tell people the outcome of their complaints.

Read practical advice on each of these points in the original publication.

In other news

CNIL sanctions statistics: Cookies, employee surveillance and data security were the main subjects of the penalties imposed by the French data protection authority CNIL in 2025, the cumulative amount of which totalled 486,839,500 euros. Insufficient security of personal data, lack of cooperation with the CNIL and failure to respect the rights of individuals were the three main reasons for sanctions under the recently introduced simplified procedure. Numerous formal notices targeted websites that allowed cookies and other trackers to be placed without respecting individuals' consent, either by not allowing them to refuse in a simple way, or by not taking into account the withdrawal of users' consent.

In addition, the regulator often sanctioned subcontractors (processors) for non-compliance with their obligations concerning the data entrusted to them, in particular:

  • implementing appropriate technical and organisational measures to ensure an adequate level of security;
  • only processing data on the instructions of the data controller;
  • deleting the data at the end of their contractual relationship with the data controller.

OpenClaw AI: The Dutch data protection authority AP warns against the use of OpenClaw, an AI agent tool that has become popular since last year. The platform provides users with an AI assistant to install, which can perform tasks autonomously. For that, the user has to give it full access to their computer and programs, including email, files and online services. The platform can also be vulnerable to hidden commands embedded in websites, emails and chat messages. This can lead to account takeover, the reading of personal data and the theft of access credentials.


More enforcement decisions

Amazon Italy investigation: On 9 February, the Italian data protection authority Garante and the National Labour Inspectorate announced an investigation into Amazon regarding the processing of workers’ personal data and the use of video surveillance systems. The investigation will examine the company’s logistics hubs, with a particular focus on the distribution centres in Passo Corese and Castel San Giovanni, to determine the extent to which monitoring practices comply with the legal requirements stipulated within the Workers’ Statute, digitalpolicyalert.org reports. 

Dutch municipalities fined: The Dutch data protection authority AP fined 10 municipalities 250,000 euros for processing sensitive information without consent, according to DataGuidance. Violations included processing data on religious beliefs, family relationships, political views, and criminal or terrorism-related information. The municipalities processed this sensitive information (obtained from an external research bureau, amid national counter-radicalisation efforts) without valid consent.

Swiss cookie redress case: Digitec Galaxus informed the Swiss privacy regulator FDPIC that it had implemented its formal recommendation that customers be given the option to object to the processing of their personal data for marketing purposes. Following criticism over excessive data processing, users can now disable personalisation with one click (one-click opt-out), whereby the corresponding cookies are automatically disabled. To that end, the registration form now explicitly mentions personalisation and the right to object, and the privacy policy has been updated accordingly.

And Finally

Data brokers warning in the US: The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024. It prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which includes North Korea, China, Russia, and Iran, or to any entity controlled by those countries.

The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behaviour information, etc.
