The EDPB's 2025 Enforcement Action
The European Data Protection Board's 2025 Coordinated Enforcement Framework (CEF) action targeted GDPR Article 17 — the right to erasure. Thirty-two Data Protection Authorities across the EU and EEA simultaneously investigated how organizations respond to right-to-erasure requests. The coordinated approach was designed to identify systemic failures rather than individual outlier cases.
The findings identified seven recurring compliance challenges across the investigated organizations:
- Poorly documented internal procedures for processing erasure requests
- Excessively broad rejection of legitimate requests (using permitted exceptions too broadly)
- Undue burdens placed on individuals when they submit erasure requests
- Inability to locate all personal data across systems when processing an erasure request
- Excessive delays in processing requests beyond the GDPR's 30-day response window
- Insufficient communication to data subjects about the outcome of their requests
- Inefficient anonymization techniques used as an alternative to deletion — specifically flagged as organizations using technically defective "anonymization" that leaves data re-identifiable
Nine DPAs initiated formal investigations based on the CEF findings. The seventh recurring challenge — inefficient anonymization — is directly relevant to organizations that use anonymization as their primary data minimization strategy.
The Anonymization Alternative to Deletion
GDPR's right to erasure does not require deletion in all cases. Recital 65 notes that erasure can be accomplished through anonymization where deletion is not technically feasible (for example, in backup tapes or integrated analytics systems where individual record deletion would require system reconstruction).
The EDPB's CEF findings indicate that this alternative is being abused: organizations are claiming "anonymization" for data transformation that leaves the data technically re-identifiable — using the word to avoid the operational burden of actual deletion rather than to achieve the data protection outcome that anonymization is supposed to provide.
The distinction the EDPB is drawing: true anonymization — where the link between the data and the individual cannot be re-established by any means available to the data controller or any third party — removes the data from GDPR's scope and satisfies the erasure request. Pseudonymization — where re-identification is possible with the appropriate key — does not satisfy the erasure request; the data subject's personal data still exists and must be deleted or the key must be destroyed.
Practical Compliance Strategy
For organizations using anonymization as an alternative to deletion in analytics systems:
The correct architecture separates data ingestion (raw personal data) from data analysis (anonymized derivatives). Personal data in the ingestion layer is subject to erasure requests — when a data subject exercises Article 17 rights, the personal data in the ingestion layer is deleted. The anonymized derivatives in the analytics layer — if the anonymization was comprehensive and irreversible — need not be modified because they are no longer personal data.
This architecture requires that the anonymization at the boundary between ingestion and analysis be technically sound: irreversible (not tokenization), comprehensive (all identifier categories addressed), and documented (the organization can demonstrate to a DPA that the anonymization method meets the EDPB's standards). The retail company that anonymizes customer purchase history before analytics processing, replacing names and contact details with tokens under reversible encryption, has pseudonymized (not anonymized) the data — the analytics dataset still contains personal data that is subject to erasure requests.
Sources: