On March 5, 2025, the European Data Protection Board (EDPB) announced its latest initiative focusing on the right to erasure under Article 17 of the General Data Protection Regulation (GDPR). This coordinated enforcement action involves 32 EU Supervisory Authorities (SAs) and aims to strengthen compliance with data protection laws across the European Union.
This year, the EDPB has chosen the right to erasure as the focal point for coordinated enforcement, following 2024's emphasis on the right of access. Each year, the EDPB selects a specific issue to inspect, and this year's enforcement reflects the growing significance of ensuring individuals' rights over their personal data.
According to the EDPB, participating SAs will engage with companies to assess their implementation of the right to erasure. This engagement may take the form of questionnaires or formal investigations, asking how companies apply the conditions and exceptions that govern the exercise of this right. The findings from these inquiries will be compiled and analyzed, leading to the publication of a comprehensive report.
Adding to the discussion on data protection compliance, the Austrian Data Protection Authority (DSB) imposed a €5,000 fine on a company for appointing its managing director as its Data Protection Officer (DPO). The decision rested on a conflict of interest: the managing director was also a shareholder of the company, which made it impossible for him to operate independently.
The company, which operates as a diagnostic laboratory, provided testing services during the COVID-19 pandemic, employing around 200 staff members. Despite this large scale of operations involving sensitive health data, the company failed to properly report the appointment of its managing director as DPO to the DSB.
Article 37(1) of the GDPR requires the appointment of a DPO when an organization's core activities involve large-scale processing of sensitive data or the systematic monitoring of data subjects. The DSB emphasized that entities engaged in large-scale processing must carefully assess potential conflicts of interest associated with the DPO's position.
In defending the arrangement, the company argued that it had been efficient during the pandemic, since the managing director understood both roles well. Nevertheless, the DSB responded sharply, asserting, "Controllers must keep the DPO role free from conflicts of interest."
These two developments highlight the increasing scrutiny of data protection compliance within the EU, stressing the need for regulated organizations not only to adhere to GDPR requirements but also to safeguard the independence of their data protection officers.
Businesses engaged in significant personal data processing should proactively review their policies to avoid potential pitfalls. Strengthening the independence and authority of the appointed DPO, establishing clear reporting procedures, and remaining vigilant against conflict-of-interest situations can mitigate risk and bolster compliance with the GDPR.
Both the EDPB coordinated enforcement action and the fine imposed by the DSB serve as timely reminders of the essentials of data protection governance. Organizations must take their data responsibilities seriously to protect the rights of data subjects across the EU effectively.