Personal data must not be stored for longer than necessary. Once the purpose has been fulfilled, the data must be deleted or anonymised. Data controllers are responsible for determining when deletion should happen, and retention periods must be documented for each processing activity.
Retention periods are often impacted by various statutory rules, such as rules on bookkeeping or money laundering. As a result, retention periods vary significantly in practice and require substantial effort to ensure compliance. The new report from the European Data Protection Board (EDPB) shows that many companies are struggling with exactly that.
Some of the most common challenges include:
- Absence of documentation for handling erasure requests
- No or inadequate training of employees
- Insufficient information for data subjects
- Misuse of and legal uncertainty on the exceptions to deny erasure
- Issues with defining and implementing retention periods
- Deletion of personal data in the context of back-ups
- Difficulties with anonymisation to respond to erasure requests
On that basis, the EDPB recommends that companies:
- Establish internal procedures with clear deadlines and allocation of responsibilities
- Provide resources to enable role-specific training
- Ensure regular reviews of privacy notices with a focus on the right to erasure
- Clearly specify the statutory basis justifying the retention periods you apply
- Follow established procedures and standards for erasure of data
The report also showed that companies primarily receive erasure requests from customers, job applicants and employees.
iuno's opinion
The right to erasure is not absolute. Companies should therefore clearly understand each of the six grounds for erasure as part of their compliance work. At the same time, it is equally important to understand that you have the right to refuse a request for erasure subject to certain exceptions.
Besides defining retention periods, companies should establish clear procedures to ensure erasure. In this connection, iuno recommends also having internal procedures in place to follow up on whether erasure occurred as expected. Here, most companies will benefit from IT systems that enable them to incorporate retention periods into their ongoing compliance.
[European Data Protection Board’s report “Implementation of the right to erasure by controllers” of 10 February 2026]