What's inside
An operational guide to handling Article 17 erasure requests under the EU GDPR. Built around the EDPB Coordinated Action Report published 18 February 2026, which surveyed 764 controllers across 32 DPAs and identified seven recurring challenges that organisations are failing on. Designed for DPOs, IG leads, privacy counsel, IT operations, and customer service teams who collectively own the end-to-end erasure response process.
35 pages of operational content covering:
Section 2: The EDPB 2025 Coordinated Action Report findings, including the seven recurring challenges, headline statistics (9 DPAs launched formal investigations, 23 conducted fact-finding exercises), and how each finding maps to specific sections of this guide
Section 3: The six substantive grounds for erasure under Article 17(1) including data no longer necessary, consent withdrawn, objection to processing, unlawful processing, legal obligation, and child consent
Section 4: The five exceptions under Article 17(3) including freedom of expression, legal obligation, public interest in public health, archiving and research, and legal claims
Section A: Receiving an erasure request including the nine channels through which requests arrive, recognition without GDPR terminology, identity verification proportionate to risk, and the over-collection trap the EDPB has criticised
Section B: Assessing the request with structured decision logic across substantive grounds and applicable exceptions
Section C: Executing erasure across all systems including production databases, CRM, marketing platforms, analytics, support history, processor systems, archives, and retired IT
Section D: Backups, the hardest part. The EDPB's most-criticised challenge. Includes the 'put beyond use' approach with documented safeguards, backup retention bounds, and architectural responses including pseudonymisation, tokenisation, and crypto-erasure
Section E: Article 17(2) onward notification when data has been made public, including reasonable steps to inform search engines and downstream controllers
Section F: Responding to the data subject within Article 12(3) one-month deadline, with day-by-day timeline and required response content
Section G: Documentation and evidence covering per-request files and aggregate metrics, addressing the EDPB's seventh recurring challenge
Section H: Where erasure touches ITAD, integrating the erasure obligation with retired IT equipment, in-transit devices, and the ITAD vendor relationship under Article 28
Section 14: Seven common EU Article 17 failures drawn directly from the EDPB report findings, with documented prevention steps
Appendix A: Article 17 decision flowchart with six steps from verifying the requester through to responding to the data subject
Appendix B: Three ready-to-use response templates for full erasure, partial erasure, and refusal outcomes that can be customised and used directly
Why this template
The EDPB Coordinated Action Report published on 18 February 2026 transformed Article 17 from a theoretical obligation into an active enforcement priority. 32 DPAs across the EU surveyed 764 controllers. Nine launched formal investigations. The Slovenian DPA reported that Article 17 complaints rose from 4 percent of all complaints in 2020 to 19 percent in 2024, a trajectory likely to accelerate. Erasure compliance is now firmly in regulators' crosshairs.
This template is built specifically around the EDPB findings. Each of the seven recurring challenges identified by the report maps to a dedicated operational section. The single most-criticised challenge, backup systems, has its own substantial section with a documented 'put beyond use' framework that meets EDPB expectations.
The integration with ITAD makes this template distinct from generic Article 17 guidance. Personal data subject to erasure obligations also sits on retired IT equipment, on devices in transit between custody points, and in the ITAD vendor's queue. Section H addresses this integration explicitly, with cross-references to companion templates.
The three response templates in Appendix B are ready to customise and use directly. Full erasure, partial erasure, and refusal outcomes each get a complete response template aligned to the Article 12(3) communication requirements.
Who it's for
DPOs, privacy counsel, Information Governance leads, customer service heads, IT operations leads, and senior management at organisations subject to the EU GDPR. Particularly relevant for organisations operating across multiple EU Member States, organisations preparing for DPA enforcement activity following the February 2026 report, and organisations whose data lifecycle includes regular IT asset disposition where erasure obligations and ITAD scheduling intersect.
Pairs with
EU WEEE Toolkit (NS-TPL-011) for complete Tier 3 EU regulatory coverage across data protection and environmental regimes. Also integrates with UK GDPR ITAD Compliance Checklist (NS-TPL-008) for dual-regime UK and EU operations, and with the foundational ITAD operational templates (NS-TPL-001 through NS-TPL-007).
Format: Microsoft Word (.docx) | 35 pages | Last updated: May 2026