On February 18, 2026, the European Data Protection Board (EDPB) published the final report of the coordinated action on the right to erasure under Article 17 of the GDPR. The survey, conducted in 2025 by 32 supervisory authorities among 764 data controllers—including businesses and public bodies—highlighted seven main critical issues. Among these, the lack of effective internal procedures, insufficient information provided to data subjects, the use of insecure anonymization techniques, and uncertainty regarding retention periods and the deletion of data in backups stand out.

The report highlights the gap that still exists between the technical concept of “erasure” and its correct legal application. In fact, many data controllers consider operations such as hashing (i.e., transforming data into an alphanumeric string via an algorithm), masking (partial obscuring of data, such as hiding part of a tax ID), or other reversible methods (techniques that make the link to the individual less visible but do not eliminate it) to be equivalent to permanent deletion. However, if the data remains traceable to an individual, it continues to be subject to the provisions of the GDPR.

Similarly, the obligation is not considered fulfilled if the information remains in backup or disaster recovery systems, even if it is no longer visible in the operational systems.

The EDPB emphasizes that the right to be forgotten is no longer measured solely in formal terms, but in terms of the actual organizational and technological capacity to ensure the effective and definitive erasure of data.