EU-wide review by data protection authorities: Focus on deletion requests

Data protection supervisory authorities are currently scrutinising the practical handling of deletion requests as part of a Europe-wide coordinated audit campaign.
The measure is part of the ‘Coordinated Enforcement Framework’ (CEF), which was initiated by the European Data Protection Board (EDPB). The aim is to assess the implementation of the right to erasure in accordance with Article 17 GDPR in companies and public authorities and to promote comparable standards across the EU.
The core of the audit is a comprehensive catalogue of questions that is currently being sent to selected organisations by several national supervisory authorities, including in Germany. Among other things, this catalogue covers whether internal erasure concepts exist, how data controllers deal with exceptional cases, which technical procedures are used and how communication with data subjects is organised. Statistical information on the number and processing time of deletion requests is also requested.

It should be noted that although the questionnaire may initially appear to be a standardised survey instrument, it is actually a formalised regulatory measure. The data protection authorities expressly point out that follow-up measures are possible, for example in the event of incomplete, implausible or manifestly inadequate responses. In such cases, further checks, orders or even sanctions may follow.

Especially if you have been the recipient of such a questionnaire, you should review your internal processes in a structured manner. Organisations that process personal data - especially special categories within the meaning of the GDPR - are well advised to seek professional support. The involvement of data protection expertise, for example from external consultants or your own data protection officer, can help to identify weaknesses at an early stage, develop legally compliant erasure concepts and meet the requirements of the supervisory authorities. This not only strengthens your own compliance, but also protects you from legal and financial risks in the event of further audits or complaints.

Further information on the European audit initiative can be found on the website of the EDPB or the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia:

https://www.edpb.europa.eu/coordinated-enforcement-framework_de

https://www.ldi.nrw.de/CEF_2025

Zurück

Name	Zweck	Ablauf	Typ	Anbieter
`CookieConsent`	Speichert Ihre Einwilligung zur Verwendung von Cookies.	1 Jahr	HTML	Website
`fe_typo_user`	Dieser Cookie wird gesetzt, wenn Sie sich im Bereich myGINDAT anmelden.	Session	HTTP	Website
`PHPSESSID`	Kurzzeitiger Cookie, der von PHP zum zwischenzeitlichen Speichern von Daten benötigt wird.	Session	HTTP	Website
`__cfduid`	Wir verwenden eine "Content Security Policy", um die Sicherheit unserer Website zu verbessern. Bei potenziellen Verstößen gegen diese Policy wird ein anonymer Bericht an den Webservice report-uri.com gesendet. Dieser Webservice lässt über seinen Anbieter Cloudflare diesen Cookie setzen, um vertrauenswürdigen Web-Traffic zu identifizieren. Der Cookie wird nur kurzzeitig im Falle einer Bericht-Übermittlung auf der aktuellen Webseite gesetzt.	30 Tage/ Session	HTTP	Cloudflare/ report-uri.com

Name	Zweck	Ablauf	Typ	Anbieter
`_pk_id`	Wird verwendet, um ein paar Details über den Benutzer wie die eindeutige Besucher-ID zu speichern.	13 Monate	HTML	Matomo
`_pk_ref`	Wird verwendet, um die Informationen der Herkunftswebsite des Benutzers zu speichern.	6 Monate	HTML	Matomo
`_pk_ses`	Kurzzeitiger Cookie, um vorübergehende Daten des Besuchs zu speichern.	30 Minuten	HTML	Matomo
`_pk_cvar`	Kurzzeitiger Cookie, um vorübergehende Daten des Besuchs zu speichern.	30 Minuten	HTML	Matomo
`MATOMO_SESSID`	Kurzzeitiger Cookie, der bei Verwendung des Matomo Opt-Out gesetzt wird.	Session	HTTP	Matomo
`_pk_testcookie`	Kurzzeitiger Cookie der prüft, ob der Browser Cookies akzeptiert.	Session	HTML	Matomo