GDPR Consumer Rights Explained: Access, Erasure, and EDPB 2025-2026 Enforcement Trends

Consumers in the EU and beyond have powerful tools under the GDPR to control their personal data. Core rights include the right of access (Article 15), which lets individuals obtain confirmation of whether their data is being processed and access to that data, and the right to erasure (Article 17), often called the "right to be forgotten." Data controllers must respond to access requests within one month--for example, a request received on 5 March requires a response by 5 April at the latest.

These rights come with specific obligations for controllers, such as providing user-friendly channels and secure delivery methods. The European Data Protection Board (EDPB) has intensified scrutiny. Its 2025-2026 focus highlights implementation challenges, including a coordinated enforcement framework (CEF) action on erasure involving 32 data protection authorities (DPAs) and 764 controllers, plus upcoming emphasis on transparency under Articles 12-14.

This guide equips consumers with steps to exercise these rights effectively and helps controllers meet compliance demands amid rising regulatory attention.

Your Right of Access Under GDPR Article 15

The right of access enables consumers to verify the lawfulness of data processing and the accuracy of their personal data. Its purpose centers on providing sufficient, transparent, and easily accessible information about how personal data is handled, as outlined in Ius Laboris guidelines from 2022.

Data controllers bear key duties. They must offer appropriate, user-friendly communication channels that consumers can readily use to submit requests. Upon receiving a request, controllers have one month to respond. For instance, a request dated 5 March must be addressed by 5 April.

Controllers also decide the most suitable delivery method, such as post, encrypted email, or USB drive, ensuring security. These guidelines from Ius Laboris in 2022 underscore the need for straightforward processes.

Consumers can submit requests via email, online forms, or post, clearly stating they seek access under Article 15. Controllers should confirm receipt promptly and provide the data in a concise, intelligible format. This process supports consumers in understanding their data handling while allowing controllers to maintain secure and efficient operations.

The Right to Erasure (Article 17) and 'Right to Be Forgotten'

The right to erasure allows consumers to request deletion of their personal data under certain conditions, extending to data made public in an online environment--known as the "right to be forgotten." This applies when data is no longer necessary for its original purpose, consent is withdrawn, or processing lacks a lawful basis, as noted by the Data Protection Network in 2025.

Scope includes publicly available online data, where controllers must take reasonable steps to inform others processing the data about the erasure request.

The EDPB's 2025 CEF action on erasure implementation revealed significant hurdles. Involving 32 DPAs and reviewing 764 controllers, the 2026 report identified issues like inadequate staff training, misuse of exceptions under Article 17(3), challenges in defining retention periods, and difficulties deleting data from backups. These findings, covered by EDPB and Lexology, highlight ongoing practical barriers.

Consumers exercising this right should specify the grounds, such as withdrawn consent, while controllers must assess exceptions like legal obligations before acting. This right empowers consumers to remove outdated or unnecessary data, particularly online, but controllers face real-world implementation gaps as flagged by the EDPB.

EDPB's 2025-2026 Enforcement Priorities on Access, Erasure, and Transparency

The EDPB has ramped up coordinated efforts to address gaps in GDPR rights implementation. In 2025, it conducted its third coordinated action on the right of access, issuing a report on persistent challenges, as referenced by EDPB.

The 2025 erasure CEF action, detailed in the 2026 report, engaged 32 DPAs across 764 controllers, pinpointing training shortfalls, exception misuse, retention ambiguities, and backup deletion issues.

Looking to 2026, the EDPB's work programme prioritizes transparency and information obligations under Articles 12-14. This CEF action targets controllers' compliance with clear, accessible notices about data processing. Sources like LexisNexis and EDPB emphasize preparing for heightened scrutiny.

Consumers should set realistic expectations, knowing enforcement reveals systemic issues, while controllers can use these insights to strengthen internal processes. These priorities signal continued focus on practical compliance for both sides.

How Data Controllers Should Handle Consumer Rights Requests

Controllers play a pivotal role in upholding GDPR rights through efficient, compliant responses. For access requests, establish user-friendly channels like online portals or dedicated email addresses. Respond within one month, using secure formats such as encrypted email, post, or USB, as outlined in 2022 Ius Laboris guidance.

Erasure requests demand careful evaluation. Address EDPB-noted challenges by investing in staff training, clarifying retention periods, and developing procedures for Article 17(3) exceptions and backup deletions. The 2025 CEF metrics--32 DPAs and 764 controllers--illustrate the scale of these issues.

General best practices include acknowledging requests immediately, verifying identity securely, and documenting decisions. One-month timelines apply broadly, with extensions possible for complex cases if communicated. Proactive preparation aligns with the EDPB's 2026 transparency focus, ensuring layered information meets Articles 12-14 standards. By prioritizing these steps, controllers can reduce compliance risks and support consumer rights effectively.

Choosing the Right GDPR Request: Access vs. Erasure

Consumers and controllers alike benefit from matching the right request to the situation. Access suits scenarios needing verification, while erasure targets permanent removal, subject to exceptions.

Access provides quick insights into processing details for lawfulness checks, with a one-month response. Erasure tackles unnecessary or public data but faces hurdles like backups and legal holds.

Scenario | Best Right | Timeline/Notes
Verify if data is accurate and processing is lawful | Access (Article 15) | One month (e.g., 5 March request by 5 April); user-friendly channels, secure delivery
Remove personal data no longer needed or made public online | Erasure (Article 17) | One month; exceptions under 17(3), backups challenging per EDPB 2025 CEF
Check overall transparency in data handling | Access (Article 15) | Enables review of accuracy/lawfulness; supports broader transparency queries

Use access first to gather information before pursuing erasure, respecting controller limitations.

FAQ

How long does a company have to respond to a GDPR right of access request?

Companies must respond within one month; for example, a request received on 5 March must be answered by 5 April.

What are the main challenges companies face with the right to erasure?

Challenges include inadequate staff training, misuse of Article 17(3) exceptions, defining retention periods, and deleting data from backups, as identified in the EDPB's 2025 CEF action.

Does the right to erasure apply to data I've made public online?

Yes, it applies to personal data made public in an online environment, also known as the "right to be forgotten."

What will the EDPB focus on for GDPR transparency in 2026?

The EDPB's 2026 CEF action will target controllers' compliance with transparency and information obligations under Articles 12-14.

How should controllers deliver personal data in response to an access request?

Controllers choose the most appropriate secure form, such as post, encrypted email, or USB drive.

What happened in the EDPB's 2025 coordinated action on access rights?

The EDPB issued a 2025 report on its third coordinated action, identifying ongoing implementation challenges for the right of access.