Data protection supervisory authorities are currently scrutinising the practical handling of deletion requests as part of a Europe-wide coordinated audit campaign.
The measure is part of the ‘Coordinated Enforcement Framework’ (CEF), which was initiated by the European Data Protection Board (EDPB). The aim is to assess the implementation of the right to erasure in accordance with Article 17 GDPR in companies and public authorities and to promote comparable standards across the EU.
The core of the audit is a comprehensive catalogue of questions that is currently being sent to selected organisations by several national supervisory authorities, including in Germany. Among other things, this catalogue covers whether internal erasure concepts exist, how data controllers deal with exceptional cases, which technical procedures are used and how communication with data subjects is organised. Statistical information on the number and processing time of deletion requests is also requested.
Although the questionnaire may initially appear to be a standardised survey instrument, it is in fact a formalised regulatory measure. The data protection authorities expressly point out that follow-up measures are possible, for example in the event of incomplete, implausible or manifestly inadequate responses. In such cases, further checks, orders or even sanctions may follow.
You should review your internal processes in a structured manner, especially if you have received such a questionnaire. Organisations that process personal data - especially special categories within the meaning of the GDPR - are well advised to seek professional support. The involvement of data protection expertise, for example from external consultants or your own data protection officer, can help to identify weaknesses at an early stage, develop legally compliant erasure concepts and meet the requirements of the supervisory authorities. This not only strengthens your own compliance, but also protects you from legal and financial risks in the event of further audits or complaints.
Further information on the European audit initiative can be found on the website of the EDPB or the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia:
https://www.edpb.europa.eu/coordinated-enforcement-framework_de