EDPB updates its Objection & Erasure digest and launches a form

On 25 June 2026, the European Data Protection Board (EDPB) released an update to its One‑Stop‑Shop case digest on the rights to object (Art. 21) and to erasure (Art. 17). The day before, it launched a dedicated form to report inconsistencies in GDPR interpretation across national authorities or with the Board’s positions. Two practical tools to reinforce EU‑wide consistency.

Key facts

The digest consolidates hundreds of final decisions under the one‑stop‑shop mechanism (Art. 60 GDPR), highlighting recurrent infringements and corrective measures (e.g., direct marketing objections, account/profile deletion). The 24 June 2026 announcement from Brussels introduces a channel for practitioners to flag perceived divergences.

Legal framework

• Right to object: Article 21 GDPR, with a reinforced regime for direct marketing (immediate cessation; no overriding legitimate grounds).
• Right to erasure: Article 17 GDPR (data no longer necessary, consent withdrawn, unlawful processing, etc.).
• Cooperation/one‑stop‑shop: Article 60 GDPR, the backbone of the digest via the public register of decisions.
• Consistency: the form supports the EDPB’s mission under Article 63 (guidelines, recommendations, Article 64 opinions, Article 65 binding decisions).

For a refresher on obligations and cited provisions, see our overview of the GDPR and its key articles.

What changes for Luxembourg businesses

• Operational visibility: the digest shows how authorities assess internal processes (intake and logging of requests, timelines, coordination with processors/SaaS, backup handling). Luxembourg‑based organisations can align with expected practices: instant stop of marketing upon objection, purge windows, and inactive account management.
• Forthcoming convergence: the new form should accelerate clarifications on grey areas (manifestly unfounded/excessive requests, identity verification, erasure vs. statutory retention, objections to advertising profiling across subsidiaries).
• Lower cross‑border risk: aligning with digest trends (erasure orders, processing limitations, fines, procedural remediation) evidences accountability (Arts. 5(2), 24 GDPR) before the CNPD and peer authorities.

If you are running a programme in the Grand Duchy, explore our focus on GDPR compliance in Luxembourg.

Immediate actions this week

• Map data subject rights flows: define entry points (web, email, DPO, customer service), set timelines (D+0 to stop marketing, under 30 days to complete), log evidence, and propagate to processors/SaaS and backups. Align SOPs with recurring infringement patterns flagged by the EDPB.
• Implement a marketing kill switch: automatically and irrevocably stop all prospecting (email/SMS/retargeting) upon objection, including cross‑channel and across group entities. Test propagation across CDP/CRM and disable look‑alike segments.
• Escalate inconsistencies via the EDPB form: list grey zones (identity checks, legal retention vs. erasure, third‑party unsubscribe APIs, immutable backups) and submit them to inform future guidance.

Need hands‑on support? Our team can design and run your DSAR workflows and dashboards; see our DPO mandate and CNPD support. You can also contact us for a quick discussion.

Sources

• EDPB — One‑Stop‑Shop case digest on right to object and right to erasure updated, 25 June 2026
• EDPB — News: “Supporting GDPR consistency: EDPB launches dedicated form”, 24 June 2026

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.