- \n
- internal procedure or practice in place<\/strong> to handle erasure requests, or having an incomplete or irregularly reviewed procedure,<\/li>\n\n\n\n
- specific procedures and measures to handle erasure requests in the context of back-ups<\/strong>,<\/li>\n\n\n\n
- staff training<\/strong>,\u00a0\u00a0<\/li>\n\n\n\n
- information<\/strong> provided to data subjects,<\/li>\n\n\n\n
- legal certainty<\/strong> on the exceptions to deny erasure requests, and\u00a0<\/li>\n\n\n\n
- data retention periods<\/strong>, etc.<\/li>\n<\/ul>\n\n\n\n
Multiple regulators found that controllers relying on anonymisation for deletion<\/strong> have varying degrees of success in correctly implementing it. In some cases, they only apply basic pseudonymisation or partial masking, although such a process would not fulfil the requirements of the GDPR regarding deletion.<\/p>\n\n\n\n
Stay up to date! Sign up to receive our fortnightly digest via email. <\/mark><\/a><\/h6>\n\n\n\n
Interestingly, the majority of the polled controllers (out of 764) had not received a single request for erasure in the last two years<\/a>. While controllers were often chosen due to being in certain particular situations (processing sensitive data, processing a very large amount of data, etc.), about 70% of controllers still received fewer than 10 requests per year. Also, it appears that certain profiles are less likely to exercise their rights (eg, applicants in public services, citizens toward public services, contractors, or job applicants\/employees) while others seem less hesitant to do so (eg, potential customers).<\/p>\n\n\n\n
Main developments <\/h4>\n\n\n\n
![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2026\/02\/europe-3225257_1280-1024x768.jpg\")
<\/figure>\n<\/p>\n\n\n\n
Digital omnibus and GDPR simplification:<\/strong> The EDPB and EDPS issued a long-awaited statement on simplification of the digital legislative framework in the EU. Among many things, they advised against the proposed changes to the definition of personal data. The changes go far beyond a targeted modification of the GDPR, a \u2018technical amendment\u2019 or a mere codification of CJEU jurisprudence.<\/p>\n<\/div><\/div>\n\n\n\n
Defining what is no longer personal data directly affects and narrows the scope of application of EU data protection legislation and should not be addressed in an implementing act, say the regulators.\u00a0The full opinion in the context of GDPR, AI Act, and ePrivacy Directive can be read here<\/a>.<\/p>\n\n\n\n
UK data reform: <\/strong>Meanwhile, in the UK, on 5 February, the main provisions of the Data Use and Access Act 2025\u00a0 came into force, amending the UK GDPR and Data Protection Act 2018<\/a>. These include: new \u2018recognised legitimate interests\u2019 legal basis for data controllers, cookie consent exemptions, data reuse permissions, the use of automated decision making<\/a>, more relaxed transfers of personal data internationally, and sometimes limiting data subject access requests, etc.\u00a0<\/p>\n\n\n\n
Age-appropriate code design<\/strong><\/h4>\n\n\n\n
![\"deletion\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2026\/02\/image-4-1024x683.jpeg\")
<\/figure>\n<\/p>\n\n\n\n
On February 5, South Carolina signed Age-Appropriate Code Design<\/a> into law, after it was previously adopted by California, Maryland, Nebraska, and Vermont. According to JD Supra analysis<\/a>, covered online services must exercise \u201creasonable care\u201d in the use of a minor\u2019s personal data and the design and operation of the covered online service. This includes features that:<\/p>\n<\/div><\/div>\n\n\n\n
- \n
- \u00a0Decrease minors\u2019 time and activity on the service to prevent compulsive usage, severe psychological harm, and privacy intrusions.\u00a0<\/li>\n\n\n\n
- Opt minors out of \u201cpersonalisation recommendation systems\u201d by default, and\u00a0<\/li>\n\n\n\n
- Set personal data settings to the highest level of protection by default.<\/li>\n\n\n\n
- Collect, use, share, or retain the minimum amount of a minor\u2019s personal data \u201cnecessary\u201d to provide the specific elements of the covered online service, etc.<\/li>\n<\/ul>\n\n\n\n
More from supervisory authorities<\/h4>\n\n\n\n
DPO role: <\/strong>Under EU law, all EU institutions, bodies, offices and agencies (EUIs) are required to appoint a data protection officer (DPO). To strengthen the effectiveness and independence of this function, the EDPS has adopted two key documents clarifying the role and protection of DPOs within EUIs:\u00a0<\/p>\n\n\n\n
- \n
- Supervisory Guidance on the role of DPOs in EUIs<\/a>, and <\/li>\n\n\n\n
- Rules on the application of the requirement of prior consent by the EDPS for the dismissal of DPOs<\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n
They provide practical and up-to-date guidance on the designation of DPOs, their institutional positioning, the guarantees of independence attached to the function, and the responsibilities entrusted to them. <\/p>\n\n\n\n
Cybersecurity exercise: <\/strong>The ENISA offers a methodology to an end-to-end theoretical framework for planning, running and evaluating cybersecurity exercises. It ensures the right profiles and stakeholders are involved at the right time, and provides theoretical material based on lessons identified, industry best practices and cybersecurity expertise. Download the guide and the support toolkit templates here<\/a>. <\/p>\n\n\n\n
Games age limitation: <\/strong>The French government, on 4 February, adopted a decree on the experimentation of games with monetisable digital objects. It requires, among other controls, the refusal of the opening of a player account for any minor<\/a>, or before verification of the identity and the age of the applicant. It requires the enterprise offering a game to document the arrangements used for verification, to carry out regular checks, and to be able to demonstrate the effectiveness and compliance of those arrangements to the National Gaming Authority. <\/p>\n\n\n\n
How to deal with data protection complaints<\/strong><\/h4>\n\n\n\n
![\"deletion\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2026\/02\/image-2-1024x670.jpeg\")
<\/figure>\n<\/p>\n\n\n\n
The updated UK ICO guidance reminds organisations what they need to do to meet the new requirements for people to open a data protection complaints process, as set out in the new Data Use and Access Act<\/a>, although these requirements are not in force until 19 June 2026. At a glance, the law says organisations must:<\/p>\n<\/div><\/div>\n\n\n\n
- \n
- Give people a way of making data protection complaints;<\/li>\n\n\n\n
- Acknowledge receipt of complaints within 30 days of receiving them;<\/li>\n\n\n\n
- Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; <\/li>\n\n\n\n
- Without undue delay, tell people the outcome of their complaints.<\/li>\n<\/ul>\n\n\n\n
Read practical advice on each of these points in the original publication<\/a>.<\/p>\n\n\n\n
In other news<\/h4>\n\n\n\n
\u0421NIL sanctions statistics: <\/strong>Cookies, employee surveillance and data security were the main subjects of the penalties imposed by the French data protection authority CNIL, in 2025, the cumulative amount of which totalled 486,839,500 euros<\/a>. Also, insufficient security of personal data, lack of cooperation with the CNIL and non-respect for the rights of individuals were the three main reasons for sanctions under the recently introduced simplified procedures. Numerous formal notices have targeted websites that allowed the deposit of cookies and other trackers without respecting the consent of individuals, either by not allowing them to refuse the deposit in a simple way, or by not taking into account the withdrawal of users’ consent.<\/p>\n\n\n\n
In addition, the regulator often sanctioned the non-compliance with the obligations of the subcontractors <\/strong>concerning the data entrusted to them, in particular:\u00a0<\/p>\n\n\n\n
- \n
- implementing appropriate technical and organisational measures to ensure an adequate level of security;<\/li>\n\n\n\n
- only processing data on the instructions of the data controller;<\/li>\n\n\n\n
- deleting the data at the end of their contractual relationship with the data controller.<\/li>\n<\/ul>\n\n\n\n
OpenClaw AI:<\/strong> The Dutch data protection authority AP warns against the use of OpenClaw<\/a>,\u00a0an AI agent tool that has become popular since last year. The platform provides users with an AI assistant to install, which can perform tasks autonomously<\/strong>. For that, the user has to give full access to their computer and programs, including email, files and online services. The platform can also be vulnerable to hidden commands in websites, emails and chat messages<\/a>. That can lead to taking over accounts, reading personal data and stealing access codes.<\/p>\n\n\n
- Rules on the application of the requirement of prior consent by the EDPS for the dismissal of DPOs<\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n
- Supervisory Guidance on the role of DPOs in EUIs<\/a>, and <\/li>\n\n\n\n
- specific procedures and measures to handle erasure requests in the context of back-ups<\/strong>,<\/li>\n\n\n\n