How do data protection authorities in EU member states handle individual requests to refuse or delete EES data?

1. How an individual starts a deletion or refusal request: use the GDPR playbook

Individuals seeking to refuse or delete EES records typically rely on rights in the GDPR — notably access, rectification and erasure — and must submit a request to the controller or the authority that operates or has custody of the EES data (for example, border authorities). National guidance for users of EES explicitly states you can request access, rectification or deletion if data are incorrect or “unjustly included,” and it points people to the relevant national body (Netherlands example) ^{[1] [4]}. The EU Commission’s plain-language pages likewise set out that you may ask companies or public authorities to delete personal data when lawful grounds for retention no longer apply ^[5].

2. Which bodies decide and what power DPAs exercise

National DPAs do not themselves erase operational EES records on demand in isolation; they oversee compliance and adjudicate disputes between data subjects and controllers. If an individual is dissatisfied with the response from the controller or the authority that handled the request, national guidance says they can submit a complaint to that DPA — the DPA then has investigative and corrective powers under the GDPR to require rectification or deletion where Article 17 applies ^{[1] [5] [3]}.

3. Practical steps DPAs use and coordinated EU scrutiny

Recent and ongoing EU-level activity shows DPAs are sharpening focus on erasure practice. The European Data Protection Board launched coordinated enforcement workstreams emphasizing Article 17 — DPAs across Member States are participating in sweeps and information requests to test whether controllers lawfully apply erasure and its exceptions and whether they act “without undue delay” ^{[2] [6] [7]}. That means national DPAs are likely to evaluate not just whether a deletion request was accepted, but whether the controller followed procedure, verified identity appropriately, and lawfully invoked exceptions.

4. Common legal limits and frequent grounds for refusal

Article 17 does not create an absolute right to delete; deletion is required only where one of the statutory grounds applies (data no longer necessary, consent withdrawn, unlawful processing, etc.), and controllers may refuse where specific exceptions apply (public interest, legal claims, statistical or historical retention, law enforcement access) ^{[3] [8]}. The practical implication: DPAs will weigh whether EES retention rules or legal obligations (for border/security, criminal investigations, or recordkeeping) lawfully override an erasure claim and will expect controllers to document that assessment ^{[3] [8]}.

5. Cross-border, operational and technical realities for EES data

EES is an EU-wide, eu-LISA-operated system that stores biometric and movement data and will replace passport stamps as it rolls out ^[9]. That centralized or shared operational model means deletion is not just a local database operation — controllers must ensure deletion across systems, backups and third-party processors where feasible, and the GDPR requires reasonable technical steps to inform other controllers processing the same data if public dissemination occurred ^{[3] [9]}. National DPAs will expect controllers to show those technical and organisational measures or justify exceptions.

6. Where people go when their request is denied — complaints and enforcement

If a controller refuses erasure or fails to respond, national guidance instructs the data subject to complain to the DPA that handled their request; DPAs can then open investigations and coordinate with other DPAs under the EDPB’s frameworks ^{[1] [2] [6]}. The 2025 coordinated enforcement activities mean complaints on erasure — including those tied to EES data — may trigger cross-border follow-ups and mutual scrutiny ^{[2] [6]}.

7. Conflicting viewpoints and what the reporting does not say

Available reporting emphasises DPAs enforcing GDPR erasure rules and the EDPB’s coordinated action, but sources do not give a step‑by‑step, country‑by‑country breakdown of how each member state’s DPA implements deletion requests specific to EES (available sources do not mention a full pan‑EU procedural map). Some advocacy groups stress stringent enforcement of erasure only where processing is unlawful (NOYB commentary), while legal commentaries and industry analyses note many controllers will resist deletion requests on statutory grounds or operational necessity — both perspectives appear in current reporting ^{[8] [7] [2]}.

8. What a traveller should do now

Follow national DPA or border authority guidance: submit an access/rectification/erasure request to the controller named in EES documentation, keep records of the request, and if unsatisfied, lodge a complaint with the relevant national DPA — the EDPB’s ongoing coordinated focus on erasure increases the chance your complaint will be examined in context of broader compliance checks ^{[1] [2] [6]}.

Limitations: reporting in the provided sources confirms the legal framework, DPA roles and the EDPB’s enforcement focus, but does not list every member state’s operational contact points or give specific case outcomes for EES erasure requests (available sources do not mention detailed national procedures beyond examples) ^{[1] [9] [2]}.