GDPR Article 19 Explained: Your Compliance Guide
GDPR Article 19 stipulates that whoever collected and processed data also holds the responsibility for amending and deleting it, and restricting any processing of it where relevant.
GDPR Article 19 Legal Text
UK GDPR Version
Notification obligation regarding rectification or erasure of personal data or restriction of processing.
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
EU GDPR Version
Notification obligation regarding rectification or erasure of personal data or restriction of processing.
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Technical Commentary
Notification Obligations
Article 19 requires the controller to communicate any outcomes of all request for rectification, erasure or restriction of processing to whomever the data subject is.
If organisations face what is deemed as a ‘disproportionate effort’ in conveying the above information, then they are exempt from their obligations as a data controller (relating to notifications).
Communications are deemed not necessary when it is impossible to convey the information to the intended recipient (i.e. they are deceased with no legal successor, or not able to be contacted through reasonable means).
EU GDPR Article 19 and ISO 27701 Clause 7.3.7
Organisations may sometimes need to inform third party companies of requests for rectification or deletion.
Such communication should be conducted in good time, and in accordance with regional legal and/or regulatory requirements.
Supporting Controls From ISO 27701
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| Article 19 | ISO 27701 7.3.7 | None |
How ISMS.online Helps
Our pre-configured Records of Processing Activity tool makes it simple to record and review data, as well as add your organisation’s details. We provide easy to use templates for recording privacy and legitimate interest assessments.
Whether you’re prepared for the worst or not, we make it simple to plan, communicate, document, and learn from every incident.
Find out more by booking a demo.
