GDPR Article 19 stipulates that whoever collected and processed data also holds the responsibility for amending and deleting it, and restricting any processing of it where relevant.
Notification obligation regarding rectification or erasure of personal data or restriction of processing.
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Notification obligation regarding rectification or erasure of personal data or restriction of processing.
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Article 19 requires the controller to communicate any outcomes of all request for rectification, erasure or restriction of processing to whomever the data subject is.
If organisations face what is deemed as a ‘disproportionate effort’ in conveying the above information, then they are exempt from their obligations as a data controller (relating to notifications).
Communications are deemed not necessary when it is impossible to convey the information to the intended recipient (i.e. they are deceased with no legal successor, or not able to be contacted through reasonable means).
Organisations may sometimes need to inform third party companies of requests for rectification or deletion.
Such communication should be conducted in good time, and in accordance with regional legal and/or regulatory requirements.
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| Article 19 | ISO 27701 7.3.7 | None |
Our pre-configured Records of Processing Activity tool makes it simple to record and review data, as well as add your organisation’s details. We provide easy to use templates for recording privacy and legitimate interest assessments.
Whether you’re prepared for the worst or not, we make it simple to plan, communicate, document, and learn from every incident.
Find out more by booking a demo.
Book a tailored hands-on session
based on your needs and goals
Book your demo
We can’t think of any company whose service can hold a candle to ISMS.online.