How to Demonstrate Compliance With GDPR Article 19

GDPR Compliance Software

Book a demo

double,exposure,of,business,man,hand,working,on,blank,screen

GDPR Article 19 stipulates that whoever collected and processed data also holds the responsibility for amending and deleting it, and restricting any processing of it where relevant.

GDPR Article 19 Legal Text

UK GDPR Version

Notification obligation regarding rectification or erasure of personal data or restriction of processing.

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

EU GDPR Version

Notification obligation regarding rectification or erasure of personal data or restriction of processing.

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Technical Commentary

Notification Obligations

Article 19 requires the controller to communicate any outcomes of all request for rectification, erasure or restriction of processing to whomever the data subject is.

If organisations face what is deemed as a ‘disproportionate effort’ in conveying the above information, then they are exempt from their obligations as a data controller (relating to notifications).

Communications are deemed not necessary when it is impossible to convey the information to the intended recipient (i.e. they are deceased with no legal successor, or not able to be contacted through reasonable means).

EU GDPR Article 19 and ISO 27701 Clause 7.3.7

Organisations may sometimes need to inform third party companies of requests for rectification or deletion.

Such communication should be conducted in good time, and in accordance with regional legal and/or regulatory requirements.

Supporting Controls From ISO 27701

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
Article 19ISO 27701 7.3.7None

How ISMS.online Helps

Our pre-configured Records of Processing Activity tool makes it simple to record and review data, as well as add your organisation’s details. We provide easy to use templates for recording privacy and legitimate interest assessments.

Whether you’re prepared for the worst or not, we make it simple to plan, communicate, document, and learn from every incident.

Find out more by booking a demo.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

Explore ISMS.online's platform with a self-guided tour - Start Now