Article 19

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

What does it mean?

Article 19 requires data controllers to inform all recipients of personal data about any corrections, deletions, or restrictions applied to that data.

This obligation can be waived if notification is impossible or requires disproportionate effort, for example because of technological limitations or because the cost of notification is excessively high compared to the risk to the data subject’s rights.

If you decide not to inform the recipients, you must be able to prove that it was impossible or too difficult to do so.

You must follow Article 19 of the GDPR whenever a data subject’s personal data is corrected, deleted, or restricted.

Data controllers must inform all recipients, including third-party organizations and individuals, who have received the personal data about any changes made.

Notification is only required if these recipients are still processing the data. In practice, it may be difficult to know whether recipients have stopped processing the data subject’s data.

When a data subject requests that their data be corrected, deleted, or restricted, review your records to identify the recipients of this data. Then communicate the data subject’s request to these recipients.

Having an internal template for these notifications can streamline the process whenever you need to inform third parties. The template can cover:

  • The reason for the notification (rectification, erasure, restriction).
  • Details of the data subject’s request.
  • Instructions for the recipient on how to proceed.
  • Contact information for further questions.

Keep detailed records of all notifications sent to third parties, including dates, recipient details, and the nature of the changes communicated. This documentation is crucial for demonstrating compliance.

If a third party cannot be reached, document your attempts to contact them, the reasons why it was not possible, and keep this documentation as proof of your efforts.

If a recipient disputes the notification, handle it promptly and professionally. Ensure you have all necessary documentation to support your notification, such as records of communications and justifications for any waivers, and be prepared to provide further information if required.
