Article 19 GDPR - Notification of Rectification, Erasure or Restriction
This specific GDPR provision addresses the controller's obligation to notify data subjects and third parties about rectification, erasure, or restriction of processing. It is a distinct procedural requirement that deserves its own dedicated topic for comprehensive coverage of notification obligations under Article 19.
Article 19 GDPR notification obligation rectification notification erasure notification restriction notification data subject notification recipient notification notification procedures
Overview
Legal Framework
Article 19 GDPR establishes the controller's obligation to communicate any rectification, erasure, or restriction of processing to each recipient to whom the personal data have been disclosed. This notification must be provided unless doing so proves impossible or involves disproportionate effort. The controller must also inform the data subject about these recipients if the data subject requests it. This provision serves as a critical procedural safeguard, ensuring that the effects of a data subject's exercise of their rights under Articles 16, 17, and 18 are propagated through the data processing ecosystem.
Practical Application
The obligation under Article 19 is triggered whenever a controller acts on a request for rectification, erasure, or restriction of processing. The controller must identify all recipients who have received the affected data. The commentary clarifies that the term "recipient" is interpreted broadly, encompassing any natural or legal person, public authority, agency, or other body to which the data are disclosed, whether a third party or not. The assessment of what constitutes "disproportionate effort" is a fact-specific determination that must be documented by the controller. While there is no prescribed method, the notification should be sufficiently clear to enable the recipient to identify the data concerned and the action taken. In practice, this often necessitates maintaining accurate records of data disclosures.
Key Considerations
- Maintain Data Flow Maps: Implement and maintain records of processing activities that specifically track disclosures of personal data to recipients, as this is essential for fulfilling the Article 19 notification obligation.
- Document the "Disproportionate Effort" Assessment: If a controller decides not to notify recipients, it must document the reasoning behind its conclusion that notification is impossible or involves disproportionate effort, as this may be scrutinized by a supervisory authority.
- Proactively Inform Data Subjects: Controllers should establish a process to inform data subjects, upon their request, of the specific recipients to whom their data was disclosed, as this is a separate requirement under Article 19(2).
Laws (4)
Case Law (2)
Artikel :
Gerechtshof
Verklaring voor recht gevorderd dat Politie onrechtmatig heeft gehandeld door gegevens over verdachte te verzamelen en te delen met derden. Hof verklaart verklaart verdachte grotendeels niet-ontvankelijk omdat in verband met de tegen hem lopende strafzaak voor de burgerlijke rechter (nog) geen taak is weggelegd.
ECLI:NL:RVS:2006:AY0333 Raad van State , 05-07-2006 / 200508877/1
Raad van State
Bij besluit van 21 oktober 2004 heeft het college van burgemeester en wethouders van Rotterdam (hierna: het college) geweigerd appellant in te schrijven in de gemeentelijke basisadministratie persoonsgegevens van Rotterdam.
Guidance (11)
Guidelines 3/2019 on processing of personal data through video devices
Guidelines on processing of personal data through video devices
Guidelines 10/2020 on restrictions under Article 23 GDPR
Guidelines on restrictions under Article 23 GDPR
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
Richtsnoeren 04/2022 voor de berekening van administratieve geldboeten krachtens de AVG
guidelines berekenen administratieve boetes
Het Europees Comité voor gegevensbescherming (EDPB) heeft deze richtsnoeren vastgesteld met het oog op de harmonisatie van de methode die de toezichthoudende autoriteiten gebruiken om het bedrag van de geldboete te berekenen. Deze richtsnoeren vormen een aanvulling op de eerder vastgestelde Richtsnoeren voor de toepassing en vaststelling van administratieve geldboeten in de zin van Verordening (EU) 2016/679 (WP 253), die betrekking hebben op de omstandigheden waarin een geldboete moet worden opg...
Versiegeschiedenis
guidelines meldplicht datalekken
Richtsnoeren 4/2019 inzake artikel 25 Gegevensbescherming door ontwerp en door standaardinstellingen
guidelines privacy by design en default
Richtsnoeren 06/2020 inzake de wisselwerking tussen de tweede richtlijn betalingsdiensten en de AVG
guidelines wisselwerking toepassing artikel 3 en hoofdstuk V AVG
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020
Guidelines on data protection by design and by default
Guidelines 9/2022 on personal data breach notification under GDPR
Guidelines on personal data breach notification under GDPR
Enforcement (55)
View all 55Gynecological Center: Insufficient fulfilment of data breach notification obligations
€9,450 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 9,450 on a Gynecological Center. The controller sufferd a data breach and failed to report this to the DPO.
Court Bailiff: Insufficient fulfilment of data breach notification obligations
€5,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 5,000 on a court bailiff. The controller forwarded a letter containing personal data to the wrong person, failing to inform either the affected data subjects or the DPA.
Company: Insufficient fulfilment of data breach notification obligations
€870 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA has imposed a fine of EUR 870 on a company. After being informed of a data breach, the controller took adequate measures to close it but failed to inform the DPA.
ADMINISTRACIONES BENIPON, S.L.: Insufficient fulfilment of data breach notification obligations
€1,100 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine of EUR 1,100 on ADMINISTRACIONES BENIPON, S.L. The processor failed to notify the controller of a data breach and also used a sub-processor without prior consent and without an legal agreement.
Dante International SA: Onvoldoende naleving van de rechten van betrokkenen bij de verwerking van persoonsgegevens.
Een boete van €10.000 - De Roemeense nationale toezichthoudende autoriteit voor de verwerking van persoonsgegevens (ANSPDCP).
De Roemeense autoriteit voor gegevensbescherming (DPA) heeft een boete van 10.000 euro opgelegd aan Dante International SA. De verantwoordelijke partij heeft niet adequaat gereageerd op een verzoek van een betrokkene om gebruik te maken van zijn of haar rechten.
Hospital: Insufficient fulfilment of data breach notification obligations
€6,900 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a district hospital in Września EUR 6,900 for failing to report a data breach to the DPA and data subjects in a timely manner. A patient had accidentally received another individual's medical records and was able to access their personal data.
mBank: Insufficient fulfilment of data breach notification obligations
€940,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined mBank EUR 940,000. The bank had suffered a data breach in which an employee of the controller sent documents containing customer data to the wrong recipient. The documents contained information such as names, account numbers, dates of birth and ID card numbers. Although the documents were returned to mBank, the envelope had been opened , meaning that third parties may have had access to the documents. During its investigation, the DPA found that, although the controller
Association: Insufficient fulfilment of data breach notification obligations
€210 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an association EUR 210 for failing to report a data breach to the DPA in a timely manner.
Azienda sanitaria locale Roma 3: Insufficient fulfilment of data breach notification obligations
€10,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has fined Azienda sanitaria locale Roma 3 EUR 10,000 for failing to report a data breach to the DPA in a timely manner and to properly document the data breach.
Toyota Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations
€18,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Toyota Bank Polska S.A. EUR 18,000 for failing to report a data breach to the DPA in a timely manner.
Santander Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations
€326,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Santander Bank Polska S.A. EUR 326,000 for failing to report a data breach to the DPA and data subjects in a timely manner.
NTT Data Italia S.P.A: Insufficient fulfilment of data breach notification obligations
€800,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 800,000 on NTT Data Italia S.P.A. The fine is related to the fine imposed on UniCredit (ETid-2227). UniCredit had contracted NTT to carry out vulnerability analyses and penetration tests. During its investigation, the DPA found that NTT had not notified UniCredit of a data breach in a timely manner. In addition, NTT had contracted another company to carry out vulnerability assessments and penetration tests without prior authorization from the bank as the
HISPAPOST, S.A.: Insufficient fulfilment of data breach notification obligations
€36,000 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine on HISPAPOST, S.A.. The police had found over a thousand abandoned letters containing the Hispapost logo. Hispapost had been contracted by several companies to deliver the letters. During its investigation, the DPA found that Hispapost, as a processor, had failed to report the data protection incident to the data controllers in a timely manner. The original fine of EUR 60,000 was reduced to EUR 36,000 due to admission of responsibility and voluntary payment.
POLAND DPA: Insufficient fulfilment of data breach notification obligations
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a data controller EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
Online retailer: Insufficient fulfilment of data breach notification obligations
€6,000 fine - Data Protection Authority of Hamburg
The DPA of Hamburg has imposed a fine of EUR 6,000 on an online retailer for failing to report a data breach in a timely manner.
District Court Krakow: Insufficient fulfilment of data breach notification obligations
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined the District Court in Krakow EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
AUSTRIA DPA: Insufficient fulfilment of data breach notification obligations
€5,900 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA fined a controller EUR 5,900 for failing to report a data breach in a timely manner and for not cooperating with the DPA.
Insurance company: Insufficient fulfilment of data breach notification obligations
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an insurance company EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
Link4 Towarzystwo Ubezpieczeń S. A.: Insufficient fulfilment of data breach notification obligations
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Link4 Towarzystwo Ubezpieczeń S. A. EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
Company: Insufficient fulfilment of data breach notification obligations
€2,500 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a company EUR 2,500 for failing to report a data breach to the DPA and data subjects.