Overview
This article (Article 19 GDPR) requires controllers to communicate any rectification or erasure of personal data, or any restriction of processing, to each recipient to whom the personal data have been disclosed. The communication must be made unless it proves impossible or involves disproportionate effort. On request, the controller must also tell the data subject who those recipients are.
Key Principles
Accountability: Controllers must ensure that every recipient to whom the data were disclosed is informed of rectifications, erasures, or restrictions, so that recipients do not continue to process inaccurate, erased, or restricted data.
Transparency: Data subjects have the right, on request, to be told which recipients have received their personal data.
Proportionality: Notifications are required unless they are impossible or impose disproportionate effort.
Rights Protection: Ensures that the data subject’s rights are respected throughout the data lifecycle.
Organizational Applicability
This article applies to any controller within the scope of the GDPR that has disclosed personal data to recipients, including:
Controllers managing personal data of EU/EEA data subjects, whether or not the controller is established in the EU.
Public and private sector entities that share personal data with third parties, processors, or other recipients.
Teams handling data processing, records management, IT systems, or compliance.
Implementation Requirements
Implement procedures to notify every recipient of the affected personal data about any rectification, erasure, or restriction of processing.
Maintain records of the notifications sent (recipient, date, and the data affected) and of any recipients exempted because notification was impossible or would involve disproportionate effort, together with the justification for the exemption.
Provide data subjects with information on the recipients upon request.
Deliver notifications securely: a notification itself discloses personal data (at minimum the identity of the data subject and the nature of the correction or erasure), so send it only to a verified contact at the recipient and over a channel that prevents unauthorized access.
Implementation Guidance
Keep a record of disclosures (which recipients received which personal data and when), whether in an automated tracking system or a manual log, so that the recipients requiring notification can be identified for a given data subject.
Develop standardized notification templates for rectification, erasure, and restriction actions that state what the recipient is expected to do with the data it holds.
Train staff to determine when the impossibility or disproportionate-effort exemption applies, and require the justification to be documented for each case.
Coordinate with third-party processors and other recipients so that notifications are acted on promptly and the change is propagated to any onward recipients.
Periodic Review
Frequency: Annually or when new data-sharing arrangements are introduced.
Responsible Role: Data Protection Officer (DPO) or Compliance Team.
Outcome: Confirm that notification obligations are met and records are accurate and complete.
Non-Compliance Risks
Fines: Up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, as failure to notify infringes the data subject rights under Articles 12 to 22.
Legal Exposure: Enforcement actions or complaints for failure to notify recipients.
Reputational Damage: Loss of trust from data subjects and partners.
Operational Risk: If recipients are not notified, they may continue to process data that is inaccurate, has been erased, or is restricted, which undermines the data subject’s exercise of their rights and invites regulatory scrutiny.