Article 19 GDPR
Legal Text
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Relevant Recitals
Commentary on Article 19
The controller who collected and processed the personal data for the first time is primarily obliged to correct, delete and restrict processing. However, this implementation of the rights of data subjects remains limited or ineffective if the data has already been passed on to third parties. This is why, after data subjects exercise their right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) or restriction (Article 18 GDPR), Article 19 GDPR requires controllers, subject to certain exceptions, to communicate this to recipients in the sense of Article 4(9) GDPR.
Notification Obligation
The first sentence of Article 19 requires the controller to notify the outcome of the request for rectification, erasure or restriction of processing to all recipients of personal data included in the definition set out in Article 4(9) GDPR.[1] It follows that, in case of publication on the web towards an unspecified list of recipients, the more specific rules of Article 17(2) GDPR apply.[2]
The notification according to p. 1 shall be made in writing or in another form, if necessary also electronically (Article 12(1) GDPR). An extension of the maximum period of one month under Article 12(3) will hardly ever be justified, because, under Articles 24 and 32 GDPR, controllers are obliged to ensure disclosures can be traced and recipients can be swiftly identified.
The controller is not obliged to ensure the correction, deletion or restriction of the processing of the data in question by the recipient. However, under Articles 5(1)(d) and 17(1) GDPR, each recipient is itself responsible for correcting, deleting or restricting the data processing. This is always the case unless other legal bases under Article 6 are available or certain exceptions apply (for example, Article 17(3) GDPR).[3]
Exceptions to the Notification Obligation
The controller is exempted from the communication obligation if the communication itself is impossible or would require disproportionate effort.
A communication is impossible only if it is factually impossible to determine the recipients, for example when a recipient is not reachable or no longer exists and has no legal successor. In this context, the use of a data protection management system is recommended in so far as it keeps track of each recipient and enables the rapid implementation of the notification obligation after each correction, deletion and restriction of processing.[4] Financial or other practical difficulties are irrelevant. They may only be considered when evaluating disproportionate effort.[5]
Disproportionate effort must be evaluated on a case-by-case basis. The financial and time interests of the controller and the recipients will need to be assessed against the interests of the data subject. To evaluate the interests of the data subject, consideration should be given to the impact of the processing on their rights and freedoms, the likelihood that the recipients will still be processing the data contrary to the exercise of the data subject's rights, and whether the communication is actually in the interest of the data subject.[6]
Exceptions to the notification requirement shall be interpreted narrowly, and therefore only apply to communication to recipients and not to any preparatory measures for communication, such as compiling a list of all recipients of the data subject's data. The controller bears the burden of proof for claiming an exception.
Information Obligation Towards the Data Subject
The data subject has a right to be informed about which other parties received the personal data. This information should permit the data subject to exercise their rights to rectification, erasure, and restriction of processing directly against the recipients.[7]
The information given to the data subject should comply with the general requirements set forth in Article 12 GDPR.
The information obligation towards the data subject does not apply if it is factually impossible to determine the recipients. However, because the disproportionate effort exception applies only to the communication itself and not to any preparatory measures (see above), the data subject has an otherwise absolute right to be informed about the recipients. This understanding is supported by the purpose of Article 19 GDPR, which is to ensure the already exercised rights to rectification, erasure, and restriction. The data subject can only do so if they know the actual recipients of their personal data. This also explains why the information obligation under Article 19 GDPR is stricter than the similar provision of Article 15(1)(c) GDPR, which permits in certain cases that the information provided is limited to "categories of recipient[s]": Article 15 GDPR is a prerequisite for the exercise of all of the data subject's rights; in contrast, Article 19 GDPR permits the data subject to verify that already exercised rights have been complied with.
Member State restrictions
→ See Article 23 GDPR.
Decisions
→ You can find all related decisions in Category:Article 19 GDPR.
References
- [1] "Disclosure" can be "by transmission, dissemination or otherwise making available" (cf. also the definition for "processing" in Article 4(2) GDPR).
- [2] Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 19 GDPR, margin number 5 (1st ed., Beck 2019) (accessed 13 February 2022).
- [3] Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 19 GDPR, margin number 8 (1st ed., Beck 2019) (accessed 13 February 2022).
- [4] Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 19 GDPR, margin number 7 (1st ed., Beck 2019) (accessed 13 February 2022).
- [5] Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 19 GDPR, margin number 12 (Beck, 2nd edition 2018) (accessed 17 January 2020).
- [6] Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 19 GDPR, margin number 12 (Beck, 2nd edition 2018) (accessed 17 January 2020).
- [7] Peuker, in Sydow, Europäische Datenschutzgrundverordnung, Article 19 GDPR, margin number 14 (Beck, 2nd edition 2018) (accessed 17 January 2020).