Author: Alexander Dix

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

A. Preliminary remarks

The primary addressee of the obligations to rectify, delete and restrict the processing is the controller who collected the data and processed them. This implementation of the data subject’s rights remains however limited and ineffective if the data have been transferred to third parties. Therefore the controller is obliged to notify the recipients of the data to a certain extent about any corrections, deletions or restrictions of processing which he carried out and to inform the data subject about the recipients. This strengthens the position of the data subject further since he does not have to make inquiries who might have received his data and make multiple separate requests for rectification, erasure or restriction of processing. At the same time the provision at least limits the spreading of inaccurate information, the illegal storage of data stored or the unrestricted processing by recipients.[1]

B. Legislative history

Already the Directive 95/46 in Art. 12 lit. c contained an obligation of the controller to notify about corrections, deletions and restrictions of processing as far as this was possible and not causing a  disproportionate effort. This provision was integrated by the Commission in their proposal for a Regulation (Art. 13). The European Parliament added the right of the data subject to be informed about the recipients. During trilogue the obligation was extended to the restriction of processing.

The Directive on Police and Justice ((EU) 2016/680) interestingly goes beyond the provisions of the Regulation in two respects, even if it first has to be implemented by the Member States. Art. 16 para. 4 obliges the Member States to provide that the controller also has to notify the authority where the inaccurate data originated from about the correction of the data. Furthermore the recipients themselves are under an obligation to rectify, delete or restrict processing of the data.

 

C. Notification obligation regarding the exercise of rights under Articles 16, 17 and 18

The scope of Art. 19 is limited to cases of direct disclosure of data to recipients within the meaning of Art. 4 No. 9. In the case of publication of such data (online or offline) Art. 19 is superseded. by the special provision of Art. 17 para. 2 (→ Art. 17).[2] Therefore Art. 19, 1st sentence, only refers to Art. 17 para. 1. The notification according to Art. 19, 1st sentence, has to be done in writing or in another form, e.g. electronically (Art. 12 para. 1, 2nd sentence). The notification of the data subject under Art. 19, 2nd sentence may be done orally provided that the identity of the data subject is proven by other means (Art. 12 para. 1, 3rd sentence)[3].

I. Obligation to notify (Art. 19, 1st sentence)

The controller is obliged to notify on his own initiative the recipient within the meaning of Art. 4 No. 9, which includes processors but excludes certain public authorities[4], of any correction, deletion or restriction of processing which he has implemented. A request by the data subject is not necessary in this case (unlike in the case of Art. 19, 2nd sentence). The obligation to notify recipients only arises under Art. 19 if the data subject has requested either rectification, erasure or the restricted processing of his data in the first place. If the controller has corrected data at his own initiative to comply with his obligations under Art 5 para. 1 lit. d Art. 19 does not apply directly. However, the controller would still be obliged to notify recipients in such cases to comply with the principles of fair processing and accuracy (Art. 5 para. 1 lit. a and d).[5] Art. 19 furthermore requires the direct disclosure of personal data by the controller to recipients. In cases where the controller has published the data, the special provision of Art. 17 para. 2 takes precedence over Art. 19.[6] The Court of Justice held in Proximus that in a chain of consecutive controllers each of them is obliged to forward the information that the data subject has withdrawn his consent.[7] This follows from the obligation under Art. 12 para. 2 that controllers shall facilitate the exercise of data subjects rights. The same obligation should therefore apply to the notifications under Art. 19. Notifications under this provision have to be made without undue delay after the correction, deletion or restriction of processing. There is no legal requirement to notify before the correction, deletion or restriction of processing but in the interest of protecting the data subject effectively it may be advisable for the processor to consider such an notification in advance. An extension of the maximum time limit of one month (Art. 12 para. 3, 2nd sentence) will hardly ever be justified for the controller is obliged under Art. 24 para. 1 and Art. 32 to take technical and organisational measures (e.g. by keeping records) to make sure that disclosures may be reproduced and recipients may be traced. The controller has to store this information as long as the exercise of rectification and deletion rights and the continued processing by the recipients can be expected.[8] Here again the use of a data protection management system is highly recommended, which would allow the speedy compliance with the duty to notify under Art. 19, 1st sentence after each correction, deletion and restriction of processing.

 

 

 

[…]

 

 

 

 

[1]Cf. de Terwangne, ‘Art. 16’, in Kuner/Bygrave/Docksey, C.

[2]Hornung/Hofmann, JZ 2013, 163 (166).

[3]Dissenting Piltz, K&R 2016, 629, 633, who takes the view that oral notifications are generally admissible.

[4]Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union of Member State law (Art. 4 No. 9, 2nd sentence).

[5]Schantz in BeckOK DatenschutzR, Art. 5 mn. 30.

[6]González Fuster, ‘Art. 19’, in Kuner/Bygrave/Docksey, C 1.

[7] ECJ Judgment of 27.10.2022 – C-129/21 ECLI:​EU:​C:​2022:833, (Proximus NV) mn. 85 et seq.

[8]Herbst in Kühling/Buchner, DSGVO, Art. 19 mn. 13.