
GDPR Art.19: Notification Obligation Regarding Rectification, Erasure or Restriction

What This Control Requires

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

In Plain Language

Correcting or deleting data in your own systems is only half the job. If you've shared that data with anyone else - processors, partners, other controllers - they're still working with the old version. Article 19 says you need to tell them about the change so they can act on it too.

Whenever you carry out a rectification, erasure, or restriction under Articles 16, 17, or 18, you must notify every recipient who received that data. The only exception is where notification is genuinely impossible or would involve disproportionate effort, and that's a high bar. You need to assess it case by case, considering how many recipients there are, whether you have their contact details, and whether automated notification is feasible.

There's a transparency angle here as well. If the data subject asks, you must tell them exactly which recipients you notified. This lets them verify that the correction or deletion actually propagated beyond your own systems and follow up directly if it didn't.

How to Implement

Keep a proper registry of every recipient you've disclosed personal data to. Link it to your Records of Processing Activities and include who the recipient is, what data categories were shared, when and why the sharing happened, and a current contact for privacy notifications. Update it every time you start sharing with someone new.

Create standardised notification templates for each type of change. A rectification notice should include the corrected data. An erasure notice should clearly identify what needs deleting. A restriction notice should spell out the scope and expected duration. Always include clear instructions on what the recipient needs to do.

Automate notifications wherever you can, especially for recipients you exchange data with regularly through APIs or data feeds. Set up triggers so that when data is corrected, deleted, or restricted in your system, the relevant notifications fire automatically. For recipients without automated channels, build a manual workflow with tracking so nothing falls through the cracks.

Log every notification you send - date, recipient, notification type, and content. You'll need this both for accountability and to answer data subjects who ask which recipients were told. Keep these logs alongside your data subject request records.

Put escalation procedures in place for when recipients don't respond or can't action the notification. Your data sharing agreements and processor contracts should require cooperation with downstream notifications and confirmation of actions taken. If a recipient consistently fails to comply, enforce it through your contractual mechanisms.
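The trigger, log, and follow-up steps above can be sketched as follows. This is an added example, not code from the original page; the registry rows, recipient names, field names, and the `send` transport callable are all hypothetical and the data is constructed.

```python
from datetime import datetime, timezone

ACTIONS = ("rectification", "erasure", "restriction")

# Constructed recipient registry: one row per disclosure (names are hypothetical).
REGISTRY = [
    {"recipient": "PayrollCo", "subject": "S-1001", "categories": {"contact", "bank"},
     "contact": "privacy@payrollco.example", "channel": "api"},
    {"recipient": "MailHouse", "subject": "S-1001", "categories": {"contact"},
     "contact": "dpo@mailhouse.example", "channel": "manual"},
    {"recipient": "AnalyticsLtd", "subject": "S-2002", "categories": {"usage"},
     "contact": "privacy@analytics.example", "channel": "api"},
]

def notify_recipients(registry, log, subject, action, categories, details, send):
    """Fan out one Art. 16/17/18 change to every recipient that holds the data."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    created = []
    for row in registry:
        affected = row["categories"] & set(categories)
        if row["subject"] != subject or not affected:
            continue  # this recipient never received the affected data
        entry = {
            "date": datetime.now(timezone.utc).isoformat(),
            "recipient": row["recipient"], "subject": subject, "type": action,
            "content": {"categories": sorted(affected), "details": details},
            "status": "manual_pending", "confirmed": False,
        }
        if row["channel"] == "api":
            try:
                send(row["contact"], entry)      # transport supplied by the caller
                entry["status"] = "sent"
            except Exception as exc:             # a failed send is still logged
                entry["status"] = f"failed: {exc}"
        log.append(entry)
        created.append(entry)
    return created

def notified_recipients(log, subject):
    """Answer a data subject's request: who was actually told, and about what."""
    return sorted({(e["recipient"], e["type"]) for e in log
                   if e["subject"] == subject and e["status"] == "sent"})

def needs_follow_up(log):
    """Entries to chase or escalate: not sent, or sent but not yet confirmed."""
    return [e for e in log if e["status"] != "sent" or not e["confirmed"]]
```

Calling `notify_recipients` from the same code path that applies the rectification, erasure, or restriction keeps the notification inside the request workflow, and the log doubles as the record used to answer data subjects.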

Evidence Your Auditor Will Request

  • Registry of data recipients linked to categories of personal data shared
  • Notification templates for rectification, erasure, and restriction communications
  • Log of notifications sent to recipients with dates, content, and confirmation of receipt
  • Contractual clauses requiring recipients to cooperate with downstream notifications
  • Procedure for informing data subjects about notified recipients upon request

Common Mistakes

  • No record of recipients to whom personal data has been disclosed, making notification impossible
  • Notifications not sent to recipients after rectification, erasure, or restriction of data
  • No tracking system to confirm that recipients have actioned the notification
  • Inability to inform data subjects which recipients were notified when requested
  • Data sharing agreements lacking provisions for downstream notification cooperation

Related Controls Across Frameworks

Framework | Control ID | Relationship
ISO 27001 | A.5.34 | Related

Frequently Asked Questions

Do we need to notify all recipients, including processors?
Yes, every recipient counts - including processors acting on your behalf. The good news is that processor notifications should be straightforward since you already have a direct contractual relationship. Make sure your processor agreements include a clause requiring cooperation with these notifications.

When does the 'disproportionate effort' exception apply?
Very rarely, and regulators interpret it narrowly. It might apply if you've shared data with a huge number of recipients and genuinely can't track them all down. It definitely doesn't apply just because notification is inconvenient or time-consuming. If you rely on this exception, document your reasoning thoroughly for each case.

How quickly must we notify recipients?
Article 19 doesn't set a specific deadline, but the obligation kicks in the moment you carry out the rectification, erasure, or restriction. In practice, the best approach is to bake notification into the same workflow that handles the data subject's request, so it happens as part of the same process rather than as an afterthought.
