GRCWatch
Sign inStart free trial

GDPR A19-01: Notification Obligation for Rectification or Erasure

When you rectify, erase, or restrict personal data, you're legally required to notify every recipient who received that data—unless it's impossible or disproportionately burdensome. This control ensures your data subjects' rights cascade to third parties, not just your organization. GRCWatch helps you track disclosures and automate notification workflows so compliance becomes repeatable, not chaotic.

What this means

GDPR A19-01 mandates that controllers communicate any rectification, erasure, or processing restriction of personal data to all recipients (processors, joint controllers, third parties) who previously received that data. The obligation applies unless: (1) notification proves impossible, (2) it requires disproportionate effort, or (3) the data subject explicitly objects. This ensures data integrity extends beyond your walls and recipients can update their own records.

How to comply

  1. 1.Maintain a detailed disclosure log documenting every recipient who received personal data, including date, scope, and recipient identity
  2. 2.Define your process for determining when notification is 'impossible' or 'disproportionate' (e.g., lost contact info, dissolved organizations) and document these decisions
  3. 3.Create notification templates for rectification, erasure, and processing restriction scenarios that clearly explain the change and its impact
  4. 4.Establish a tracking mechanism to confirm notification receipt and document any rejected or undeliverable communications
  5. 5.Train your data handling teams to flag rectification, erasure, or restriction requests immediately so notifications can be triggered
  6. 6.Review and test your notification workflow quarterly to ensure no recipients slip through the process

Evidence auditors look for

  • Disclosure registry or data mapping showing all third-party recipients and dates of disclosure
  • Documented assessment of impossibility or disproportionality (e.g., analysis of recipient contact info, communication cost-benefit)
  • Copies of notification communications sent to recipients with timestamps and delivery confirmation
  • Audit log of rectification/erasure requests and corresponding recipient notifications
  • Retention records of notification status (sent, failed, acknowledged, rejected)
  • Data subject consent records if notification was waived at their explicit request

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's automated disclosure tracking and notification engine logs every recipient, flags data changes in real time, and generates audit-ready notification records—eliminating manual spreadsheets and notification gaps.

See how GRCWatch handles this control automatically

Start free trial