act legal Germany (AC Tischendorf Rechtsanwälte) 22. Maggio 2023

ECJ obliges companies to comply with comprehensive information obligations and organisational measures in the event of data protection deletion requests – Need for action and implementation in corporate practice

Overview

The European Court of Justice (ECJ) has ruled that companies which process personal data
(= data controllers in the sense of the GDPR) to take appropriate technical and organisational measures to ensure that they inform other data controllers about the assertion of data subject rights (Chapter 3 of the GDPR).

Previous practice

So far, the obligations under Art. 19 GDPR (notification obligation in connection with the rectification or erasure of personal data) have been interpreted rather restrictively and assumed to impose only a limited obligation on controllers.

Interpretation in accordance with the ECJ ruling

According to the ECJ ruling of 27 October 2022, the notification obligation of Art. 19 GDPR also extends to those controllers from whom personal data have been received. It is then the responsibility of this controller to take appropriate technical and organisational measures to inform both recipients of data and the original source about the revocation. The controller therefore has a comprehensive duty to inform about a data subject’s request for deletion. They must practically involve all other parties in the information chain about the request for deletion or a revocation of data protection consent to the processing and disclosure of personal data.

Conversely, data subjects have the right to choose which controller they address a request to within a processing chain.

Implementation

This broad interpretation of the ECJ means that data controllers must ensure compliance with data subjects’ rights in “all directions”. In fact, this means a comprehensive record of where personal data comes from and to whom it is disclosed.

These requirements can only be ensured and proven through precise and up-to-date documentation of the processes in question (data mapping) in a directory of processing activities (Art. 30 GDPR) and an accompanying organisational guideline.

We have extensive experience in the design of the prescribed documents and know how to implement them in a legally compliant and effective manner – in line with your corporate culture.

Feel free to contact us at any time.

Per maggiori informazioni si prega di contattare

Dr. Florian Wäßle, LL.M.

Attorney at law
act legal Germany AC Tischendorf Rechtsanwälte Frankfurt, Germany
Telefono: +49 69 24 70 97 46

Marcus Columbu

Attorney at law
act legal Germany AC Tischendorf Rechtsanwälte Frankfurt, Germany
Telefono: +49 69 24 70 97 32