§ 58 Right to rectification and erasure and to restriction of processing

  1. The data subject shall have the right to obtain from the controller without delay the rectification of inaccurate data concerning him or her. In particular in the case of statements or assessments, the question of accuracy is not relevant for the content of the statement or assessment. If the accuracy or inaccuracy of the data cannot be ascertained, the controller shall restrict processing instead of erasing the data. In this case, the controller shall inform the data subject before lifting the restriction of processing. The data subject may also ask to have incomplete personal data completed, if doing so is appropriate when taking into account the purposes of processing.
  2.  The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without delay where processing such data is unlawful, knowledge of the data is no longer necessary for the performance of tasks, or the data must be erased to comply with a legal obligation.
  3. Instead of erasure, the controller may restrict processing where
    1. there is reason to assume that erasure would adversely affect legitimate interests of the data subject,
    2. the data must be retained for the purposes of evidence in proceedings serving the purposes of Section 45, or
    3. erasure would be impossible or would involve a disproportionate effort due to the specific mode of storage.

    Data subject to restricted processing pursuant to the first sentence may be processed only for the purpose which prevented their erasure.

  4. In automated filing systems, technical measures shall ensure that the restriction of processing is clearly recognizable and processing for other purposes is not possible without further examination.
  5. If the controller has rectified inaccurate data, he or she shall communicate the rectification to the body from which he or she received the personal data. In cases of rectification, erasure or restriction of processing pursuant to subsections 1 to 3, the controller shall inform recipients to whom the data were transferred about these measures. The recipient shall rectify or erase the data or restrict their processing.
  6. The controller shall inform the data subject in writing of any refusal to rectify or erase personal data or restrict its processing. This shall not apply if providing this information would entail a threat as referred to in Section 56 (2). The information pursuant to the first sentence shall include the reasons for the refusal unless providing the reasons would undermine the intended purpose of the refusal.
  7. Section 57 (7) and (8) shall apply accordingly.

Content of the FDPA (new)

Part 1 – Common provisions (§§ 1 - 21)

Part 2 – Implementing provisions for processing for purposes in accordance with Article 2 of Regulation (EU) 2016/679 (§§ 22-44)

Chapter 1 – Legal basis for processing personal data
Sub-chapter 1 – Processing of special categories of personal data and processing for other purposes

Sub-chapter 2 – Special processing situations

Chapter 2 – Rights of the data subject

Chapter 3 – Obligations of controllers and processors

Chapter 4 – Supervisory authorities for data processing by private bodies

Chapter 5 – Penalties

Chapter 6 – Legal remedies

Part 3 – Implementing provisions for processing for purposes in accordance with Article 1 (1) of Directive (EU) 2016/680 (§§ 45-84)

Chapter 1 – Scope, definitions and general principles for processing personal data

Chapter 2 – Legal basis for processing personal data

Chapter 3 – Rights of the data subject

Chapter 4 – Obligations of controllers and processors

Chapter 6 – Cooperation among supervisory authorities

Chapter 7 – Liability and penalties

Part 4 – Special provisions for processing in the context of activities outside the scope of Regulation (EU) 2016/679 und Directive (EU) 2016/680 (§ 85)