From the ‘Regulation’ link under Commission Proposals on the data protection reform: legislative texts (which downloads this PDF document):
126.96.36.199. Section 3 – Rectification and erasure
Article 16 sets out the data subject’s right to rectification, based on Article 12(b) of Directive
Article 17 provides the data subject’s right to be forgotten and to erasure. It further elaborates
and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC and
provides the conditions of the right to be forgotten, including the obligation of the controller
which has made the personal data public to inform third parties on the data subject’s request to
erase any links to, or copy or replication of that personal data. It also integrates the right to
have the processing restricted in certain cases, avoiding the ambiguous terminology
Article 18 introduces the data subject’s right to data portability, i.e. to transfer data from one
electronic processing system to and into another, without being prevented from doing so by
the controller. As a precondition and in order to further improve access of individuals to their
personal data, it provides the right to obtain from the controller those data in a structured and
commonly used electronic format.
If anyone can find these articles, we should be able to find out what the specifics are. There are articles starting about half-way down this page (the ‘Directive’ link directly under the previous link), but they don’t seem to accord with the text above. Article 16 is about erasure, but 17 and 18 are about other matters).
Article 16 Right to erasure
Member States shall provide for the right of the data subject to obtain from the controller the erasure of personal data relating to them where the processing does not comply with the provisions adopted pursuant to Articles 4 (a) to (e), 7 and 8 of this Directive.
The controller shall carry out the erasure without delay.
Instead of erasure, the controller shall mark the personal data where:
(a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;
(b) the personal data have to be maintained for purposes of proof;
© the data subject opposes their erasure and requests the restriction of their use instead.
- Member States shall provide that the controller informs the data subject in writing of any refusal of erasure or marking of the processing, the reasons for the refusal and the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.
Article 17 Rights of the data subject in criminal investigations and proceedings
Member States may provide that the rights of information, access, rectification, erasure and restriction of processing referred to in Articles 11 to 16 are carried out in accordance with national rules on judicial proceedings where the personal data are contained in a judicial decision or record processed in the course of criminal investigations and proceedings.
CHAPTER IV CONTROLLER AND PROCESSOR
SECTION 1 GENERAL OBLIGATIONS
Article 18 Responsibility of the controller
Member States shall provide that the controller adopts policies and implements appropriate measures to ensure that the processing of personal data is performed in compliance with the provisions adopted pursuant to this Directive.
The measures referred to in paragraph 1 shall in particular include:
(a) keeping the documentation referred to in Article 23;
(b) complying with the requirements for prior consultation pursuant to Article 26;
© implementing the data security requirements laid down in Article 27;
(d) designating a data protection officer pursuant to Article 30.
The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraph 1 of this Article. If proportionate, this verification shall be carried out by independent internal or external auditors.