Contact us Today!

The Right to Rectification (Correction) Under GDPR Article 16

The GDPR provides EU citizens (known as data subjects) the right to correct inaccurate personal data as well as the ability to complete or supplement incomplete personal data. GDPR Article 16, where this right to rectification or correction is set forth, dovetails closely with the accuracy principle set forth in GDPR Article 5(1)(d).

One goal of the GDPR is to ensure that personal data collected and processed by organizations is accurate. The GDPR requires organizations keep personal data accurate and up to data (where necessary). Article 5 requires “every reasonable step” to ensure that inaccurate personal data is erased or rectified. This principle is facilitated by the right to rectification which is given to data subjects in Article 16.

The Accuracy Decision

Organizations are required to update the personal information of the data subject if it is inaccurate or incomplete. There are a number of situations that might arise where the individual may consider the information problematic but the organization does not believe that the request is valid. This includes, among other things, historical records of mistakes and disputed opinions.

Historical Records of Mistakes: If information records a historical mistake that has been corrected, the ICO currently says that it “may be possible to argue” that the record of the mistake is accurate. Nevertheless, the record needs to indicate that there was a mistake and include the correct personal data of the individual.

Disputed Opinions: The ICO permits the maintenance of a subjective opinion if it is difficult to conclude from the available record that the opinion is wrong. The record must, at a minimum, show that the information is an opinion and whose opinion it is.

What does the ICO recommend if the information is accurate? If an organization deems the information accurate, the individual should be informed. The basis of the decision should be explained and they should be informed of their right to complain to the appropriate supervisory authority or to seek enforcement of their right through the judiciary.

Restrictions of Processing After a Correction Request

Article 18 of the GDPR provides the ability to request restriction of the processing of personal data while they are contesting its accuracy. As a result, the ICO has said it is a best practice to halt processing whether or not the individual exercises this right.

Identity Verification

The organization may request documentation where the identity of the individual making the request is in doubt, according to the ICO. The request must be used only to confirm the individual’s identity and must be proportional to the nature of the data that the organization holds.

Correction Time Frame

The GDPR requires organizations to correct inaccurate personal data “without undue delay”. The UK ICO has set forth guidance on what this means in the context of the right to correction. The ICO says that organizations have at the latest one calendar month from the time of receipt to respond to a request for correction.

According to the ICO, the time starts on the next day after the request is received. It does not matter whether the day after the request is received is a working day or not.

The ICO says the organization has until the corresponding day in the next calendar month to respond, unless the date falls on a weekend or a public holiday and then the business is provided until the next working day. If there is no corresponding day in the next month because the time frame for compliance starts on the 31st of the month and the next month only has thirty days, then the compliance date is the last day of the month – the 30th, for example.

The effect of this interpretation is that the precise number of days that a business has to respond to requests varies. The ICO suggests that organizations can adopt a 28 day period for compliance purposes if it assist them with operational or system planning purposes.

Extensions of Time

The ICO will permit an extension of time by up to two months if there are a number of requests from the person or it is a complex request. The individual must be notified of the extension without undue delay and the organization must explain why the extended time is necessary.

However, the ICO warns that there are three circumstances where an extension of time is unlikely to be reasonable. First, if the organization believe the request unfounded or excessive. Second, if an exemption applies and the organization believes that it is not required to comply with it. Finally, the organization may not delay the determination of whether it will respond to the request by requesting the data subjects confirmation of identity while seeking an extension of time. According to the ICO guidance, if the organization is going to extend the deadline in order to await receipt of the documents, it must have already decided to complete the request once they have been received. It cannot subsequently decide that the request is unwarranted.

Notification of Other Organizations

The ICO says that organizations which have distributed personal data to others must inform the other organizations of the rectification or completion of the individual’s personal data. Notification is not required, according to the ICO, only where it requires disproportionate effort or proves impossible. If the organization is asked by the individual where the inaccurate or incomplete data has been distributed, the organization must disclose this information.


Other Data Subject Access Rights

GDPR Article 15: Right of Access
GDPR Article 17: Right to Erasure (“Right to be Forgotten”)
GDPR Article 20: Right to Data Portability

Data Subject Access Requests

Consider the Clarip DSAR Portal. To schedule a demo, call 1-888-252-5653.

Contact Clarip Today for Help with CCPA and GPDR

The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.

If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.

Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.