what is the right to rectification?
article 16 of the gdpr gives individuals the ‘right to rectification’. this right allows people to request that any inaccurate personal data concerning them that businesses or other organisations hold be corrected.
under the right to rectification, you can challenge the accuracy of any personal data that an organisation holds about you. you can ask for it to be corrected or, if it’s incomplete, completed with the addition of more detail.
what are data rectification requests?
a data rectification request is a formal request you can use to exercise your right to rectification. in other words, it’s the document you send to an organisation if you want your data to be corrected.
how can my data be corrected?
you should contact the organisation that holds the inaccurate or incomplete personal data and inform them that you are challenging the accuracy of your data and that you wish for it to be corrected. you should:
-
clearly state what information you consider to be inaccurate or incomplete
-
explain how it should be corrected
-
provide evidence of the inaccuracy, if such is available
you can make a request to have your data corrected verbally or in writing. however, it is recommended that you make such a request in writing so that you have a record of the request. if you make a verbal request, you should follow up in writing to explain your concern, give evidence, and state your desired solution.
you can use the information commissioner’s office’s (ico’s) data rectification request template to make a request.
what if the data records a mistake or an opinion?
determining whether data is inaccurate can be difficult if the data refers to a mistake that has subsequently been corrected. it may be argued that the record of the mistake, in itself, is accurate and should be maintained (as well as the correct version of the data). where this is the case, the fact that a mistake was made should also be included in the individual's data. for example, a medical record should reflect any incorrect diagnoses given to a patient along with the correct diagnosis and information about the correction made, to provide an accurate record of the patient’s medical treatment.
similarly, if data is about an opinion, it can be difficult to determine whether the data records an inaccurate opinion as opinions are inherently subjective. provided that the record clearly shows that the information is an opinion and whose opinion it is (where appropriate), it may be difficult to require an opinion to be corrected for being inaccurate.
what will organisations do after receiving a data rectification request?
when organisations are asked to correct your data, they should take reasonable steps to investigate whether the data is accurate, considering your arguments and any evidence you provide. they should be able to show that they have done this.
once the organisation has investigated, they should contact you and they should either:
-
confirm that your data has been corrected, deleted or amended, or
-
inform you that they will not correct the data, explaining why they believe the data to be accurate
if an organisation does not correct the data, they should record that you have challenged the data’s accuracy and the reasons for your challenge.
if an organisation has disclosed your data to others, they must contact them and inform them that the data has been corrected or completed, unless this is impossible or involves a disproportionate effort. you can ask an organisation to tell you which recipients have received your data.
can organisations refuse a data rectification request?
organisations can refuse to comply with a request for correction if they believe that the request is ‘manifestly unfounded or excessive’. for example, a request may be manifestly unfounded if you have no intention to exercise your right to rectification and are just hassling the organisation. a request may be excessive if it repeats the substance of previous requests.
where this is the case, organisations can:
-
request that you pay a reasonable fee for them to deal with the request, or
-
refuse to deal with the request
they will need to inform you of this and justify their decision.
how long do organisations have to respond and can they charge a fee?
organisations typically have one month to respond to your request. in some circumstances (eg if you’ve made several requests), organisations can take up to an extra 2 months to respond substantially to your request. organisations must inform you within one month if they require more time and explain why.
data requests should generally be dealt with and provided free of charge. however, a fee may be charged in certain limited circumstances (eg if the organisation finds the request is manifestly unfounded or excessive).
for more information, read data protection requests.
what if an organisation doesn’t respond or its response is unsatisfactory?
if, after sending a data rectification request, an organisation doesn’t respond or their response is unsatisfactory, you should first contact the organisation to attempt to resolve the situation. if, after contacting the organisation, you do not receive a response or remain dissatisfied with the response, you can complain directly to the ico. you can also consider attempting to enforce your data protection rights through the courts (however, this can be expensive and time-consuming). for more information, read data protection requests.
ask a lawyer if you have any questions about your right to rectification. to find out more about your data protection rights in general, read data protection and privacy.
if you are a business or other organisation and want to find out more about how to handle data rectification requests, read data protection requests. for more general information about data protection, read data protection for businesses.