Right to Rectify Data: Your GDPR Power to Correct Inaccurate Personal Information

The right to rectify data, established in GDPR Article 16, allows individuals to obtain rectification of inaccurate personal data concerning them and completion of incomplete personal data, including through a supplementary statement. Data controllers must respond to such requests within one month and notify recipients of any rectification, as outlined by authorities like the ICO.

This right supports the accuracy principle in Article 5(1)(d), ensuring personal data remains accurate and up to date. For individuals, it provides a mechanism to enforce data accuracy in scenarios like employment records or medical files. Data controllers, such as employers or HR departments, have duties to verify and update data promptly, avoiding compliance gaps. In 2026, with ICO guidance under review following post-2025 developments, these principles remain foundational for data handling.

What Is the Right to Rectify Data Under GDPR?

GDPR Article 16 grants individuals the right to have inaccurate personal data rectified and incomplete personal data completed, often by providing a supplementary statement. This right ties directly to the accuracy principle in Article 5(1)(d), which requires personal data to be accurate and kept up to date, with reasonable steps taken to erase or rectify inaccurate data without delay.

The Data Protection Commission in Ireland highlights its foundation in the Charter of Fundamental Rights, Article 8(2), which recognizes the right of access to personal data and the right to have such data rectified, though limitations may apply under Article 52. Together, these elements support data subjects in maintaining control over their information's integrity, ensuring it reflects reality across processing activities. As per ICO guidance, this right applies whenever personal data processed by a controller fails to meet these standards, giving individuals a targeted tool to challenge and correct records held by organizations.

When Can You Exercise the Right to Rectify Your Data?

Individuals can exercise the right to rectify data when they challenge the accuracy of their personal data or request completion of incomplete information. According to ICO guidance, a valid request arises if the individual contests the data's correctness, prompting the controller to verify it.

This often links to the right of restriction under Article 18, where an individual contests accuracy pending verification, allowing the controller time to check without further processing. In medical contexts, patients can seek rectification of inaccurate or incomplete data in their medical files, including by submitting an additional statement to the doctor as the data controller, as noted in patient rights resources from Ginestie.

Such triggers ensure rectification addresses discrepancies, whether in health records or other personal data holdings. For instance, if an individual's details in a controller's database are outdated or erroneous, they can invoke Article 16 directly, supported by evidence of the correct information, to prompt the necessary review.

Data Controller Obligations When Handling Rectification Requests

Data controllers must respond to rectification requests without undue delay and at the latest within one month of receipt. For example, a request received on 30 March is due by 30 April, or the next working day if 30 April falls on a weekend or holiday, per ICO guidance.

Controllers also need to communicate any rectification to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort, as detailed by CNIL under Article 19. For employers and HR teams handling employee data, this means reviewing records, updating them if warranted, and informing relevant parties like payroll systems or third-party providers. This process aligns with the accuracy principle in Article 5(1)(d), requiring controllers to take reasonable steps to ensure data correctness every time a valid challenge is raised.

These steps promote transparency and accuracy in data management, with controllers evaluating the request's specifics--such as the evidence provided--to determine if rectification is required.

Individual vs. Controller: Guidance on Rectifying Data Requests

For Individuals: How and When to Request Rectification

If you identify inaccurate or incomplete personal data, submit a rectification request to the controller, specifying the data in question and providing evidence of the correct information. Challenge accuracy directly or request completion via a supplementary statement, particularly when the data affects decisions about you, such as in employment or health contexts. ICO resources confirm validity when contesting accuracy, and linking to restriction under Article 18 can pause processing during verification. This approach ensures your request is clear and evidence-based, increasing the likelihood of a timely controller response within the one-month limit.

For Controllers: Verifying, Responding, and Notifying

Upon receiving a request, verify the data's accuracy using available evidence. Respond within the one-month timeline, rectifying if confirmed inaccurate or incomplete. Notify recipients as per Article 19, balancing effort against impossibility. Factors like request clarity and supporting evidence guide decisions--valid challenges warrant action, while controllers assess proportionality. Employers and HR should document these processes to align with accuracy duties under Article 5(1)(d), maintaining records of verification steps, responses, and any notifications to third parties like service providers.

This role-based approach ensures handling from both sides, with individuals empowered to act and controllers equipped to comply systematically.

FAQ

What is the right to rectify data under GDPR Article 16?

The right to rectify data under GDPR Article 16 allows individuals to obtain rectification of inaccurate personal data and completion of incomplete personal data, including by means of providing a supplementary statement.

How long does a data controller have to respond to a rectification request?

A data controller must respond within one month of receipt, such as a request on 30 March being due by 30 April or the next working day if that date is a weekend or holiday.

Does the right to rectification apply to medical or health data?

Yes, patients can exercise the right to rectify inaccurate or incomplete personal data in their medical files, including by providing an additional statement to the doctor as data controller.

What happens if a controller rectifies data--do they notify others?

Controllers must notify each recipient to whom the personal data has been disclosed of the rectification, unless impossible or involving disproportionate effort.

How does the right to rectification connect to data restriction?

The right to rectification links to the right of restriction under Article 18, where an individual contests accuracy while the controller verifies the data.

Can the right to rectification be limited or refused?

The right stems from Charter Article 8(2), which is not absolute and may be subject to limitations under Article 52, with controllers assessing request validity based on evidence.

To apply this knowledge, individuals should review their data holdings and contact controllers with specific requests, while controllers can update internal procedures to meet timelines and notification duties.