GDPR Art.16: Right to Rectification

What This Control Requires

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

In Plain Language

People have the right to fix their own data when it is wrong or incomplete. It sounds simple, but the operational reality trips up many organisations - especially the requirement to propagate corrections across every system where the data lives.

The right covers two situations: correcting factually wrong data (wrong date of birth, misspelled name, outdated address) and completing data that is incomplete in a way that matters for the processing purpose. Individuals can provide supplementary information to make their records more accurate.

There is also a downstream obligation under Article 19. When you correct data, you must notify every third party you have shared that data with, unless doing so is impossible or disproportionately difficult. That means you need to know who you have shared data with - which ties directly back to your data mapping and processing records.

How to Implement

Set up a clear intake and workflow for rectification requests. Define how requests come in, who handles them, and how corrections get made. Keep it simple for the data subject - if correcting a misspelled name takes three weeks and a notarised affidavit, you have a problem. Meet the one-month Article 12 deadline.

Verify identity before making changes, but keep it proportionate. You can ask for evidence supporting the correction (e.g., a document showing the correct information), but do not create barriers that effectively block people from exercising this right. Document your reasoning for accepting or declining each request.

Propagate corrections across every system where the data exists. Data typically lives in the CRM, billing, marketing tools, HR systems, analytics platforms, and third-party services simultaneously. Map where rectified data might be stored and build workflows - automated where possible, manual checklists where not - to ensure consistent updates everywhere.

Notify third parties who received the inaccurate data, per Article 19. This requires knowing who you shared data with, so maintain disclosure records. Create notification templates, execute them promptly, and be ready to tell the data subject which recipients were notified.

Offer self-service correction where it makes sense. Let people update their name, address, and contact details through their account settings. It reduces your administrative load and gives individuals direct control. For data with legal or financial implications, keep a manual review step.

Evidence Your Auditor Will Request

  • Documented rectification request handling procedure
  • Rectification request log showing requests received, actions taken, and response timelines
  • Evidence of data corrections propagated across multiple systems
  • Records of third-party notifications following rectification (Article 19)
  • Self-service data correction capabilities in customer-facing systems

Common Mistakes

  • Corrections made in one system but not propagated to other systems holding the same data
  • No process for notifying third-party recipients of rectified data as required by Article 19
  • Excessive evidence requirements that effectively prevent data subjects from exercising rectification rights
  • No mechanism for data subjects to request completion of incomplete data
  • Failure to respond to rectification requests within the one-month deadline

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.33        Related

Frequently Asked Questions

Can we refuse a rectification request if we believe our data is accurate?

Yes, if your investigation confirms the data is actually correct. Explain your reasoning to the data subject and document how you reached that conclusion. The individual can add a supplementary statement to their record presenting their side, and they can take the matter to a supervisory authority if they disagree with your decision.

Does the right to rectification apply to opinions or subjective assessments?

Generally no. Factual data (names, dates, addresses) can be corrected. Opinions and subjective assessments - like a manager's performance review - are inherently subjective and are not "inaccurate" in the Article 16 sense. But the data subject can request that a supplementary statement be added to their record to put their perspective on file.

How quickly must we action a rectification request?

The Article 12 deadline is one month, but "without undue delay" is the standard in Article 16 itself. For a straightforward correction like fixing a misspelled name, there is no good reason to wait a month. Fix it in days if you can. Reserve the full timeframe for cases that genuinely require investigation.
