GDPR: The Right to Rectification
12 februari 2020 
in Privacy

GDPR: The Right to Rectification

Processing accurate and up-to-date personal data is an important aspect of the GDPR. This is important both for your business as well as for the data subject. But how do you make sure the personal data you have on file is still accurate? And do you have a procedure in place to handle rectification requests? By ensuring your organization corrects and updates data efficiently you manage an important risk.

The right to rectification allows data subjects to request a correction or completion of the personal data you process. Thus, this right is mainly aimed at correcting factual inaccuracies and filling in the blanks. It is not a tool to change analyses or opinions and the conclusions drawn from these.  For example: an organization keeps records of whether customers pay their outstanding payments on time. When a person repeatedly does not pay on time, this information is shared with credit rating agency. The organization receives a request for rectification of personal data, since a person has been unrightfully marked as not paying their bills on time. The organization is now obligated to research this and, if relevantrectify the inaccurate data. Since the request for rectification was found to be just, it was also the responsibility of the organization to inform all recipients of the data of the rectification and to ask them to remove the inaccurate data from their systemsIt also lies within the obligation of the organization to inform the data subject of the completed rectification.  

Your Obligations 

Organizations are obligated to ensure the data they process is correct, complete and up to date. Processes involving personal data both within the organization as well as with data processors (third parties) should contribute to this. Are new or rectified records of personal data processed properly? How are data streams within the organization organized and can different departments access the updated files? How easily can the third parties you share information with process rectifications? What happens when a request for rectification is submitted to a third party processor instead of the data controller?  A pitfall in the quest for accurate data management is the collection of too much personal data. An important principle of the GDPR is data minimization. This means that all personal data you process should have a clear purpose based on one of the six lawful grounds defined in the GDPRAlthough organizations should strive to maintain an accurate, up- to- date and complete database, it is important to always keep the principle of data minimization top of mind.  

Automated Compliance

 How data is stored influences how easily personal data can be rectified, should such a request be made. When you receive a request for rectification you are obligated to respond within one month. Would you be able to do this? What other benefits would optimizing your data storing processes have? By storing your information management system in some form of tooling you take an important step towards enhanced efficiency. To a certain extent organizations are able to make do with a data processing register in Excel. However, when an increasing number of people need to work with the file and edit it, it will become increasingly difficult to maintain one proper overview. This is when the use of software becomes necessary, for example to avoid back-up overwrites or other loss of data. Regarding the rectification process specifically, it is always our advice to define a protocol or clear step-by-step plan for your employees, to facilitate a timely response to the request. 

The Audittrail Answer 

A critical assessment of your information management system boosts your corporate efficiency. You will be able to communicate faster and more effectively with your data subjects. This means an overall improvement in service and quality.   The Audittrail team has extensive experience with InfoSec, specifically in relation to privacy compliance. If you are interested in our products and services that would be of use to your organization, we invite you to send an email to  

About the author
Joyce is active at Audittrail as Director of Consultancy and senior privacy lawyer. Before Audittrail she held several positions, all in the (international) legal field. She mainly supports and advises companies on the implementation of privacy.
Place comment