Article 16 of the GDPR
Right to rectification of personal data according to the GDPR
Right to rectification of personal data under the GDPR, means that personal data shall be rectified if they are incorrect or incomplete. Data subjects have the right to request that their personal data shall be rectified. In addition, data subjects have the right to have their personal data completed if they are incomplete.
Data subject's right to rectification of personal data under the GDPR
The right to rectification of personal data is one of the eight (8) fundamental rights that data subjects have under the GDPR. Article 16 of the GDPR governs the right to rectification of personal data.
Timeframe for implementing a rectification upon receipt of the data subject's request
When a company receives a request for rectification from the data subject, the company shall reply within a reasonable time. According to the general rule, the company must handle the case within one month.
However, the company may extend this deadline in certain cases. If the company needs an extension of the deadline, the company shall inform the data subject thereof within the first month. Including stating the reasons for the extension. The company may extend the time limit for a maximum of two more months.
Please note that the company must justify its decision to extend the period. One reason why it may be permissible to extend the time is if it relates to a complex request. Alternatively, if the company has received a large number of requests in a short period of time.
Charge a fee for rectification of personal data
In some cases, a company may charge a fee for correcting personal data. However, in the vast majority of cases, a company does not have the right to charge a fee. An example of when it may be permissible to charge is if it relates to an unreasonable or unfounded request. For example, if a person requests a correction or other right every week. In such cases, the fee must be reasonable and thus must not be too high.
Refusal to comply with a data subject's request to rectify personal data under the GDPR
Companies shall correct personal data that is incorrect, either upon request or upon the company’s own discovery of incorrect personal data. However, in some cases, a company may consider the personal data to be correct or complete, even if the data subject does not.
The company must inform the data subject if they refuse to rectify the personal data. The information shall include, inter alia, the justification for the refusal. In addition, the company shall inform the data subject about their right to lodge a complaint to the national supervisory authority for GDPR matters.
A company did not facilitate the customer's right to rectification of personal data
The Swedish data protection authority noted that an internationally well-known company did not facilitate the customer's right to rectification when the customer wanted to have its email address corrected. In addition, the company in question lacked technical measures to enable the customer to change its own email address. As a result, the company did not meet the requirements of the GDPR. The consequence for the company was a reprimand instead of a fine (see Recital 148 of the GDPR). A reprimand is a form of written warning. This is often issued by the supervisory authority in case of a minor infringement.
Companies should verify the identity of the data subject before the company starts processing the request
A company receiving a request to fulfill a right, first needs to verify the data subject’s identity. For example, regarding requests about the right to rectification and other rights. Here are some examples of rights that data subjects cannot exercise if they cannot be identified by the company:
The right to:
Access personal data.
Get personal data corrected or completed.
Have personal data deleted.
Have the company restrict the processing of personal data.
Transfer personal data between different systems (dataportability).
Companies must inform about a completed rectification
If personal data is rectified at the request of the data subject, the company shall inform about the rectification. The company shall provide information about the rectification to any third parties to whom the company has disclosed the personal data. This shall be done to ensure that such third parties also correct the personal data accordingly.
However, this information requirement does not apply if such notification would be too burdensome for the company. Nor does it apply if the company can show that it would be impossible for them to do so. Furthermore, the data subject has the right to receive information from the company about the third parties to whom the company has disclosed the data subject’s personal data.
Other data subjects' rights under the GDPR
Right to erasure
Data subjects have the right under the GDPR to ask a company to delete their personal data that they process. However, this does not always mean that the company must do so, as there are certain exceptions under the law. Companies must, among other things, delete personal data if they are no longer necessary for the purpose for which they were collected or if the legal basis is consent and the data subject withdraws it.