What is the right to rectification under the General Data Protection Regulation?
How can a person exercise this right and what is a company’s obligation?
What are the possible sanctions for infringing the right to rectification?
In this article, we will look over the right to rectification in detail and provide you all the information that you need to know to comply with GDPR.
Are you ready?
Let’s get started!
What is the right to rectification?
The right to rectification is the right granted to an individual to request the correction of inaccurate information held about them.
The right to rectification also covers instances where a company holds information about an individual that is accurate but incomplete, and the person wishes to complete the company’s records.
On the one hand, an individual has the right to rectification and, on the other hand, a company has the obligation to process accurate information about a data subject under the GDPR principle of accuracy.
How does a data subject request the rectification of personal data?
A data subject can request the rectification of their personal data in any way.
GDPR does not provide any specific method for submitting a rectification request.
A request can be sent to the company by email, letter, fax, through social media platforms or any other effective way.
Provided the request is clear and properly received, the company will need to comply with it.
How long does a company have to respond to a rectification request?
A company has an obligation to respond to the data subject without undue delay or by no later than one month following the receipt of the request.
As with any data subject access request, if the request is complex or will require more time to process, a data controller or data processor can extend the response period by an additional two months.
If a company wishes to extend the period, it must respond to the data subject within the one-month period initially granted and inform the data subject of the extension along with the reasons for it.
What should a company do when it receives a rectification request?
When a company receives a request from a data subject to rectify inaccurate information or complete its records, it must take the necessary steps to achieve that goal.
In some cases, the data subject may need to provide additional information for the company to properly assess the nature of the request and understand what needs to be corrected.
Personal data that a company actively uses, and that has a greater impact on the data subject, should be kept accurate and complete with greater care than information that is not used.
This is not to say a company should keep inaccurate data, but it does become a matter of priority.
Even without a data subject’s exercise of the right to rectification, a company must exercise prudence and diligence with respect to commonly used personal data to ensure it is using correct and accurate data.
Every request must be evaluated by the company in light of what the data subject is asking for, what measures the company had taken to ensure accuracy, the level of effort required to correct the data, and so on.
How to determine that data is inaccurate?
GDPR does not provide any specific details as to how to determine that data is inaccurate.
A company should evaluate the right balance between its obligation to comply with the principle of accuracy and the rectification of personal data when requested by a data subject.
Will a mistake in company records be considered inaccurate?
A company mistake in the record is not necessarily inaccurate data.
A company mistake should be kept as a factual record of the mistake.
If a company had made a mistake in the shipping of a product, then corrected the mistake and shipped the product, it’s reasonable for the company to keep a record of the mistake for audit purposes and to have a proper factual history of its operations.
A person could not ask the company to correct the record of what it had used by mistake.
That mistake is a correct factual record from the company’s vantage point.
How to rectify subjective data like an opinion?
What do you do when a person asks that you rectify the record of an opinion?
Dealing with a rectification request concerning an opinion will not be easy.
Was the opinion that of the same person?
Was it really an opinion?
What part of the opinion is not accurate?
Companies should exercise great care in evaluating the rectification of an opinion.
There is no cookie-cutter answer here; it’s a matter of reasonably evaluating the request.
Subject access request and right to rectification
In most cases, a person’s right to rectification may be exercised following a subject access request.
A subject access request is a person’s right to access his or her personal data used by a company.
When a person obtains a copy of the records held by a company about them, they may notice incorrect information or missing relevant information.
In such cases, the data subject will most likely submit a rectification request to resolve any issues perceived with their personal data.
A company with proper governance and good compliance procedures should have a process in place where such requests are handled in a streamlined and simple manner.
A data subject should be able to access their personal data without too much difficulty or red tape, and when a rectification request is submitted, the organization should diligently review and handle it.
Restriction of processing while rectifying data
A company must restrict the processing of personal data when a request for rectification has been submitted.
That’s an obligation stemming from Article 18 GDPR.
When the accuracy of the personal data is contested by a data subject, the company must restrict the processing for a period of time allowing it to verify the accuracy of the personal data.
Can a company refuse to rectify a person’s data?
A company should consider correcting or completing data held on a data subject to comply with GDPR.
However, Article 12(5) GDPR states that:
“where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request”.
Based on this article, a data controller or data processor has the right to refuse or reject a data subject’s request provided it is able to demonstrate that the request is manifestly unfounded or excessive.
What is a manifestly unfounded request?
GDPR allows a data controller or data processor to either charge a fee or reject a data subject’s right to rectification of personal data if the request is manifestly unfounded.
The term ‘manifestly’ refers to a request that is obvious or leaves no doubt that it is unfounded.
Companies should carefully assess a subject access request before rejecting it to ensure that the request is indeed manifestly unfounded.
Here are some examples of manifestly unfounded requests:
- A person has filed a request to get monetary advantages from the company
- The person’s request clearly shows that the objective is to disrupt the company’s operations
- The request is a person’s way to attack an employee of your company
- The person’s request is malicious
- The person is using the subject access request (SAR) as a means to harass the organization
What is an excessive request?
A data subject request can also be excessive in nature justifying its rejection.
A request is excessive when what the person demands is unreasonable in scope or is repetitive.
Companies should carefully assess a request before qualifying it as an excessive request though.
The burden of demonstrating that a request was excessive rests on the organization’s shoulders.
Here are some examples of an excessive request:
- Repeatedly requesting the same thing over and over
- Requesting rectification that was already communicated
- Submitting the same requests through multiple channels
What’s advisable is that a company assesses the request carefully before rejecting it.
It may be good practice to reach out to the data subject in order to clarify the request, or to better scope it in such a way as to eliminate its excessive nature.
If a data subject is unaware of the excessive nature of the request, they may request information in good faith not knowing any better.
Granted, some other individuals may know exactly what they are doing.
Rather than rejecting a request outright, it may be worth considering the option to have the request clarified.
Rectification request impossible to handle or disproportionate
GDPR recognizes that it may be a significant obligation for a company to correct data when a company may have thousands, if not millions, of processes.
Also, the nature of the personal data is quite relevant.
Correcting non-sensitive data versus correcting special categories of data will impose different obligations on a company.
Article 19 GDPR states the following:
“The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it”.
A company may refuse to rectify personal data when it proves to be impossible or involves a disproportionate level of effort.
The burden of proof is on the company to demonstrate that it’s impossible or disproportionate.
Companies should carefully assess the request and make sure they can justify a refusal based on Article 19 GDPR.
Infringement of data subject’s right to rectification
Article 83 GDPR allows the supervisory authorities to issue administrative fines in the event of non-compliance or the infringement of GDPR.
Depending on the nature of the infringement, GDPR classifies it in two categories.
One category is for serious infringements of GDPR, where the fines can reach the greater of €20,000,000 or 4% of a company’s global annual turnover.
The other category is for less serious infringement cases where fines can reach the greater of €10,000,000 or 2% of a company’s global annual turnover.
The violation of Article 16 GDPR having to do with the data subject’s right to rectification is a serious breach under GDPR (Article 83(5)(a) GDPR) exposing a company to GDPR fines in the amount of the greater of €20,000,000 or 4% of a company’s global annual turnover.
Failure to observe GDPR requirements with regard to the response to a data subject exercising his or her right of access under Article 12 GDPR is considered a serious breach of GDPR (Article 83(5)(b) GDPR) and as such will expose the company to fines in the amount of the greater of €20,000,000 or 4% of a company’s global annual turnover.
GDPR Article on right to rectification
Article 16 GDPR is the article providing data subjects with the right to rectify, correct or complete their personal data.
In summary, the right to rectification means:
- A person can request that personal data held about them be rectified
- A person can complete incomplete records of a company
- A person can make the request verbally, electronically or by letter
- A company must provide an explanation of what records were corrected and what was not
- A company must respond without undue delay but should not take more than one month to respond