As laid down in Article 16 GDPR, data subjects hold the right to have their personal data rectified (see the section “Right to Rectification” in the “Rights” part of these Guidelines). This is particularly relevant in the case of IoT, since any inaccuracy in the collected data might have dramatic consequences in terms of profiling (see the “human agency” section in this part of the Guidelines). Indeed, “IoT developers face a significant challenge to curate and update their datasets to meet this requirement. Verification of user identity is critical to ensure accuracy, particularly when multiple people can potentially use the same device.”^[1] The main problem here is that data are often stored in different servers and the IoT developers are not always aware of the existence of some concrete backup copies. This should be carefully examined in the contracts between controllers and joint-controllers or processors.

Controllers are obliged to communicate the rectified data to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. Controllers could hardly argue that the sharing information and storage system is too complex to ensure rectification to avoid this requirement.
 

References

¹Wachter, Sandra, (2018) The GDPR and the Internet of Things: a three-step transparency model, Law, Innovation and Technology, 10:2, 266-294, DOI: 10.1080/17579961.2018.1527479. ↑