As laid down in Article 16 GDPR, data subjects hold the right to have their personal data rectified. Such right derives from the need to ensure the accuracy of personal data (see the “Accuracy” subsection in the Principles section of the General Part of these Guidelines) and, consequently, a higher level of protection for data subjects[1]. Personal data are inaccurate, insofar as they are incorrect, incomplete and/or misleading[2]. In other words, they misrepresent the reality. Accordingly, the right to rectification only deals with objective and factual data, including the spelling of the research participant’s name.
When it comes to value judgements that are fact-related (e.g., the personal evaluation of a research participants based on their life conditions), controllers must perform a balancing test (see “Balancing test” subsection in the “Main Tools and Actions” Section of these Guidelines) in between their freedom of expression and the data subjects’ right under scrutiny. The aim of the balancing is to understand whether a rectification is reasonable for the controller and necessary for the data subjects. For example, whenever the value judgement results in anincorrect impression of the data subjects that can be proven, the interest of the data subjects will prevail[3].
The request can be made in writing or orally. As regards its essence, it will sometimes be sufficient for the data subject to simply request rectification, such as in the case of misspelling. It is nonetheless the case that the controller might request proof of the inaccuracy, without placing an unreasonable burden of proof on the data subjects and thereby refraining their from exercising the right under scrutiny[4].Moreover, it is important to emphasize that any addition of information must be necessary for the purpose(s) of the processing and the controller’s effort must be proportionate in the specific context situation[5]. As a matter of good practice, the controller should restrict the data processing, while verifying the accuracy of the information[6].
A data subject can only exercise the right to rectification for its own information, given that Article 16 GDPR does not grant a right relating to the rectification of personal data of a third party. This means that the scope of the data subject’s right is constrained, whenever personal data also related to other individuals (e.g. relationship with another person)[7].
Checklist for complying with a rectification request:Is the exercise of the right to rectificationcompliant with the GDPR? ☐ Did you receive a rectification request from a legal entity? If yes, please indicate that the request was not lodged by an individual; ☐ Have the data subjects correctly identified themselves? If not, please ask for further information to confirm identity; ☐ Can the request be fulfilled within one month? If no, please inform why and how long will it take to process the request? ☐ Do you need a proof of inaccuracy or additional information to rectify the data? If yes, please ask for further information to the data subject. Remember not to place an unreasonable burden of proof on the data subject ☐ The request needs to be fulfilled. How to further comply with all the GDPR obligations: ☐ Communicate the data to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. |
References
1Recital 65, GDPR and Article 5.1 (d) GDPR ↑
2Information Commissioner’s Office (ed.), op. cit., pp. 115-116 ↑
3P. Voigt & A. von demBussche, op. cit., p. 155 ↑
4Fundamental Rights Agency (ed.), op. cit., p. 220 ↑
5P. Voigt & A. von dem Bussche, op. cit., p. 156 ↑
6Information Commissioner’s Office (ed.), op. cit., p. 115 ↑
7P. Voigt & A. von dem Bussche, op. cit., p. 155 ↑