Right to Rectification GDPR: Guide for Data Controllers

What does the right to rectification require under GDPR?

The right to rectification under GDPR Article 16 requires data controllers to correct inaccurate personal data and ensure incomplete personal data is completed without undue delay. For any organisation processing EU residents’ personal data, understanding and implementing compliant rectification procedures is a core legal obligation, not an optional add-on. It directly affects data quality, individual rights, and regulatory risk.

Individuals can request the rectification of inaccurate personal data, and this right is also defined in Article 16 of the UK GDPR. Data controllers must respond to requests within one month, correcting factual errors or completing incomplete data, including by means of a supplementary statement. This guide covers the legal framework, how to handle requests operationally, response timelines, third-party notification duties, and how to navigate common compliance challenges, including the landmark CJEU Deldits (C-247/23) ruling.

What is the legal basis for the right to rectification?

Article 16 GDPR grants every data subject the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning them. This right is closely linked to the accuracy principle in Article 5(1)(d), which requires that personal data must be accurate and, where necessary, kept up to date. The same link exists under Article 5(1)(d) of UK GDPR, meaning controllers operating under both frameworks must take every reasonable step to erase or rectify inaccurate or incomplete data without delay.

This is not a procedural formality. Inaccurate stored data can lead to flawed decision-making, discrimination, financial loss for individuals, and significant regulatory penalties for controllers.

What counts as inaccurate personal data?

Inaccurate data under GDPR refers to any personal data that is factually wrong. Common examples include misspelt names, incorrect dates of birth, outdated addresses, or wrong account numbers. Organisations should verify the accuracy of data if challenged by individuals, assessing the information against evidence provided and the context in which it is processed.

An important nuance: opinions and subjective assessments are generally not considered inaccurate under the Data Protection Act or GDPR unless they are based on demonstrably false facts. A case officer’s note that a customer “seemed dissatisfied” is an opinion, and ICO guidance makes clear that such opinions are unlikely to qualify as inaccurate unless the underlying facts are wrong. However, controllers should be especially careful when opinions influence significant decisions about individuals, such as credit assessments or employment evaluations.

The standard for accuracy also depends on purpose. If data is used for identification, for instance in public registers, the threshold for what counts as correct information is higher. The CJEU confirmed this in the Deldits case (C-247/23, decided March 2025), holding that gender identity data in an asylum register must reflect a person’s lived identity when the data serves an identification purpose.

What counts as incomplete personal data?

Data is incomplete when essential elements are missing in a way that prevents the processing from achieving its purpose or leads to misleading outcomes. Examples include missing middle names, absent previous legal names, or partial addresses. GDPR explicitly provides the right to have incomplete data completed, including by means of a supplementary statement.

The relationship between incomplete data and the data minimisation principle matters: while controllers should collect only the data necessary for the intended purpose, any data collected must be sufficiently complete to fulfil that purpose fairly. When an individual identifies that their record is incomplete, the controller must assess whether the gap materially affects processing and, if so, take action to complete the record.

How should organisations handle rectification requests in practice?

Requests can be made verbally or in writing without specific wording. There is no requirement for a formal template or specific language, which means an informal email, a phone call to customer support, or a message through a web form can all constitute valid requests.

What makes a rectification request valid?

A rectification request is valid when it clearly identifies the person making it, specifies which data is inaccurate or incomplete, and indicates what the correct information should be. The individual making the request does not need to use the phrase “right to rectification” or cite GDPR article numbers.

Training for customer-facing staff is essential, since front-line teams in customer service, HR, or branch offices are often the first to receive these requests. According to ICO guidance, organisations should have clear policies for recording verbal requests, including what was asked, when, and by whom. Every request should be logged with the date of receipt, a description of the claimed inaccuracy, and any supporting evidence provided.

When can organisations verify identity before acting on a request?

Controllers may verify the data subject’s identity before acting on a request, but only when there are reasonable doubts about the person’s identity. Verification must be proportionate; excessive identity checks that delay or discourage legitimate requests can themselves become a compliance issue.

If identity cannot be confirmed, the controller may pause the process until verification is obtained, but must promptly inform the individual of any additional information needed and why. The response timeline effectively pauses until identity is confirmed.

The CJEU’s ruling in Deldits (C-247/23) is instructive here. The Court held that requiring proof of surgery as a condition for rectifying gender identity data in a public register was disproportionate, and that medical certificates from relevant specialists were sufficient. Evidence required must be “relevant and sufficient” in light of the circumstances, not maximally invasive.

How should organisations assess a rectification request?

Once identity is confirmed and the request is logged, the controller must evaluate the claim. This involves:

Retrieving the current stored data and reviewing its context.

Examining the evidence submitted by the data subject. Individuals can provide supporting documentation to speed up rectification requests.

Considering the purpose of processing and whether the alleged inaccuracy materially affects outcomes.

Documenting the assessment: what evidence was reviewed, what was accepted or rejected, and why.

Where evidence is conflicting, or a dispute cannot be resolved, options include adding a supplementary statement to the record noting the data subject’s position, or restricting processing until the matter is settled. Document all rectification requests and responses for accountability; this record is critical if a supervisory authority or court later reviews the decision.

What is the step-by-step process for handling a rectification request?

A systematic, documented approach to rectification ensures consistency, reduces risk, and makes compliance auditable. Below is a recommended process aligned with GDPR Articles 12, 16, and 19.

What is the response timeline for rectification requests?

Respond to rectification requests within one month. Personal data must be accurate and up to date, and data controllers must rectify inaccuracies without delay. The one-calendar-month deadline runs from the date the request is received. If the deadline falls on a public holiday or weekend, the last day for response is the next working day. You cannot charge a fee for rectification requests in most cases; a reasonable fee may apply only in limited circumstances, such as when a request is manifestly unfounded or excessive.

You can extend the response time by two additional months for complex requests. Still, you must inform the individual within the first month and explain why the extension is needed.

The recommended workflow:

1. Acknowledge receipt within a reasonable timeframe (same day recommended). Log the date, the individual making the request, and the nature of the claimed inaccuracy or incompleteness.

2. Verify identity if necessary. Pause the timeline until confirmation is received, but communicate promptly about what is needed.

3. Assess data accuracy and completeness against available evidence. Consider the purpose of processing and the potential impact of the inaccuracy.

4. Implement rectification across all systems where the data is held (CRM, marketing platforms, billing, HR records), or prepare a justified refusal with documented reasoning.

5. Respond to the data subject within one month with the outcome: confirm what was corrected, explain any refusal, and include information about the right to lodge a complaint with a supervisory authority or seek a judicial remedy.

6. Notify third parties of rectifications per Article 19 requirements. Organisations must notify third parties if they have shared corrected data, unless doing so is impossible or would involve disproportionate effort.

Controllers must document any rectification of personal data and maintain an audit trail of every change, notification, and communication.

When should a request be rectified versus refused?

| Situation | Action Required | Communication |
| --- | --- | --- |
| Clear factual error identified | Immediate rectification | Confirm correction and third-party notifications |
| Disputed but unverifiable claim | Add supplementary statement | Explain approach and ongoing dispute notation |
| Manifestly unfounded request | Refusal with documentation | Detailed reasoning and complaint rights |
| Incomplete but purpose-adequate data | Assessment based on processing needs | Explain purpose-based decision |

In most cases, clear factual errors should be corrected promptly and all downstream systems updated. Where disputes concern opinions or subjective assessments, for example an employee contesting a manager’s performance note, the controller is generally not required to remove the opinion but may add a supplementary statement recording the individual’s disagreement. If a request is manifestly unfounded or excessive (for instance, repeated identical requests with no new evidence), the controller may refuse or charge a reasonable fee, but the burden of proving this lies with the controller.

Each case must be assessed individually. Blanket refusal policies risk enforcement action, as the Deldits ruling demonstrated when Hungarian authorities applied a rigid surgery-proof requirement.

What common challenges arise when handling rectification requests?

Even with well-designed procedures, controllers regularly encounter difficult scenarios when processing rectification requests. Below are the most frequent challenges and practical solutions.

When can organisations refuse excessive or repetitive requests?

Controllers may refuse requests that are manifestly unfounded or excessive, for example where a person submits the same request repeatedly without any change in circumstances, or where requests are clearly vexatious. However, the threshold is high. To refuse, the controller must document why the request meets this standard, provide the data subject with detailed reasoning, and inform them of their right to lodge a complaint with a supervisory authority or pursue a judicial remedy. Where exemptions apply, such as for national security or the prevention of criminal offences, controllers must still follow proper procedure and keep records.

How should organisations notify third parties of a rectification?

Under Article 19 GDPR, once rectification is implemented, the controller must inform each recipient to whom the incorrect data was previously disclosed. This is straightforward when data has only been shared with one or two processors, but in complex vendor ecosystems involving marketing platforms, analytics providers, and data brokers, identifying all recipients can be difficult.

Practical strategies include maintaining comprehensive data flow maps, ensuring vendor contracts include cooperation clauses for notification, and documenting when disproportionate effort genuinely applies. If it proves impossible to notify a particular recipient, record the reason. If the data subject asks who received their data, the controller must provide that information.

How should organisations manage rectification deadlines at scale?

Managing the one-calendar-month response window amid high request volumes requires systematic tracking. Best practices include:

Using a centralised log or case management system to record each request, its receipt date, the deadline, and current status.

Flagging requests approaching their deadline for escalation.

Tracking extension requests separately with documented justification.

Ensuring that when a date falls on a weekend or public holiday, the response deadline moves to the next working day.
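The deadline rules above (one calendar month from receipt, roll-over to the next working day, a two-month extension that must be notified within the first month, escalation flags) and the Article 19 recipient look-up from the earlier section lend themselves to a small case-management model. The following Python is an added example written for this guide, not code from the guide's author or from GDPRLocal. The holiday calendar, the five-day escalation window, the data-flow map and the request records are all constructed sample values, and clamping "one month from 31 January" to 28 February is an assumption the guide itself does not spell out.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import calendar

# Constructed sample holiday calendar (assumption; a real system would load the
# relevant national calendar for the controller's jurisdiction).
PUBLIC_HOLIDAYS = {date(2025, 12, 25), date(2025, 12, 26), date(2026, 1, 1)}
ESCALATION_WINDOW = timedelta(days=5)  # assumed internal threshold, not a GDPR figure


def add_months(d: date, months: int) -> date:
    """Same day of the month `months` later, clamped to the last day of that
    month when the day does not exist (assumption: e.g. 31 Jan -> 28 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_working_day(d: date) -> date:
    """Roll a date that lands on a weekend or public holiday to the next working day."""
    while d.weekday() >= 5 or d in PUBLIC_HOLIDAYS:
        d += timedelta(days=1)
    return d


def statutory_deadline(received: date, extension_months: int = 0) -> date:
    """One calendar month from receipt, plus any extension, rolled to a working day."""
    return next_working_day(add_months(received, 1 + extension_months))


@dataclass
class RectificationRequest:
    ref: str
    received: date
    claimed_inaccuracy: str
    identity_confirmed: bool = True      # False only when identity is reasonably in doubt
    extension_months: int = 0
    audit_log: list = field(default_factory=list)

    def log(self, on: date, event: str) -> None:
        """Every change, notification and communication goes on the audit trail."""
        self.audit_log.append((on, event))

    def deadline(self) -> date:
        return statutory_deadline(self.received, self.extension_months)

    def extend(self, on: date, reason: str) -> date:
        """Extend by two months for a complex request; the individual must be told
        within the first month, so an extension raised after the deadline is rejected."""
        if self.extension_months:
            raise ValueError("request already extended")
        if on > self.deadline():
            raise ValueError("extension must be notified within the first month")
        self.extension_months = 2
        self.log(on, f"extended by two months: {reason}")
        return self.deadline()

    def flag(self, today: date) -> str:
        """Escalation flag for the case-management dashboard."""
        if today > self.deadline():
            return "overdue"
        if self.deadline() - today <= ESCALATION_WINDOW:
            return "escalate"
        return "on track"


def recipients_to_notify(data_flow_map: dict, corrected_field: str) -> list:
    """Article 19: every recipient the corrected field was disclosed to, read from
    the data-flow map (constructed structure: recipient -> set of shared fields)."""
    return sorted(r for r, shared in data_flow_map.items() if corrected_field in shared)


# Constructed sample data-flow map for a stand-alone run.
DATA_FLOW_MAP = {
    "crm-vendor": {"name", "email", "postal_address"},
    "billing-processor": {"name", "postal_address", "account_number"},
    "analytics-provider": {"email"},
}

if __name__ == "__main__":
    req = RectificationRequest("RR-0001", date(2025, 1, 31), "postal address out of date")
    req.log(req.received, "request received by customer support (verbal)")
    print("deadline:", req.deadline())                                                # 2025-02-28
    print("extended deadline:", req.extend(date(2025, 2, 14), "multi-system record"))  # 2025-04-30
    print("flag on 2025-04-28:", req.flag(date(2025, 4, 28)))                          # escalate
    print("notify:", recipients_to_notify(DATA_FLOW_MAP, "postal_address"))
```

The two cases worth checking by hand are the ones the guide calls out: a request received on a Tuesday whose month-later date lands on a public holiday followed by a weekend rolls forward to the next working day, and an extension attempted after the first month has already elapsed is refused rather than silently applied.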

For organisations subject to both the EU GDPR and the UK GDPR, local procedural details may differ, particularly as the UK’s Data (Use and Access) Act reshapes certain procedural requirements for individual rights.

What happens when rectification conflicts with other legal obligations?

In some circumstances, rectification requests conflict with legal retention requirements or evidential obligations. A financial institution, for example, may be required by law to retain original transaction records even if the data subject’s personal details have since changed. In such cases, the controller may use restriction of processing as an alternative, marking the data as restricted while retaining the original record, and must explain this approach to the individual.

Where automated decision-making or AI and machine learning models are involved, the challenge deepens. Correcting a person’s base record does not automatically update inferences already embedded in a trained model; that typically requires retraining the model or a feedback loop that propagates the correction through. Machine unlearning research has documented how difficult it is to remove or correct the influence of specific training examples once a model has learned from them. Controllers processing data through AI systems should assess this risk and build correction propagation into their data management practices.

Building a systematic compliance approach, with documented policies, trained staff, auditable systems, and awareness of evolving case law, is the most reliable way to manage these challenges at scale.

Conclusion

Effective rectification procedures protect both individual rights and organisational compliance. The right to rectification lies at the heart of the GDPR’s accuracy principle and applies to every system in which personal data is stored, shared, or processed. Inaccurate data must be corrected within one month of request, third parties must be notified, and every decision must be documented.

To strengthen your rectification compliance:

1. Audit current procedures. Confirm you have a documented process covering receipt, verification, assessment, implementation, notification, and response.

2. Train staff. Ensure customer-facing teams and HR can recognise and log rectification requests, including verbal ones.

3. Implement tracking systems. Use centralised logs to monitor deadlines, extensions, and outcomes.

4. Establish third-party notification processes. Map data flows and maintain up-to-date recipient records.

5. Review evidence requirements. Ensure you are not imposing disproportionate burdens on data subjects, particularly in light of the Deldits ruling.

For related compliance areas, consider reviewing your processes for data subject access requests, the right to restriction, and your broader GDPR compliance framework.

Zlatko Delev

About the Author

Country Manager & Head of Commercial — GDPRLocal

Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.