Overview
This article grants data subjects the right to request prompt correction of inaccurate personal data and the completion of incomplete data. Organizations must ensure that rectification is performed efficiently and, where applicable, allow for supplementary statements to provide additional context or clarification.
Key Principles
Accuracy: Personal data must be accurate and up to date.
Completeness: Incomplete data should be supplemented to reflect the correct information.
Timely Rectification: Organizations must act promptly on rectification requests.
Transparency: Data subjects should be informed of the actions taken to rectify their data.
Organizational Applicability
This article applies to all organizations processing personal data within the EU:
Controllers managing data of EU/EEA data subjects.
Public and private sector entities responsible for maintaining accurate personal data.
Teams handling customer records, employee data, or other personal data repositories.
Implementation Requirements
Implement processes for receiving and validating rectification requests.
Update personal data records to correct inaccuracies or complete missing information.
Allow for supplementary statements where additional context is required.
Maintain records demonstrating that rectification requests have been addressed.
Implementation Guidance
Establish standard procedures or forms for data subject rectification requests.
Train staff to recognize inaccuracies and properly update records.
Notify relevant internal departments to ensure data consistency.
Periodically review rectification procedures to ensure compliance with GDPR.
Periodic Review
Frequency: Annually or upon changes to data processing systems or policies.
Responsible Role: Data Protection Officer (DPO) or Compliance Team.
Outcome: Confirm that personal data is accurate and complete, and that rectification processes are functioning correctly.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover.
Legal Exposure: Complaints or enforcement actions due to failure to rectify data.
Reputational Damage: Loss of trust from data subjects and stakeholders.
Operational Risk: Inaccurate or incomplete data can affect decision-making and compliance.