Exercise Your Rights – Article 16 GDPR – Correct inaccurate data!

Have you ever received a gym membership card or payslip with your name misspelled? Has an organisation tried to contact you at the incorrect address? If companies or other entities use or keep information about you, then the GDPR gives you a right for that information to be accurate and up to date; it also gives you the right to rectify it if it is not.

Read on to find how you can rectify your inaccurate data…

Your Right to Rectification

What is inaccurate data?

Any information that is objectively not correct (an email address, a name, your date of birth,…). Other subjective information and opinions like the grades on an exam, or your performance report at work, can therefore not be rectified.

Correcting accurate data is particularly important where an entity uses that information to make significant decisions about you, whether it is used as an isolated decision-making factor or in consideration with other categories of your personal data.

Step 1: How to contact the controller

Step 2: Drafting your Request

Step 3: Controller Reply

Step 4: What can I do if I am unsatisfied with the controller’s response?

What does it mean to “rectify” my data?

“Rectifying” data generally means replacing incorrect data with the correct information. This can also include correcting an incomplete data set by updating it with the missing information.

The controller should also contact each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate efforts. For example, if your gym gave your data to commercial partners to offer you discounts on gym equipment, they should inform them of the correction of your data.

Rectification does not mean removing or deleting data. Removal or “erasure” of data is dealt with by another part of the GDPR.

Can I request rectification in all cases?

Some exemptions exist, depending on the country. The most common exemptions exist in the field of law enforcement and police, national security, or taxation.

The controller can also refuse to rectify your data if the request is excessive (eg several similar requests on the same matter) of manifestly unfounded (eg with the intention of causing disruption).

Is it free ?

Yes! The controller must rectify your data free of charge, unless your request is excessive or manifestly unfounded. In this case, the controller can charge a reasonable fee for the administrative costs of handling your request.

How do I exercise this right? Making a data rectification request

Step 1: How to contact the controller

Your request to rectify your data should be addressed to the controller (the organisation/entity/administration/company processing your data).

Your request can be done by email, letter, fax or through a form, as long as you have a written record of the request.

The relevant email address can usually be found in the “privacy policy” or “contact us” section of the controller’s website. It will generally have a name like privacy@company.com or legal@publicauthority.eu. If this is difficult to find, or if there is no specific address to which you can send your request, that’s the fault of the controller, not yours - the GDPR requires controllers to make this information easily accessible. Where there is no specific email address, you can use the general contact details of the controller.

Step 2: Drafting your Request

Inform the controller that you are asking to the rectification of your data and ask a confirmation that the controller has rectified it.
Specify your name or other identifier used by the controller (eg an account username). To help the controller address your request more efficiently, include some information that would help to identify your account, such as your phone number (if you gave it when you signed up), username or account name, or IP address. This will be particularly helpful if you have a common first name and surname.
Specify the data that is incorrect and what should replace it (eg “the telephone number you have on file for me is 1234568; this should be 1234567”.) If information is missing, then specify which information is missing (eg your date of birth). If necessary, attach proof of the new information to be replaced or complemented (an invoice, a new registration document within your city).
If the controller has disclosed the inaccurate data to other parties (known as “recipients”), ask the controller to inform any recipients of the personal data about the rectification. (Want to find out who these recipients are? See Access your Data).
Include the date in the text if you put your request in an attachment to the email or in a letter. This clarifies the controller’s deadline for providing the information.
Specify how you would like to receive the information (eg electronically, via an email address).
You can ask the controller to confirm that they will refrain from processing the contested data while they are handling your request. In such a case, specify that you want to exercise your right of restriction of your data under Article 18(1)(d) GDPR.

If you prefer, you can also use the tools provided by mydatadoneright.eu. Their system will write and send the access request for you. Your Data Your Rights also has a sample draft of a letter requesting rectification.

Step 3: Controller Reply

Once the controller receives your request, they have one month to respond. This period can only be extended once by a maximum of two further months, in cases of complex or multiple requests.

The controller can ask you additional information to confirm your identity in case of doubt. However, such a request should be limited to the additional information necessary to confirm who you are. The additional information cannot be disproportionate, having considered the context of the processing of your data (eg a shop asking you for a copy of your passport to change the address of a loyalty card would be disproportionate).

Generally, this information must be provided to you in writing, but it can be communicated to you via electronic means such as email, or it can be provided orally if you request it.

Step 4: What can I do if I am unsatisfied with the controller’s response?

If the controller:

rejects your request without a satisfactory explanation,
tries to unjustifiably charge you for your request,
does not:
- inform you of the rectification,
- restrict the processing while handling your request (if you asked of it),
- respond after a month or (an extended period of maximum 3 months),

you are entitled to file a complaint with a data protection authority (eg the DPA where you live or work), and the controller should inform you about that.

If you need assistance in assessing the legal elements of a controller’s reply, you can contact us at info@noyb.eu to discuss further steps.

Back to Exercise Your Rights

Support us!

noyb funding goal

73.29 %

Invest in privacy!

Follow us!

Media Coverage

Apple hits back at European activist complaints against tracking tool

An Austrian privacy advocacy group drew a strongly critical response from Apple on Monday after it said an online tracking tool used in its devices breached European law.

101 Unternehmen leiten noch immer Daten an die USA weiter

Der Datenschutz-Verein noyb brachte 101 Beschwerden gegen den Datentransfer in die USA ein.

ZDF Magazin Royale vom 10. Dezember 2021

Expertentalk mit Datenschützer und Facebookbezwinger Max Schrems

Irish regulator proposes 36 mln euro Facebook privacy fine - document

The complaint, lodged by Austrian privacy activist Max Schrems, concerned the lawfulness of Facebook's processing of personal data, specifically around its terms of service.

DPC seeking penalty of up to €36m against Facebook

The Data Protection Commission (DPC) has suggested a penalty of between €28 million and €36 million for Facebook in a draft decision made against the company. Austrian privacy and data rights campaigner Max Schrems’s NOYB organisation, which filed the original complaint against the technology giant, has published the commission’s draft decision online.