The right to rectification

Data subjects have the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.

How quickly is the controller required to reply to the data subject’s request?

The controller must respond to the data subject without undue delay and no later than one month after receiving the request. In the reply, the controller shall indicate the measures it has taken in response to the request.

If the requests are numerous or complex, the controller can reply that it needs more time to process them. In such cases, the deadline can be extended by a maximum of two months. Justifications must be provided for the extension.

If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.

Is it possible to charge the data subject a fee?

As a rule, the exercise of rights is free of charge.

If the data subject’s requests for rectification are manifestly unfounded or excessive, the controller can either charge a reasonable fee or refuse the request.

Requests can be considered manifestly unfounded or excessive particularly if they are made repeatedly. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.

The administrative costs of supplying the information or messages or carrying out the requested measure must be taken into account when determining the amount of any fee.

Can the request be refused?

The controller is responsible for ensuring that the data processed by it is accurate and updated when necessary. The controller must take every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

When a request for the rectification of data is made by a data subject, the controller must evaluate whether the data in question is incomplete or inaccurate with regard to the purposes of processing.

If the controller finds that, despite the views of the data subject, the data is not inaccurate with regard to the purposes of processing, it does not have to rectify the data. In such cases, the controller must reply to the data subject with a justified reason for not rectifying the data, and the data subject can then refer the matter to the Data Protection Ombudsman.

If the controller does not consider rectifying the data in the form suggested by the data subject to be justified, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, for example by providing a supplementary statement.

If the data subject’s requests are manifestly unfounded or excessive, the controller can either refuse the request or charge a reasonable fee for fulfilling it.

If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.

In addition, it is possible to derogate from the right to access data under certain conditions in connection with carrying out scientific or historical research or preparing statistics.

Further information about derogating from the rights of the data subjects

Inform recipients of the rectification of personal data

Where viable, the controller must inform each recipient to whom the personal data has been disclosed of the rectification of the personal data. The controller is required to notify the data subject of these recipients if so requested by the data subject.

Confirming the identity of the data subject

The controller must be able to confirm the identity of the data subject exercising his or her data protection rights. If the controller has reasonable doubts concerning the identity of the person who made the request, it can request the provision of additional information necessary to confirm his or her identity.

The GDPR does not specify the methods of confirming the data subject’s identity. Many controllers already have suitable procedures in place. For example, the controller may have verified the data subject's identity before entering into the agreement or obtaining consent for the processing. This personal data can then also be used to confirm the data subject's identity in connection with fulfilling the rights of the data subject.

If the controller requests additional information for confirming the data subject’s identity, this must not result in unreasonable demands or in the collection of personal data that is not relevant or necessary.

If the controller is unable to identify the data subject, it must notify him or her of this if viable.

If the controller refuses the data subject’s request due to not being able to identify the data subject, it must demonstrate that it is unable to confirm the identity of the data subject.

If the data subject cannot be identified, he or she cannot exercise the right

  • of access to data
  • to rectification of data
  • to erasure of data
  • to restrict the processing of data or
  • to data portability.

The data subject can provide additional information for the purposes of identification, however.

When is confirming the data subject's identity not necessary?

Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.

If the personal data that permits the identification of the data subject is not necessary for the purpose of processing, the GDPR does not obligate controllers to keep, obtain or process such additional data solely for the purpose of compliance with the GDPR.

Read more:
GDPR: Articles 16 and 19 (EUR-Lex)