21# Data Subject Rights – The right to rectification

Welcome back to our series on GDPR Requirements and our posts on data subject rights in these last days of 2022! Last week, we discussed the right to access – the obligation to confirm if and how the data subject’s personal data is processed, and to provide the data subject with a copy of their data. Today, we’re moving on to the right to rectification which entails that the data subject shall have the right both to rectify inaccurate personal data as well as have incomplete personal data completed.

At the data subject’s request, you as the controller should assess if the data is accurate, let the individual know if you’re satisfied with the accuracy of the personal data, whether it’s to be amended and inform the data subject of their right to lodge a complaint to the relevant supervisory authority and seek to enforce the rights through a judicial remedy. This should be done without undue delay and within one month. Whether or not the individual has exercised their right to restriction, as a matter of best practice, you’re encouraged to restrict the processing of the personal data while you are verifying its accuracy.

There are also two specific circumstances according to the GDPR where you should tell other organisations about the erasure, rectification or restriction of processing of personal data. The first one is if you have disclosed the data to other recipients. If you have disclosed the personal data to other recipients, you must contact and inform them of any request for rectification, erasure or restriction of processing of the personal data. The objective of this rule is to facilitate the exercise of the data subjects’ rights by removing the need for further communication with the relevant recipients to, for example, erase or restrict the processing of data. However, there are two exceptions to the obligation to notify other recipients about the request, namely if it proves impossible or involves a disproportionate effort for you to contact the recipients.

• ‘Impossibility’ refers to that there is at least one factor that absolutely prevents you from contacting the recipients. For example, this might be the case if the recipient is not reachable or no longer exists and has no legal successor. Generally, there is no degree of impossibility, it is either impossible or not.
• Relying on ‘disproportionate effort’ implies weighing the interest between you, the controller, and the impact and effect on the data subjects – the individual’s interest regarding their privacy, and the controller’s burdens and efforts, financial and time investments. Remember that this should be a case-by-case assessment.

In addition to the above, if you are asked to, you must also inform the data subject about those recipients to whom their personal data have been disclosed.

When responding to a ‘right to rectification’ request, DPOrganizer’s tool makes it easy by having your processing operations mapped, which would be a time-saver in identifying what data are processed, where, and how. You can also create a case and have a case log readily available for responding to the request. Don’t hesitate to contact our Professional Service team if you have any questions about responding to data subject requests – or anything else for that matter! Meanwhile, you can learn more about the right to rectification in the WP29 Guidelines and the ICO Guidelines on the matter.

Thank you for taking part in this post. Next time, we’re going to dig deeper into the right to erasure – also known as “the right to be forgotten”. Until then, happy new year!