GDPR Article 16: Right to Rectification — Compliance Guide
GDPR Article 16 requires organizations to correct inaccurate personal data and complete incomplete records upon request from data subjects. Failing to establish a rectification process exposes you to regulatory fines and erodes customer trust. Learn how to build a compliant process that handles data correction requests efficiently.
What this means
Data subjects have the right to request correction of inaccurate personal data and completion of incomplete information held by your organization. You must implement a documented process to handle these requests without undue delay—typically within 30 days. This applies to all personal data you process, regardless of how it was collected. The rectification right is distinct from erasure; it focuses on accuracy and completeness rather than deletion.
How to comply
- 1.Document a formal process for receiving and managing rectification requests from data subjects (email, web form, support portal)
- 2.Define 'undue delay' in your internal policy—establish a 30-day response target aligned with broader GDPR timelines
- 3.Train staff on data subject request procedures, including how to verify identity and accept requests across all communication channels
- 4.Create a data inventory mapping where personal data is stored and who owns each dataset to enable quick location of inaccurate records
- 5.Implement a review procedure to assess whether data is genuinely inaccurate or incomplete before making changes
- 6.Establish a correction workflow that updates inaccurate data across all systems and notifies third parties where legally required
- 7.Maintain audit logs of all rectification requests, decisions, and actions taken for evidence of compliance
- 8.Communicate outcomes to the data subject in writing, including confirmation of corrections made or reasons for refusal
Evidence auditors look for
- Documented rectification request policy and procedure manual
- Data subject request form or intake template with date-received timestamp
- Internal decision log showing assessment of accuracy claims and actions taken
- Audit trail or system logs proving data was corrected across all processing systems
- Written notification to data subject confirming rectification completed within 30 days
- Records of third-party notifications when data was shared and has been corrected
- Staff training records demonstrating team understands rectification obligations
- Data inventory or mapping document linking datasets to responsible parties
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates data subject request intake, tracks rectification workflows across your systems, and generates audit-ready evidence of corrections—eliminating manual tracking and ensuring you never miss the 30-day deadline.
See how GRCWatch handles this control automatically
Start free trial