Right to Rectification: How to Handle Requests to Correct Personal Data
Guide to the right to rectification under GDPR Article 16. When individuals can request correction of inaccurate data, how to respond, and your obligations across jurisdictions.
Last updated: 2026-03-22
Someone Says Your Data About Them Is Wrong
The right to rectification is one of the most straightforward rights in data protection law. If you hold inaccurate personal data about someone, they can ask you to fix it. If their data is incomplete, they can ask you to complete it. That is essentially the entire right in two sentences.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
But straightforward does not mean simple to implement. Rectification requests raise practical questions that trip up businesses: How do you verify that the "correction" is actually correct? What about opinions -- can someone demand you change a performance review? And what happens to the incorrect data you already shared with third parties?
This guide covers how the right to rectification works under GDPR, CCPA, and PIPEDA, walks through the practical workflow for handling requests, and explains the edge cases that cause the most confusion.
What the Right to Rectification Covers
GDPR Article 16 states:
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
The article goes on to add a second element:
Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
So there are two distinct aspects to rectification:
1. Correction of Inaccurate Data
If personal data you hold is factually wrong, the individual has the right to have it corrected. Common examples:
- Wrong postal address or email address
- Incorrect date of birth
- Misspelled name
- Wrong employment dates or job title
- Incorrect account balance or transaction history
- Outdated marital status or nationality
The standard here is factual accuracy. The data is either correct or it is not, and if it is not, you fix it.
2. Completion of Incomplete Data
If personal data is accurate but incomplete in a way that is misleading or inadequate given the purpose of processing, the individual can request that it be supplemented. This can be done either by adding the missing information or by attaching a supplementary statement.
Example: An employer's records show that an employee was subject to a disciplinary investigation, but do not record the outcome -- that the employee was cleared of all allegations. The employee can request that the outcome be added to make the record complete.
Example: A medical record notes a diagnosis but omits relevant context about the circumstances. The patient can request a supplementary statement be added.
No Grounds Required
Unlike some other data subject rights (such as erasure, which requires one of six specific grounds), rectification is unconditional. The individual does not need to provide a reason beyond "this data is wrong" or "this data is incomplete." If they can demonstrate inaccuracy or incompleteness, you must act on it.
This makes rectification one of the easiest rights to exercise and one of the hardest to refuse. There is no balancing test, no legitimate interests assessment, and no list of exemptions to work through. Wrong data gets fixed.
The Tricky Question: What About Opinions?
This is where rectification gets interesting. Personal data does not only include facts -- it also includes opinions about the individual. Performance reviews, risk assessments, customer notes, and subjective evaluations are all personal data.
But can someone demand you change an opinion?
The ICO's Position
The UK's Information Commissioner's Office has provided clear guidance on this: opinions are not "inaccurate" in the factual sense. An opinion is someone's subjective view, and the fact that the data subject disagrees with it does not make it inaccurate.
However, the ICO distinguishes between two scenarios:
- An opinion presented as fact -- if a performance review states "this employee has poor attendance" but their attendance record shows zero absences, the factual claim is wrong and should be corrected, even though it appears in a subjective document.
- A genuinely subjective opinion -- if a manager writes "I have concerns about this employee's communication skills," the employee cannot demand that this opinion be changed. But they can request that a supplementary statement be added noting their disagreement.
Practical Approach
When you receive a rectification request about an opinion:
- Check whether the opinion contains factual claims. If so, verify those facts and correct any that are wrong.
- If the opinion itself is purely subjective, you are not required to change it, but you should offer to add a supplementary note recording the individual's disagreement.
- Document your reasoning either way.
Verifying the Correction
Here is something many businesses overlook: you have both a right and a duty to verify that a requested correction is actually correct before making it. Article 16 gives individuals the right to have inaccurate data corrected -- it does not require you to accept every correction request at face value.
When Verification Is Straightforward
For many corrections, verification is simple:
- Change of address: Ask for a utility bill or official document showing the new address.
- Name change: Ask for a deed poll, marriage certificate, or other legal documentation.
- Date of birth error: Ask for a passport or birth certificate.
- Wrong email address: Send a verification email to the claimed correct address.
When Verification Is More Complex
Some corrections are harder to verify:
- Employment dates or history: You may need to check your own records and compare with the individual's claim.
- Transaction history: Cross-reference with your financial records.
- Health or medical data: You may need input from the relevant healthcare professional.
The Rule of Thumb
The level of verification should be proportionate to the significance of the correction and the sensitivity of the data. Correcting a misspelled surname requires less verification than changing a date of birth in a financial services context.
Do not use verification as a stalling tactic. If the correction is obviously right (you misspelled their name), fix it without demanding three forms of ID. But equally, do not make corrections blindly -- especially to data that affects legal rights, financial records, or official documents.
Timeline for Responding
GDPR and UK GDPR
You must respond to a rectification request without undue delay and in any event within one calendar month of receiving the request (Article 12(3)). This is the same timeline that applies to access requests and other DSARs.
If the request is complex or you have received a large number of requests, you can extend by up to two additional months (three months total). If you extend, you must notify the individual within the first month, explaining the reason for the delay.
CCPA / CPRA
Under the CPRA amendments to the CCPA, businesses must respond to a request to correct inaccurate personal information within 45 calendar days (Cal. Civ. Code Section 1798.106, read with Section 1798.130(a)(2)). This can be extended by an additional 45 days (90 days total) with notice to the consumer.
PIPEDA
Under PIPEDA Principle 9.5, organizations must investigate a challenge to accuracy "with due dispatch" and amend the information as appropriate. There is no fixed deadline in the same way as GDPR, but the Office of the Privacy Commissioner of Canada expects organizations to act promptly -- generally within 30 days.
Your Obligation to Notify Third Parties
This is the part that catches many businesses off guard. Under GDPR Article 19:
The controller shall communicate any rectification of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
This means that if you corrected data that you had previously shared with third parties -- partners, processors, service providers, other controllers -- you must inform them of the correction so they can update their records too.
What This Looks Like in Practice
- Check your records for who you disclosed the data to. If you maintain a proper data inventory, this should be straightforward. If you do not, this is a good reason to start.
- Contact each recipient and inform them of the correction.
- Document the notifications you sent.
- Tell the individual which recipients you notified (they have the right to ask under Article 19).
The "Disproportionate Effort" Exception
You do not have to notify recipients if doing so is impossible or involves disproportionate effort. But this exception is narrow. "We do not know who we shared the data with" is not disproportionate effort -- it is poor record-keeping, and a regulator is unlikely to be sympathetic. The exception is more relevant in cases where data was made public (posted on a website, for example) and notifying every person who may have seen it is genuinely impractical.
CCPA: The Right to Correct Inaccurate Personal Information
The California Privacy Rights Act (CPRA), which amended the CCPA effective January 1, 2023, added a right to correction that did not exist in the original CCPA. Under Cal. Civ. Code Section 1798.106:
A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
Key Features of the CCPA Right to Correct
- Applies to all personal information the business maintains about the consumer -- no legal basis restriction like GDPR portability
- Verification required -- businesses must verify the identity of the consumer making the request
- Must use commercially reasonable efforts to correct the information in their systems
- Must instruct service providers and contractors to make the same corrections
- The consumer may need to provide documentation supporting the correction -- the CCPA regulations allow businesses to request this
- Timeline: 45 days, extendable to 90
Differences From GDPR Rectification
The CCPA right to correct is broadly similar to GDPR Article 16, but there are a few differences:
- CCPA explicitly allows businesses to require documentation supporting the correction
- CCPA requires businesses to use "commercially reasonable efforts" to correct, rather than an absolute obligation
- CCPA does not include the separate concept of "completing" incomplete data with a supplementary statement
PIPEDA: Principle 9.5
Under PIPEDA Principle 9.5, when an individual "successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required." If the organization disagrees with the challenge, it must record the substance of the unresolved challenge and, where appropriate, transmit the existence of the challenge to third parties with access to the information.
This is functionally similar to the GDPR approach, including the requirement to note disagreements and to inform third parties.
Practical Workflow for Handling a Rectification Request
Here is the step-by-step process for responding to a rectification request. For general DSAR handling procedures, see our guide to responding to DSARs.
1. Receive and Log the Request
Record when you received the request and start the deadline clock. The individual does not need to use the word "rectification" -- any request to correct or update personal data qualifies. Requests can arrive by email, letter, phone, or any other channel.
2. Verify the Requester's Identity
Before making any corrections, confirm that the request is coming from the person the data is about (or their authorized representative). Use proportionate identity verification methods.
3. Assess the Accuracy Claim
This is the critical step. Review the data the individual says is inaccurate and determine whether they are right:
- Compare the existing data with the correction requested
- Check your sources -- where did the original data come from?
- Request evidence if necessary -- ask the individual to provide documentation supporting the correction
- Consult relevant colleagues -- if the data was recorded by a specific team member, ask them about it
- Consider whether it is a fact or an opinion -- apply the fact/opinion distinction discussed above
4. Make the Correction (or Refuse)
If the data is genuinely inaccurate, correct it in all systems where it is held. Do not just update the primary database and forget about copies in email, backups, paper files, or third-party systems.
If you believe the data is accurate and the correction is not warranted:
- You can refuse the request
- You must explain to the individual why you are refusing
- You should offer to add a supplementary note recording their disagreement
- Inform them of their right to complain to the supervisory authority (ICO in the UK, relevant DPA in the EU)
5. Notify Third Parties
If you corrected the data, identify everyone you shared it with and notify them of the correction (Article 19). Document the notifications.
6. Respond to the Individual
Send a response to the individual confirming:
- What correction was made (or why it was refused)
- That third parties have been notified (or why they were not)
- Their right to complain to the supervisory authority if they are not satisfied
Respond within the applicable deadline (one month under GDPR, 45 days under CCPA).
7. Update Your Records
Log the request, your investigation, the outcome, and any notifications sent to third parties. Good record-keeping is essential both for demonstrating compliance and for handling any future disputes about the same data. See our guide on DSAR record-keeping.
When You Can Refuse a Rectification Request
You can refuse if:
- The data is accurate -- if you have verified the data and believe it is correct, you can refuse the correction. But you must explain your reasoning and offer to add a note recording the disagreement.
- The request is manifestly unfounded or excessive -- under Article 12(5), you can refuse (or charge a fee) if the request is clearly without basis or is repetitive. The bar for this is high.
- You cannot verify the requester's identity -- if you cannot confirm that the person making the request is the data subject, you should not make the correction.
In every case of refusal, you must:
- Inform the individual of the reasons for refusal
- Inform them of their right to complain to the supervisory authority
- Inform them of their right to seek a judicial remedy
Common Scenarios
Customer Updates Their Address
A customer emails to say their address on file is wrong. This is the simplest rectification scenario. Verify their identity (matching their email address to the account may be sufficient), update the address in your CRM and all other systems, and confirm the change. If you had shared the old address with delivery partners or other processors, notify them.
Employee Disputes Performance Review Content
An employee says their annual review contains factual errors -- for example, it states they missed three project deadlines when they actually missed one. Check the project records. If the review contains verifiable factual errors, correct them. If the employee disagrees with subjective assessments ("lacks leadership potential"), explain that this is an opinion, not a factual claim, and offer to add their rebuttal as a supplementary statement.
Former Customer Requests Date Correction on Financial Records
A former customer says their account opening date is wrong in your system. This matters because it affects regulatory reporting. Verify the correct date against original documentation (application forms, contracts). If the date is wrong, correct it and notify any regulatory bodies or partners you reported the incorrect date to.
Individual Disputes Data Obtained From a Third Party
You hold data about an individual that you obtained from a data broker, and the individual says it is wrong. You need to verify the claim, but you also need to consider your source. If the data came from a third party, correcting it in your system does not fix the source. You should correct your own records and inform the individual that the original source may also hold incorrect data, so they may want to contact them separately.
Record-Keeping Best Practices
Every rectification request should result in a record that includes:
- Date received and how the request was submitted
- Identity verification method and outcome
- The data in question -- what was alleged to be inaccurate
- Your investigation -- what you checked and what you found
- The outcome -- what was corrected, what was refused, and why
- Third-party notifications -- who was notified and when
- Response sent to the individual -- date and content
- Any supplementary statements added
This documentation protects you if the individual complains to a regulator or challenges your decision. It also helps you track patterns -- if you are receiving multiple rectification requests about the same data field, that suggests a systemic data quality issue worth investigating.
References
- GDPR Article 16: Right to rectification.
- GDPR Article 19: Notification obligation regarding rectification or erasure.
- GDPR Article 12: Transparent information, communication, and modalities.
- ICO: Right to rectification guidance.
- CCPA / CPRA: Cal. Civ. Code Section 1798.106 -- Right to correct inaccurate personal information.
- PIPEDA: Principle 9.5 -- Challenging compliance.
Last reviewed: March 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.