1. what is the right of rectification?
The data subject shall have the right to obtain from the controller the rectification and/or completion of inaccurate and/or incomplete personal data concerning him or her.
This right is closely related to the right of access under Art. 15, since without the right of access, the data subject cannot exercise his or her right of rectification.
2 Two components of the right of rectification
The right to rectification has two components:
I. Correction of incorrect data
"Inaccurate" data is data that is inaccurate in content and therefore does not correspond to reality. Some examples are change of name or address, wrong telephone number, wrong date of birth. It does not matter whether the data was incorrect from the beginning or whether it became incorrect at a later point in time.
II. Supplementation / completion of incomplete data
Incomplete data is data that is incomplete and therefore the purpose of processing can no longer be achieved.
3. deadline
If the data subject asserts his/her right to rectification/completion, the controller must respond without delay. The term "without delay" does not mean "immediately" in every case, but can also take a little more time depending on the individual case. However, the correction / completion should be made within two weeks of receipt of the request. If the request cannot be completed within this period or if it is incomplete, a fine may be imposed. If the deadline cannot be met, this should be communicated to the applicant, giving reasons and additional information.
4. what to look out for
- Before processing a request from the data subject, his/her identity must be appropriately verified. If the identity cannot be confirmed in an appropriate manner, the data subject must be informed of this and additional evidence must be requested to confirm the identity. If this evidence is not sufficient, the execution of the request may be refused.
- It must also be checked whether the data in question are actually incorrect / incomplete. During this time, it must be ensured that these data are not further processed.
- A request for rectification/completion may also be refused. The applicant must be informed of the reasons for the refusal within one month of receipt of the request. He must also be informed that he has the right to complain to the supervisory authority about this decision or to appeal against it.
- Any modification, processing or deletion of personal data must be documented in order to meet the accountability requirements of the GDPR.
