GDPR Article 16 Explained: The Right to Rectification

The General Data Protection Regulation (GDPR) is one of the most influential privacy laws in the world—designed to put control over personal data back into the hands of individuals. Among its core protections is the Right to Rectification, outlined in Article 16, which ensures that individuals (data subjects) can request corrections to their personal data held by organizations (data controllers). Mistakes in personal information can lead to serious consequences—from denied services to lost opportunities—so the right to rectification plays a crucial role in maintaining fairness, accuracy, and trust in digital ecosystems.


1. What Is the Right to Rectification?

Article 16 of the GDPR states that:

Data subjects have the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay. They also have the right to have incomplete personal data completed, including by providing a supplementary statement.

In other words, individuals can ask companies to:

  • Correct incorrect data
  • Update outdated information
  • Complete missing details that are necessary for processing
  • Remove information that creates inaccuracies

The goal is to ensure that the personal information used to make decisions about a person is both accurate and complete.


2. Why Is This Right Important?

Incorrect personal data can directly impact a person’s life. Examples:

  • A wrong address may result in lost deliveries or legal notices not being received
  • Incorrect medical records can lead to wrong treatments
  • Outdated credit history may cause loan rejections
  • Errors in employment records could affect salary or benefits
  • Incorrect identity details may trigger fraud suspicion

Article 16 ensures individuals can prevent or fix such harms quickly.


3. What Counts as “Inaccurate” or “Incomplete” Personal Data?

Organizations must ensure that personal data is:

  • Accurate – free from errors or false information
  • Up-to-date – regularly verified and updated when necessary
  • Complete – enough information to reflect the person correctly and fairly
  • Not misleading – data gaps should not create wrong assumptions

Data accuracy depends on the purpose of processing. For example:

  • A bank must have up-to-date contact details to send notifications
  • A historical news article may not need its details updated if they reflect the facts at the time

Thus, the context decides whether data is accurate and adequate.


4. Who Must Comply With GDPR Article 16?

The obligation applies to:

  • Public authorities
  • Private companies
  • Non-profits
  • Any organization processing personal data of EU residents

This includes businesses located outside the EU if they offer goods/services to or monitor data subjects in the EU.


5. How Can Data Subjects Exercise the Right to Rectification?

Individuals can make rectification requests:

  • Orally
  • In writing (email, web form, support request)
  • Through self-service tools (e.g., account settings)

Organizations should:

  • Provide a simple and accessible mechanism for requests
  • Verify the requester’s identity to avoid unauthorized changes
  • Confirm the type of data to be corrected and the reason

The company may ask for supporting evidence in cases involving sensitive changes (e.g., legal name update).


6. How Quickly Must Organizations Respond?

The corrections must be made “without undue delay” — typically:

  • Within one month of receiving the request

However:

  • If the request is complex or requests are numerous, the deadline may be extended by two additional months
  • The organization must inform the individual of the extension and justify it

Rectification request handling must be free of charge, unless requests are repetitive or clearly unfounded.


7. Informing Third Parties

When personal data has been shared with other organizations (e.g., partners, data processors), the controller must:

  • Notify all third parties about the rectification, unless impossible or disproportionately difficult
  • Inform the data subject about those recipients upon request

This ensures consistency and prevents further harms caused by inaccurate data.


8. Restrictions and Exceptions

While Article 16 is a strong right, there are limited exceptions:

  1. Freedom of expression and information
    • Journalism, academic or artistic publications may retain original content for legitimate reporting.
  2. Archiving in the public interest
    • Historical records may remain unchanged to preserve accuracy at the time of recording.
  3. Legal compliance
    • Some data cannot be modified due to regulatory requirements (e.g., tax records during retention periods).
  4. When data is not personal data
    • Anonymous or aggregated information is excluded.

If an organization refuses rectification, it must:

  • Provide a justified explanation
  • Inform the individual about the right to complain to a supervisory authority


9. Responsibilities of Data Controllers

To comply with Article 16, controllers must:

  • Implement processes to review and update data accuracy
  • Encourage users to self-check information (e.g., online accounts)
  • Maintain audit trails of rectification actions
  • Train staff on GDPR compliance
  • Include accuracy obligations in data-processing agreements with processors

Keeping data accurate is a proactive responsibility — it cannot rely solely on data subject requests.


10. Article 16 and Relationship With Other GDPR Rights

GDPR Article | Right                | How It Relates
Article 15   | Right of access      | Individuals may discover inaccuracies through access requests
Article 17   | Right to erasure     | If rectification is not enough, individuals can request deletion
Article 18   | Right to restriction | Processing may be paused while data accuracy is verified
Article 21   | Right to object      | Individuals can challenge incorrect profiling

Together, these articles strengthen personal control over data and prevent misuse.


11. Real-World Examples of GDPR Article 16

Example 1 — Wrong email address in a bank system

A bank has an outdated email for a customer, causing missed payment alerts. The customer requests rectification, and the bank updates the data immediately.

Example 2 — Incorrect medical history

A clinic has an allergy incorrectly recorded in a patient’s file. The patient provides documentation to correct the record and avoid a health risk.

Example 3 — Incomplete employment data

A company records that a contractor worked part-time, but forgets to include two full-time months. The worker asks to complete the record to calculate correct benefits.

Example 4 — Profiling based on outdated information

A marketing platform uses a wrong location and, as a result, delivers irrelevant content. The user can update preferences to ensure accuracy.

Example 5 — Social network using old name

After a legal name change, a user requests a profile update to prevent identity confusion.

These examples show how Article 16 protects individuals from both minor inconvenience and major harm.


12. Best Practices for Organizations

To reduce rectification requests and GDPR risks, companies should:

  • Allow personal data editing via secure customer portals
  • Conduct regular accuracy audits
  • Use automated verification tools (e.g., mailing address validators)
  • Confirm changes through double-verification
  • Keep clear communication records
  • Establish a process for data correction across databases and third parties

Good data governance supports trust and reduces operational problems.


13. What Happens if a Company Violates This Right?

Non-compliance with GDPR Article 16 can lead to:

  • Regulatory investigations
  • Compensation claims from affected individuals
  • Administrative fines up to €20 million or 4% of global annual revenue (whichever is higher)

Supervisory authorities treat data accuracy failures seriously when harm is involved.


Conclusion

The Right to Rectification under GDPR Article 16 empowers individuals to ensure that organizations hold personal data that is accurate, current, and complete. This right is essential for fairness, security, and informed decision-making in a data-driven world. Businesses must establish clear processes to promptly correct errors, inform third-party recipients, and maintain reliable information systems. When implemented properly, Article 16 not only protects individuals’ rights but also enhances the integrity and efficiency of business operations.

Maintaining accurate data is not just a legal requirement—it builds trust and improves the overall quality of digital services.