Article 16 gives a data subject the right to obtain, "without undue delay," rectification of inaccurate personal data concerning them — and, having regard to processing purposes, to have incomplete personal data completed, including through a supplementary statement.
Article 16 operationalises the GDPR's accuracy principle in Article 5(1)(d), which requires personal data to be accurate and, where necessary, kept up to date.
Rectification is not merely "editing a field." It is a governed correction process covering:
- Intake and identity verification
- Factual assessment and system remediation
- Downstream notification
- Audit evidence and post-completion monitoring
Article 16 applies to personal data processed by a controller. It does not require a controller to rewrite non-personal records, change genuinely subjective opinions, or alter historically accurate records simply because the data subject dislikes them.
A customer's date of birth is wrong in a banking CRM system.
A former employee's home address is outdated in payroll records.
A patient record omits a supplementary statement correcting an incomplete allergy history.
A credit-risk system uses a wrongly linked account belonging to another person.
A manager's contemporaneous performance opinion is disputed but honestly recorded as an opinion.
A disciplinary record accurately records that an allegation was made, even if later unproven; the remedy may be contextual annotation, not deletion.
A legal record must preserve the original entry for evidential integrity, but may need a correction note or supplementary statement.
Article 16 does not operate in isolation. A robust rectification programme must account for the full web of intersecting obligations across the Regulation.
Each intersecting article creates a distinct governance obligation — from processor coordination under Article 28 to breach notification considerations under Articles 33 and 34.
Centralised channels for web, email, call-centre, branch, app, postal, and third-party requests.
Distinguish rectification, access, erasure, restriction, objection, portability, complaint, and mixed requests.
Risk-based identity verification before disclosure or correction, with escalation for high-risk accounts.
Verify representatives, guardians, powers of attorney, employee delegates, or litigation agents.
Locate all relevant personal data across master data, transactional systems, archives, data lakes, backups, logs, models, and third-party platforms.
Compare contested data against authoritative sources and processing purposes.
Determine whether data is incomplete "taking into account the purposes of processing."
Record evidence supplied by the individual and evidence relied on by the controller.
Pause contested use where Article 18 is triggered.
Define authoritative source systems and prevent conflicting corrections across business units.
Map upstream origin and downstream propagation of corrected data.
Notify internal and external recipients under Article 19 unless impossible or disproportionate.
Require processors to assist with rectification under Article 28.
Track one-month response deadlines and lawful extensions under Article 12.
Preserve who changed what, when, why, on what authority, and with what evidence.
Attach contextual statements where overwriting is legally or technically inappropriate.
Ensure corrected data flows into profiling, risk, fraud, marketing, and AI systems.
Prevent restored data from reintroducing inaccuracies.
Trend repeated rectification requests to identify systemic data-quality defects.
Report volumes, timeliness, refusal grounds, escalations, complaints, root causes, and remediation actions.
How large companies manage the full lifecycle of a rectification request — from first contact to case closure.
Capture requests from all channels. Do not require magic words such as "Article 16." Record date of receipt immediately, create a rights-management case, and send acknowledgement explaining next steps.
Identify whether the request is rectification-only or mixed. Check urgency, vulnerability, regulatory risk, litigation hold, fraud risk, and safety implications. Assign to the appropriate owner.
Verify identity proportionately. Request only necessary extra information. Confirm authority of representatives. Suspend the clock only where lawful and necessary clarification is genuinely required.
Identify the data item challenged. Identify systems, products, entities, regions, processors, and recipients involved. Determine whether the organisation is controller, joint controller, processor, or recipient.
Mark data as disputed. Restrict non-essential processing where accuracy is contested. Prevent adverse automated decisions while the dispute is unresolved where risk is material.
Compare contested data against source documents. Interview accountable data owners where needed. Review provenance, timestamps, system logs, and prior corrections. Separate objective facts from opinions, predictions, classifications, and legal records.
Approve correction where data is inaccurate. Complete incomplete data where required by processing purpose. Add supplementary statement where the original record must remain. Refuse only where a lawful basis exists.
Correct master data first. Cascade changes to dependent systems — analytics, fraud, CRM, HRIS, ERP, billing, support, and marketing platforms. Issue processor instructions. Apply compensating controls where legacy systems cannot be updated directly.
Identify recipients of inaccurate data. Notify them of rectification unless impossible or disproportionate. Record why any recipient notification was not made.
Confirm rectification, completion, restriction, or refusal. Explain what was changed and what was not changed and why. Inform the individual of complaint rights and supervisory authority routes where required.
Store evidence, decision rationale, communications, timestamps, system confirmations, and recipient notifications. Close the case only when implementation evidence is complete.
Test whether corrected data reappears. Monitor downstream feeds. Review recurring request themes. Feed defects into data-quality remediation, DPIAs, product governance, vendor management, and internal audit.
Disproportionality is most relevant to Article 19 recipient notification, not to the basic duty to rectify inaccurate data. When assessing disproportionality, consider:
- Number of recipients and age of disclosure
- Risk to the individual and feasibility of contact
- Available automation and sensitivity of data
- Likely harm if notification is not made
Document the assessment. Prefer targeted notification over blanket refusal. Large companies should require DPO or senior privacy approval before relying on disproportionality.
The requester cannot be identified after reasonable verification.
The organisation does not process the relevant personal data.
The organisation is only a processor and must refer the request to the controller.
The request is manifestly unfounded or excessive under Article 12(5).
The data is accurate as recorded.
The disputed entry is a genuinely subjective opinion, though a supplementary statement may still be appropriate.
The record is historically accurate and must be preserved for legal, audit, regulatory, or evidential purposes.
Completion is not required for the relevant processing purpose.
A statutory restriction under Article 23 applies.
Rectification would impair legal claims, regulatory investigations, fraud prevention, or public-interest functions, where supported by law.
The request seeks deletion rather than correction and should be assessed under Article 17 instead.
The correction would create inaccuracy for another individual.
Article 16 is best taught as a data-governance obligation, not a narrow privacy ticket.
Mature compliance depends on a constellation of interconnected disciplines working in concert:
Building systems that prevent inaccuracy at source, not merely correcting it after the fact.
Clear accountability for authoritative data records across all business units and platforms.
Contractual and operational mechanisms ensuring processors assist with rectification obligations.
Comprehensive records of every correction decision, evidence relied upon, and action taken.
Operational capability to pause contested data use while accuracy disputes are resolved.
Systematic identification and notification of all recipients of inaccurate data.
A scholarly guide to the governed correction process — from core doctrine to operational excellence across large organisations.