Request For Rectification Procedure
Updated: 24th January 2019
Request for Rectification Procedure
What is the right to rectification?
Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed.
What do we need to do?
If we receive a request for rectification, we will take reasonable steps to satisfy ourselves that the data is accurate and to rectify the data if necessary. You should take into account the arguments and evidence provided by the data subject (the individual).
We may also take into account any steps already taken to verify the accuracy of the data prior to the challenge by the data subject.
What should we do about data that records a mistake?
Determining whether personal data is inaccurate can be more complex if the data refers to a mistake that has subsequently been resolved. It may be possible to argue that the record of the mistake is, in itself, accurate and should be kept. In such circumstances, the fact that a mistake was made and the correct information should also be included in the individuals data.
What should we do about data that records a disputed opinion?
It is also complex if the data in question records an opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified.
What should we do while we are considering the accuracy?
Under Article 18 an individual has the right to request restriction of the processing of their personal data where they contest its accuracy and we are checking it. As a matter of good practice, we will restrict the processing of the personal data in question whilst verifying its accuracy, whether or not the individual has exercised their right to restriction.
What should we do if we are satisfied that the data is accurate?
We will let the individual know if you are satisfied that the personal data is accurate, and tell them that you will not be amending the data. We will explain your decision, and inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek to enforce their rights through a judicial remedy.
Can we refuse to comply with the request for rectification for other reasons?
We can refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If you consider that a request is manifestly unfounded or excessive you can:
- request a “reasonable fee” to deal with the request; or
- refuse to deal with the request.
In either case we will need to justify your decision.
What should we do if we refuse to comply with a request for rectification?
We will inform the individual without undue delay and within one month of receipt of the request about:
- the reasons you are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
How can we recognise a request?
An individual can make a request for rectification verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.
A request to rectify personal data does not need to mention the phrase ‘request for rectification’ or Article 16 of the GDPR to be a valid request. As long as the individual has challenged the accuracy of their data and has asked you to correct it, or has asked that you take steps to complete data held about them that is incomplete, this will be a valid request under Article 16.
However, we have a legal responsibility to identify that an individual has made a request verbally and handle it accordingly.
We will be recording details of the requests we receive, particularly those made by telephone or in person and keep a log of verbal requests. We may wish to check with the requester that you have understood their request.
Record the request in the Data Request Record Form
How long do we have to comply?
We must act upon the request without undue delay and at the latest within one month of receipt.
We will calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
We can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. We will let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.
Can we ask an individual for ID?
If we have doubts about the identity of the person making the request, we will ask for more information. However, we will only request information that is necessary to confirm who they are.