
Right to Rectification

Right to have inaccurate personal data corrected

rectification correction accuracy article 16

Overview

Legal Framework

Article 16 of the General Data Protection Regulation (GDPR) establishes the data subject's right to rectification. It creates a dual obligation for controllers: first, to correct inaccurate personal data without undue delay upon request, and second, to complete incomplete personal data, considering the purposes of the processing. This right is fundamental to ensuring data accuracy, a core principle under Article 5(1)(d) GDPR. The right is closely linked to the right of access under Article 15, which, as confirmed in case law like Minister voor Immigratie v. M, is often a prerequisite for a data subject to identify inaccuracies and subsequently seek their correction.

Practical Application

The right to rectification is triggered when data is factually incorrect or misleading in light of the processing purposes. Organizations must implement procedures to receive, assess, and act on rectification requests promptly. The "without undue delay" requirement typically means within one month, aligning with other GDPR response deadlines. The obligation to complete incomplete data is not a right to compel controllers to process new categories of data, but rather to supplement existing records where the absence of information renders them misleading. For example, a partial address might need completion for delivery purposes. The right is not absolute and must be balanced against other obligations, such as retaining accurate original records for legal compliance. Case law, including Smaranda Bara, underscores that effective data subject rights, including rectification, rely on transparency about data processing, as rectification cannot be meaningfully exercised if the data subject is unaware of the processing.

Key Considerations

  • Establish a Verifiable Process: Implement a clear internal workflow for logging, investigating, and resolving rectification requests. Document the rationale for decisions, especially if a request is refused (e.g., if the data is accurate and the request is contested).
  • Notify Third Parties: If the inaccurate data has been disclosed to recipients, Article 19 GDPR generally requires the controller to inform those recipients of the rectification, unless this proves impossible or involves disproportionate effort. The controller must also inform the data subject about these recipients if requested.
  • Link to Access and Erasure: Integrate rectification procedures with rights to access and erasure. An access request often precedes rectification, and if data is inaccurate but cannot be legitimately corrected (e.g., it is an opinion not presented as fact), the data subject may seek erasure under Article 17 instead.

Laws (14)

Case Law (10)

Rechtbank Den Haag - data subject rights - AWB - 19 _ 3393

Rechtbank Den Haag - Administrative law

Request by two internal whistleblowers within the Office of the High Commissioner of Human Rights (OHCHR) to the Minister of Foreign Affairs for access to their personal data processed by the defendant, and to the sources of those data, on the basis of the General Data Protection Regulation (GDPR). They also requested correction of their personal data as processed in the answers to the parliamentary questions.

Rechtbank Midden-Nederland - personal data - 20/268

Rechtbank Midden-Nederland - Administrative law

Multi-judge panel (MK), GDPR, scope of the concept of 'personal data'. Well-founded, with the legal consequences left in place.

Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems

Schrems II

“although not requiring a third country to ensure a level of protection identical to that guaranteed in the EU legal order, the term ‘adequate level of protection’ must […] be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter.”

Data Protection Commissioner v. Schrems and Facebook

Schrems I

Necessity/proportionality: The Decision does not contain any finding regarding US rules intended to limit the interference when they pursue legitimate objectives such as national security, nor refer to effective legal protection against such interference. FTC procedures and private dispute resolution mechanisms concern compliance with safe harbor principles (against US organizations) and cannot be applied with respect to measures originating from the State. Moreover, the Commission found that if

Data Protection Commissioner v. Schrems and Facebook

Schrems I

Independence of DPA: The Directive seeks to ensure an effective, complete, and high level of protection of the fundamental rights and freedoms of natural persons. The guarantee of a DPA’s independence is intended to ensure effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection. DPAs' powers extend to their own Member State, but not to processing in third countries. However, DPAs are responsible for monitoring transfers from a Member State t

SMARANDA BARA ET AL. V. PRESEDINTELE CASEI NATIONALE DE ASIGURARI DE SANATATE (CNAS) ET AL., 1.10.2015 (“BARA”)

Bara

Right to be informed: National law that does not require the specific transfer involved in the case cannot constitute “prior information” under Article 10 of Directive 95/46 (information requirement where data is collected from the data subject), enabling the controller to dispense with his obligation to inform the data subject of the recipients of the data. (¶¶ 34–38). Article 11 (information requirement where data is not collected from data subject) requires that specified information be provi

MINISTER VOOR IMMIGRATIE V. M, 17.7.2014 (“Minister v. M”)

Minister v. M

Right to access: The right of access is a prerequisite to obtain rectification, erasure or blocking of personal data (¶¶ 44–46). To comply with the right of access it is sufficient for the applicant to be provided with a full summary of those data in an intelligible form, that is, a form which allows him to become aware of those data and to check that they are accurate and processed in compliance with the Directive. He need not be given a copy of the documents. (¶¶ 59–60)

GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.5.2014 (“GOOGLE v. Spain”)

Google Spain

Legitimate interest balancing test: Legitimate interest requires balancing of the interest of the controller and third party with the interest of the data subject. In this particular case, having regard to the sensitivity for data subject’s private life of information contained in announcements and the fact that the initial publication occurred 16 years earlier, the data subject has established that the links should be removed. (¶¶ 70–75, 80-81, 98)

X, 12.12.2013 (“X”)

X

Access: Directive 95/46 does not require Member States to levy fees when the right of access to personal data is exercised, nor does it prohibit the levying of such fees as long as they are not excessive. (¶¶ 22, 25, 28–30)

COLLEGE VAN BURGEMEESTER EN WETHOUDERS VAN ROTTERDAM V. RIJKEBOER, 7.5.2009 (“RIJKEBOER”)

Rijkeboer

Right of Access: Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller (determinati

Guidance (45)


Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them

Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them

These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...

Guidelines 07/2020 on the concepts of controller and processor in the GDPR

Guidelines on the concepts of controller and processor in the GDPR

The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...

Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679

Guidelines on relevant and reasoned objection under Regulation 2016/679

Guidelines 10/2020 on restrictions under Article 23 GDPR

Guidelines on restrictions under Article 23 GDPR

Guidelines 04/2022 on the calculation of administrative fines under the GDPR

Guidelines on the calculation of administrative fines under the GDPR

The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...

Guidelines 03/2021 on the application of Article 65(1)(a) GDPR

Guidelines on the application of Article 60 GDPR

Guidelines 10/2020 on restrictions under Article 23 GDPR

guidelines restrictions data subject rights

Guidelines 01/2020 on the processing of personal data in the context of connected vehicles and mobility-related applications

guidelines connected vehicles

Version history

guidelines transfers of personal data between public authorities and bodies within and outside the EEA

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

guidelines use of facial recognition in law enforcement

More and more law enforcement authorities apply or intend to apply facial recognition technology. The technology can be used to authenticate or identify a person and can be applied to videos (e.g. CCTV) or photographs, but also for other purposes, including searching for persons on police watch lists or tracking a person's movements in public space. Facial recognition technology is based...

Guidelines 3/2022 on recognising and avoiding deceptive design patterns in social media platform interfaces

guidelines deceptive design patterns

These guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, ...

Guidelines 07/2020 on the concepts of 'controller' and 'processor' in the GDPR

guidelines on the concepts of 'controller' and 'processor' in the GDPR

The concepts of 'controller', 'joint controller' and 'processor' play a crucial role in the application of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), since they determine who is responsible for compliance with different data protection rules and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct...

Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Guidelines on processing of personal data through video devices

Guidelines 07/2022 on certification as a tool for transfers

guidelines certification

Under Article 46 of the General Data Protection Regulation (GDPR), data exporters must provide appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that data exporters may use under Article 46 as a framework for transfers to third countries, including by introducing certification as a new transfer mechanism (Article 42(2) and ...

Guidelines 07/2022 on certification as a tool for transfers

Guidelines on certification and identifying certification criteria

The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR). These guidelines provide guidance as to the applicati...

Guidelines 8/2022 on identifying a controller or processor's lead supervisory authority

Guidelines for identifying a controller or processor’s lead supervisory authority

Guidelines 06/2022 on the practical implementation of amicable settlements

Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

Guidelines 01/2022 on data subject rights - Right of access

Guidelines on data subject rights - Right of access

The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

Guidelines on the use of facial recognition technology in the area of law enforcement

More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data, therefore, it encompasses the processing of special categories ...

ARTICLE 29 DATA PROTECTION WORKING PARTY

Guidelines on transparency

News (9)

VDAI (Lithuania) - Nr. 3R-219 (2.13-1.E)

The DPA partially upheld a complaint and issued a reprimand against a travel company for unlawful direct marketing, excessive passport copy collection, inaccuracies in travel documents, lack of transparency, and an incomplete access response.

BVwG - W291 2298748-1

A data subject wished to be addressed in a gender-neutral way and claimed they were misgendered by two companies (the data controllers) in profile settings, tickets, and train announcements. They initially sent a tweet to one of the involved controllers asking whether gender-neutral options would be available

CAA - 23VE02156

A court rejected the appeal of a patient seeking the rectification of a medical report. The court found that the patient cannot request the rectification of a medical assessment even when it differed from subsequent diagnoses. A court found that a patient cannot request from a hospital the rectification of a medical assessment since this assessment constitutes a subjective opinion. The court held that this is the case even when the controller’s diagnosis differs from

CJEU clarifies GDPR principles of purpose limitation and storage limitation

The purpose limitation principle does not preclude a controller from capturing and storing in a test database established for testing and error correction purposes personal data previously collected and stored in another database. However, such "further processing" of personal data must be compatible with the specific purposes for which the personal data were originally collected. The principle of storage limitation precludes the retention of personal data in that test database for longer than n

AEPD publishes GDPR Risk Assessment

> GDPR RISK ASSESSMENT is intended to assist controllers and processors to identify the risk factors for the rights and freedoms of data subjects whose data are present in the processing, to make an initial assessment of the intrinsic risk, including the need to perform a DPIA, and to estimate the residual risk if measures and safeguards are used to mitigate the specific risk factors.

What Happened to the Risk-Based Approach to Data Transfers?

The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Other than the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security

Digital Privacy Rights and CLOUD Act Agreements between US and UK

The CLOUD Act agreements between the US and UK will likely improve the digital privacy rights of US and UK citizens, but they will further undermine these rights for Third Country Persons (eg from EU). The US and UK should voluntarily extend Fourth Amendment and Article 8 protections to these persons, according to an article in the Brooklyn Journal of International Law.

Who Is Collecting Data from Your Car?

> A firehose of sensitive data from your vehicle is flowing to a group of companies you’ve probably never heard of

DeFine is a calculator for GDPR fines based on method of the EDPB

> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).