GDPR Correction and Rectification Requirements

From May 25, 2018, GDPR correction and rectification requests must be honored. Data subjects – EU residents – have the right to access the personal data collected by data controllers and view any supplemental data attached to their files.

If data subjects access their personal data and notice some information is incomplete or incorrect, they have the right to have that information corrected to ensure their data are accurate and complete. If any information in a personal data file is incorrect or out of date, the data subject can request the information be corrected, edited or removed. Requests can be made orally or in writing.

When a request to access personal data is received, or when a correction or rectification is requested, the data controller is required to respond as soon as possible and no later than 30 days after the request has been made.

To ensure compliance with the GDPR correction and rectification requirements, businesses must have developed and implemented policies and procedures that allow them to respond in a timely manner. Those policies and procedures should be documented, as they may need to be provided to regulators in the event of an audit or if a complaint is made. The obligations of data controllers are detailed in Article 5(1)(d) and Article 16 of the GDPR.

When a request is received for a correction, reasonable action must be taken to address the request and update the data subject’s personal data. According to GDPR, “Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”

This right of data subjects is particularly important when the data controller is a healthcare organization. If a data subject requests access to their personal data and discovers inaccuracies in their health data – incorrect records or the omission of an allergy, for instance – the consequences for the data subject could be severe.

In the case of medical opinions recorded in data files, if the data subject believes those opinions to be incorrect, the data controller is not required to update them, although the data file must clearly state that they are opinions rather than facts and whose opinions they are.

If a GDPR correction and rectification request is determined to be unfounded or excessive, the data controller has the right to refuse to comply with the request or charge reasonable fees to honor that request. If the request is refused, the data controller must reply to the data subject within 30 days and explain why no action is being taken. The data subject must also be advised of their right to make a complaint to the ICO or supervisory authority and that they can request that their right is enforced through a judicial remedy.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.