In one sentence. GDPR Article 16 grants the data subject the right to obtain rectification of inaccurate personal data concerning them and to have incomplete personal data completed, including by providing a supplementary statement. The controller must respond within one month (extendable by two months for complex requests). Article 19 separately requires the controller to communicate the rectification to each recipient to whom the data was disclosed.
Article 16 is one of the most-exercised data subject rights — often invoked alongside access requests (Article 15) when the data subject discovers errors. The right is procedurally simple but operationally non-trivial: rectification must propagate to all downstream systems and recipients, not just the primary record.
For related rights: right of access (Article 15), right to erasure (Article 17), restriction of processing (Article 18). For procedural modalities: Article 12 transparency.
Key takeaways
- Right to correct inaccurate data + complete incomplete data.
- Deadline: one month (extendable to three months for complex requests).
- Article 19 requires notification to each recipient to whom the data was disclosed.
- The right is broader than it appears: covers inaccurate facts, outdated information, missing context.
- For data the controller cannot independently verify (e.g., subjective evaluations), supplementary statement allowed.
1. Article 16 text
“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”
Two distinct rights in one Article:
- Rectification of inaccurate data
- Completion of incomplete data (potentially via supplementary statement)
2. When is the right exercised?
Common triggers:
- Address change not propagated
- Misspelled name
- Outdated contact information
- Incorrect demographic data
- Inaccurate transaction history
- Outdated employment status
- Wrong medical record entry
- Incorrect calculation (credit score, premium)
The data subject must typically identify the specific inaccuracy. Generic “correct everything wrong” requests are unusual but not unlawful.
3. Verification of the inaccuracy
The controller may verify that the request is genuine:
- Comparison with original source documents
- Confirmation from the data subject themselves
- Cross-reference with authoritative sources (civil register for name changes, etc.)
For subjective data (evaluations, ratings, opinions), Article 16 has limits — the controller cannot be forced to “correct” a subjective evaluation simply because the data subject disagrees. The remedy is the supplementary statement: adding the data subject’s perspective alongside the original assessment.
4. Deadline (Article 12(3))
One month from receipt of the request, extendable by two further months for complex requests. The data subject must be informed of any extension within the initial one-month period.
For simple corrections (typo, address change), one month is generous — most should resolve in days. Complex corrections (medical records, credit history) may legitimately need the extension.
5. The Article 19 notification cascade
Article 19 GDPR requires the controller to communicate any rectification (or erasure or restriction) to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort.
This cascade matters:
- Correction in the CRM but not in the email marketing tool → marketing emails go to outdated address
- Correction in HR system but not in payroll → wage paid to wrong account
- Correction in master record but not in analytics platform → reports show inaccurate data
The fix: implement a propagation procedure that updates downstream systems when the master record is rectified.
6. Data subject right to know about recipients
Article 19 also gives the data subject the right to be informed about the recipients to whom rectification was communicated, if they ask. This means the controller must keep a record of where data was disclosed.
7. Distinction from right to complete
The “right to complete” (second clause of Article 16) covers cases where data is technically accurate but missing context. Example:
- Record states “patient has cancer” — accurate, but missing “in remission since 2020”
- Record states “candidate has 2 years of experience” — accurate, but missing “plus 5 years prior in adjacent field”
The data subject can request that the controller add the missing context, potentially via a supplementary statement that doesn’t replace but augments the original data.
8. Common implementation failures
| Failure | Risk |
|---|---|
| Correction in primary record only, no downstream propagation | Article 19 violation, ongoing inaccuracy |
| No procedure for handling rectification requests | Missed deadline |
| Refusal to add supplementary statement for subjective data | Article 16 violation |
| Identity verification disproportionate (requiring ID for typo correction) | Article 12 violation |
| No record of recipients to whom data was disclosed | Article 30 + Article 19 violation |
9. Sanctions
Article 16 violations are typically sanctioned under Article 83(5)(b) — up to €20M or 4% of global turnover.
Notable cases:
- Brico Privé (CNIL, 2023): €50K — failure to handle rectification requests
- Spartoo (CNIL, 2020): €250K — multiple data subject right failures including rectification
- Several SMB sanctions €5K-€50K for missing deadline or refusing rectification
10. Practical workflow
- Reception — log timestamp, classify as Article 16
- Identity verification — proportionate
- Specify the inaccuracy — request additional details if needed
- Verify — check against source documents
- Rectify in master record
- Propagate to downstream systems (Article 19)
- Notify the data subject within 30 days
- Notify recipients to whom data was disclosed
- Document the rectification in the request register
11. Sample response template
Subject: Rectification of your personal data — confirmation
Dear [Name],
Following your request dated [date], we have rectified your personal
data as follows:
Original (inaccurate):
[old value]
Corrected:
[new value]
This correction has been propagated to the following systems:
- Customer record (CRM)
- Email marketing list
- Order history
- Customer support ticketing
The correction was also communicated to the following recipients
(Article 19 GDPR):
- [Recipient A, e.g., shipping provider]
- [Recipient B, e.g., payment processor]
You also have the right to:
- Request additional rectifications if needed
- Lodge a complaint with the supervisory authority (CNIL, etc.)
For questions: dpo@company.com
12. Tooling
Legiscope handles the Article 16 workflow with downstream propagation tracking — flags which systems received the data and need updating, automated notification to processor recipients, audit trail of all rectifications.
For related guides: right of access GDPR, right to erasure GDPR, Article 12 transparency, GDPR Article 18 restriction.
Conclusion
Article 16 is procedurally simple but operationally tests the architecture. A rectification that doesn’t propagate is a half-rectification — and Article 19 makes that the controller’s problem. Build the propagation pipeline before the first request arrives.
FAQ
How long do I have to respond to a rectification request?
One month from receipt, extendable by two months for complex requests. The data subject must be informed of any extension within the initial month.
Can I refuse to correct subjective data?
For subjective evaluations (ratings, opinions), you don’t have to change the original assessment, but the data subject can request a supplementary statement be added — that’s required.
Do I need to verify the data subject’s identity?
Yes, where reasonable doubt exists (Article 12(6)). But verification must be proportionate. Requiring a passport copy for a typo correction is disproportionate and itself a violation.
What if I disclosed the data to third parties?
Article 19 requires notifying each recipient of the rectification unless impossible or disproportionate. The data subject also has the right to be informed about recipients on request.
What’s the difference between correction and completion?
Correction (first clause of Article 16) addresses inaccurate data. Completion (second clause) addresses technically accurate but missing context — typically via supplementary statement.
Legiscope automates this for you
Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.
Start free trial
