Article 16 GDPR: Difference between revisions

From GDPRhub
(style consistency)
 
(7 intermediate revisions by 3 users not shown)
Line 186: Line 186:
==Legal Text==
==Legal Text==
<br /><center>'''Article 16 - Right to rectification'''</center>
<br /><center>'''Article 16 - Right to rectification'''</center>
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.


Line 192: Line 193:


==Commentary==
==Commentary==
Article 16 GDPR provides the data subjects the right to rectify their personal data.<ref>This right is another expression of the control that the GDPR gives data subjects over their personal data, as remarked by Recital 7 GDPR. Along with the rights to erasure, restriction, and objection, it can be considered a second-stage of the exercise of rights, in which control of personal data is effectively exerted. The first stage would be the right of access (Article 15) by which data subject can collect the necessary information about their personal data and how they are being processed. See, ''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 6 (Beck 2018, 2nd ed.) (accessed 17 August 2021).</ref> The term 'rectification' can have different meanings: modification, correction, integration or updating. More generally, it can be said that the right of rectification is based on the inaccuracy or failure to update personal data relating to the data subject. In this respect, the right of rectification represents the expression of the right to personal identity and to the correct representation of the facts concerning the individual.<ref>''Belisario'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 16 GDPR (Wolters Kluwer 2018), p. 176.</ref>
The processing of incorrect or incomplete data can lead to possibly severe disadvantages for the data subject reducing the risk of exclusion, discrimination, or defamation.<ref>''Meents, Hinzpeter'' in Taeger, Gabel, DSGVO – BDSG, Article 16 GDPR, margin number 2 (Deutscher Fachverlag, 4th Edition).</ref> For example, the use of incorrect data can lead to the rejection of a required loan. In many cases false information about a data subject can also lead to severe emotional distress.
 
<u>Example:</u> A pregnant woman lost her baby. The advertisement system of a social media platform falsely categorise her in the group of "''future mothers''" and shows her advertisement based on the alleged aged of her baby. The mother is thereby reminded every day about how old her baby would have been.<ref>Based on a real story brought to the attention of ''noyb''. The relevant social network now allows to block such advertisement. Given that a function for this was introduced, it can be assumed that this is a rather common problem.</ref>
 
The principle of "''accuracy''" in [[Article 5 GDPR|Article 5(1)(d) GDPR]] already requires the controller to actively take "''every reasonable step''" to ensure that inaccurate data is erased or rectified. The controller therefor already has a positive duty to actively correct personal data. The processing of incorrect personal data may therefore already be unlawful if the requirements of [[Article 5 GDPR|Article 5(1)(d) GDPR]] are not complied with. In such cases, there is no need to exercise the rights under Article 16 GDPR - but also no harm in doing so. However, [[Article 5 GDPR|Article 5(1)(d) GDPR]] gives the controller some leeway to continue processing inaccurate data - see more details under [[Article 5 GDPR|Article 5(1)(d) GDPR]].
 
Article 16 GDPR, titled "right to rectification", addresses situations of inaccurate personal data with an additional right of the data subject that has a broader scope, but also requires action by the data subject.  
 
The right to rectification is also explicitly named as a fundamental right in Article 8(2) CFR. It is therefore important that it is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR.
 
===Right to Rectification===
===Right to Rectification===
The accuracy and completeness of personal data is of great importance to the data subject. The stored personal data and the linking of such data usually give an overall picture of the data subject and his or her personality. Also, such data often serve as a basis for decisions of third parties in relation to the data subject. For example, the storage of incorrect creditworthiness data can lead to the non-granting of a required loan and the person concerned can thus be cut off existentially necessary services. Therefore, the processing of incorrect or incomplete data can lead to – sometimes serious – disadvantages for the data subject.<ref>See, ''Meents, Hinzpeter'' in Taeger, Gabel, DSGVO – BDSG, Article 16 GDPR, margin number 2 (Deutscher Fachverlag, 4th edition (accessed 11 February 2022).</ref> The right to rectification is also applicable to data collected before the entry into force of the GDPR, since the storage of such data means that they are still being processed.<ref>VGH Baden-Württemberg, 3 March 2020, 1 S 397/19 (available [http://lrbw.juris.de/cgi-bin/laender_rechtsprechung/document.py?Gericht=bw&nr=30900 here]).</ref>
Article 16 GDPR introduces two distinct rights. The first is the right to rectify inaccurate data, the second is the right to complete incomplete data. Despite the differences between the two, the common factor is the individual's right to avoid a false representation of themselves within a given society.<ref>In this respect, the right of rectification represents another angle of the right to a correct representation of the facts concerning the individual. ''Belisario'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 16 GDPR, p. 176 (Wolters Kluwer 2018). Along with the rights to erasure, restriction, and objection, rectification can be considered a second-stage of the exercise of rights, in which control of personal data is effectively exerted (the first stage being access to the processing through Article 15 GDPR. See, ''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition). </ref>
 
==== Right to obtain ====
To exercise the right to rectify personal data as per Article 16, the data subject needs to request the controller to make the necessary changes (i.e. correct or complete the data).
 
In accordance with [[Article 12 GDPR|Article 12(3) GDPR]], the controller has to answer the rectification request "''without undue delay and in any event within one month of receipt of the request''". This deadline may be extended by two months where necessary, taking into account the complexity and number of the requests. Under Article 12(4) GDPR, any extension of the deadline must be communicated to the data subject alongside the reason behind it. The rectification request does not have to be justified, and the data subject does not need a reason to exercise it nor prove the existence of damage.<ref>''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 18 (C.H. Beck 2018, 2nd Edition).</ref>
 
Typically, the controller requires some time to verify the accuracy of the data and determine if it meets the eligibility requirements. To prevent the data from being processed (and possibly used incorrectly) during this period, the data subject has the right to restrict processing for a specific time frame that allows the controller to verify the data accuracy under Article 18(1)(a) GDPR. The only requirement for the data subject to claim this right is to dispute the accuracy of the data. Thus, in addition to a rectification request the data subject may also exercise their right to restrict the processing whilst the request is carried out.<ref>For further information, please refer to [https://gdprhub.eu/index.php%3Ftitle=Article_18_GDPR Article 18 GDPR].</ref>
 
[[Article 19 GDPR]] requires controllers to notify data subjects that the rectification of their data has been carried out, in order to ensure that they are informed about the correct exercise of their right to rectification. For further information, please refer to [[Article 19 GDPR]].
 
If the controller declines to rectify the data, they must provide reasons for their decision (Article 12(4) GDPR). The data subject has other options for recourse, such as filing a complaint with a supervisory authority or pursuing a judicial remedy.
 
==== Rectification of inaccurate data ====


==== Right to Correct Inaccurate Data ====
===== Inaccurate data =====
The first sentence of Article 16 concerns the right to rectify inaccurate data. The GDPR does not define the concept of inaccuracy. It must therefore be interpreted autonomously under EU law. Personal data are ''incorrect'' if the facts about the data subject set out therein do not objectively correspond to reality. This occurs when there are factual errors in the representation of reality. For example, in the case of registry errors (date of birth, residence) and more generally errors relating to events that can be measured in terms of truth or falsity ("''Subject A was in a certain place on a certain date''").<ref>For example, the right to rectification cannot be used as a means to correct data subjects’ exams answers, since according to the CJEU the assessment of whether personal data is accurate and complete must be made in the light of the purpose for which that data was collected. In such a case, the purpose is to be able to evaluate the level of knowledge and competence of that candidate at the time of the examination. That level is revealed precisely by any errors in those answers. Consequently, such errors do not represent inaccuracy. This right could be used, however, to examine whether scripts were mixed up in such a way that the answers of another candidate were ascribed to the candidate concerned, or whether some of the cover sheets containing the answers of that candidate are lost. See, CJEU, 20 December 2017, Nowak, C‑434/16, margin numbers 52-54 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=6547096 here]). </ref> Conversely, and for the same reasons, it is not possible to obtain the correction of pure value judgments ("''Subject B is smart''"). However, this does not apply to value judgments based on false facts. Here, there is certainly an obligation to correct the facts on which a value judgment is based.<ref>See, ''Meents, Hinzpeter'' in Taeger, Gabel, DSGVO – BDSG, Article 16 GDPR, margin number 8 (Deutscher Fachverlag, 4th edition (accessed 13 February 2022).</ref> 
The first sentence of Article 16 concerns the right to rectify inaccurate data. The GDPR does not provide a more detailed definition of what constitutes inaccuracy. In general one can separate, objective facts (e.g. a birth date), forecasts and predictions that are based on scientific methods (e.g. the creditworthiness) and mere value judgements (e.g. if a person is attractive). While mere value judgements cannot be "inaccurate", predictions, forecasts and objective facts can be inaccurate.


==== Right to Complete Incomplete Data ====
<u>Example</u>: A bank employee is meant to assess a credit application. If the system is based on the wrong name, address or birth date, it is based on inaccurate data, which can be corrected. If the system also uses a "credit score" that is solely based on the name, address or birth date it likely yields statistically inaccurate results, which can be corrected. If the employee simply has a bad feeling in relation to the applicant's ability to pay back the loan, this is a pure value judgement and cannot be corrected.  
Article 16 also gives data subjects the right to have incomplete personal data completed. Fortunately, data sets are never complete. The concept of ''completeness'' is therefore to be understood in relative terms.<ref>''Worms,'' in BeckOK DatenschutzR, Article 16 GDPR, margin number 58 (Beck 2020, 38th ed.) (accessed 13 February 2022).</ref> Certain data could be considered as complete in one context of processing, while the same data could be seen as incomplete in another. This may also mean, however, that the right to rectification may not always oblige a controller to rectify personal data when the inaccuracy is not relevant for the purposes of the processing.<ref>For example, the Norwegian Privacy Appeals Board has decided in a case that a controller was not obliged to rectify a single letter of a name since it does not entail danger of mis-identification and is related to differences between countries in spelling names, especially given the burden that it will impose on the controller to modify it in all their records. See, Personvernrådet, 10 November 2020, 20/01868 (PVN-2020-15) (available [https://pvn.no/pvn-2020-15 here]).</ref>


<u>Example</u>: a controller running a parcel delivery service misses some important address information so that parcels may not be delivered. The data subject has a right to have their address data completed. Only in this way can the purpose of the data processing be fulfilled. Conversely,  
Secondly, it may be even feasible to rectify the value judgment ''itself'', when the underlying facts and/or the decision-making process are objectively wrong. <blockquote><u>Case-law</u>: In [[CJEU - C-434/16 - Peter Nowak|C-434/16 ''Peter Nowak'']], the CJEU clarified that there might be situations where the [...] the examiner’s comments [i.e., ''value judgments''] with respect to those answers prove to be inaccurate, within the meaning of Article 6(1)(d) of Directive 95/46, for example due to the fact that, by mistake, the examination scripts were mixed up in such a way that the answers of another candidate were ascribed to the candidate concerned, or that some of the cover sheets containing the answers of that candidate are lost, so that those answers are incomplete, or that any comments made by an examiner do not accurately record the examiner’s evaluation of the answers of the candidate concerned.<ref>CJEU, Case C-434/16, ''Nowak'', 20 December 2017, margin number 55 (available [[CJEU - C-434/16 - Peter Nowak|here]]).</ref>


The right to rectification may then become a right to add missing elements instead of to correct existing data. In this respect, the act of completing some personal data can be done by providing a supplementary statement (such as the mention of the data subject's acquittal and of the discontinuation of the criminal proceedings).<ref>''de Terwangne, Bygrave'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 16 GDPR, p. 473 (Oxford University Press 2020).</ref>
For more details see the discussion of what constitutes "''inaccurate''" data under [[Article 5 GDPR|Article 5(1)(d) GDPR]].</blockquote>


==== Procedural aspects ====
===== Minor mistakes exempt? =====
Pursuant to [[Article 12 GDPR|Article 12(2) GDPR]], the controller shall facilitate the data subject's exercise of the rectification.<ref>This may be done, partially, by providing the possibility of making a rectification request via electronic means, as recommended by [https://gdprhub.eu/index.php%3Ftitle=Article_15_GDPR Article 15(3) GDPR] and Recital 64 GDPR when dealing with access requests.</ref> In accordance with [[Article 12 GDPR|Article 12(3) GDPR]], the controller has to answer the rectification request "''without undue delay and in any event within one month of receipt of the request''". This deadline may be extended two months where necessary, taking into account the complexity and number of the requests. Any extension of the deadline must be communicated to the data subject, along for the reasons for it, according to Paragraph 4 of the same Article. The rectification request is not subject to a justification. The data subject does not have to have a reason for exercising it. It is neither, for example, subject to the existence of damage.<ref>''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 18 (Beck 2018, 2nd ed.) (accessed 17 August 2021). </ref>
According to some commentators, minor inaccuracies that do not have any relevance or impact on data processing are generally irrelevant. These could be grammatical or orthographic errors, such as a misspelled street name or a missing "h" in the name "Katharina," or an umlaut written out in the internal databases. However, if such inaccuracies could cause confusion or consequential errors, they are no longer considered insignificant.<ref>''Haidinger'', in Knyrim, DatKomm, Article 16 GDPR, margin number 22 (Manz 2021).</ref> Another interpretation suggests that the responsibility for determining which data should be corrected and which errors can be deemed acceptable primarily rests with the data subject. Mistakes related to the spelling of the name cannot be considered insignificant because they impact the primary identifier of the data subject in the realm of automated data processing, which can lead to confusion and subsequent errors.<ref>''Reif,'' in Gola, DS-GVO, Article 16 GDPR, margin number 15 (C.H. Beck 2018).</ref> The case-law reflects both views.<blockquote><u>Case-law</u>: The Norwegian Privacy Appeals Board (Personvernrådet) overturned the Norwegian DPA’s (Datatilsynet) decision and held that a name which contained an incorrect uppercase letter did not constitute incorrect personal data which needs to be rectified based on Article 16 GDPR.<ref>Datatilsynet - 20/01868 (PVN-2020-15) (Available [[Datatilsynet - 20/01868 (PVN-2020-15)|here]]).</ref> However, the Court of Appeal of Brussels held just the opposite in a similar case: data subjects have the right under Article 16 GDPR for their name to be spelled correctly when processed by a bank's computer systems.<ref>Court of Appeal of Brussels - 2019/AR/1006 (available [https://gdprhub.eu/Court%20of%20Appeal%20of%20Brussels%20-%202019/AR/1006 here]).</ref></blockquote>


===== Relation to [[Article 18 GDPR]]=====
===== Cause for inaccuracy irrelevant =====  
[[Article 18 GDPR]] contains a provision that allows the data processing to be restricted when the accuracy of the data is contested. Therefore, along with a rectification request, the data subject may exercise also their right to restrict the processing during the time while the rectification request is being carried out. For further information, please refer to [[Article 18 GDPR]].


===== Relation to [[Article 19 GDPR]]=====
It is irrelevant why the data is incorrect. The controller must not have had any bad faith to trigger Article 1 GDPR. Even if the data subject himself or herself originally provided incorrect information, Article 16 GDPR is applicable. If the data is inaccurate, it must be rectified.<blockquote><u>Case-law</u>: The Hessian DPA (HBDI) held that a data subject has a right to rectification under Article 16 GDPR, even if he or she purposefully provided incorrect information during the account creation in order to circumvent age restrictions.<ref>HBDI (Hesse) - 62334 (available [[HBDI (Hesse) - 62334 (IMI Case)|here]]).</ref> </blockquote>
[[Article 19 GDPR]] contains an obligation for the controller to notify the data subject that the rectification of their data has been carried out, in order to ensure that the data subject is informed about the correct exercise of their right to rectification. For further information, please refer to [[Article 19 GDPR]].


==== Completion of incomplete data ====
Article 16 gives data subjects the right to have incomplete personal data completed. Whether data is incomplete within the meaning of Article 16 GDPR is a relative concept and depends on the purpose of processing, "''taking into account the purposes of the processing''".<ref>''Worms,'' in Wolff, Brink, BeckOK Datenschutzrecht, Article 16 GDPR, margin number 58 (C.H. Beck 2020, 38th Edition).</ref> If the complete personal data would lead to a different result or provide extra context, it is "''incomplete''". <blockquote><u>Example</u>: In terms of creditworthiness, information about a refusal to pay is incomplete without the additional information that the reason for the refusal was a dispute over incorrect delivery of goods.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 16 GDPR, margin number 27 (Beck 2020, 3rd ed.)</ref> </blockquote>The GDPR explicitly states that the right to complete incomplete personal data can be fulfilled through a supplementary statement. This is meant to ensure the data subject is not confined to the limited data fields provided by the controller when exercising this rights under Article 16 GDPR. Supplementary explanations provided by the data subject must be taken into account if they are necessary to accurately and unambiguously contextualize the personal information. In this respect, the act of completing personal data can be executed by providing a supplementary statement.<ref>''de Terwangne, Bygrave'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 16 GDPR, p. 473 (Oxford University Press 2020).</ref>
==Decisions==
==Decisions==
→ You can find all related decisions in [[:Category:Article 16 GDPR]]
→ You can find all related decisions in [[:Category:Article 16 GDPR]]

Latest revision as of 23:24, 6 March 2024

Article 16 - Right to rectification
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 16 - Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Relevant Recitals

Recital 39: Principles of Data Processing
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 65: Right to Erasure and Rectification
A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

Commentary

The processing of incorrect or incomplete data can lead to possibly severe disadvantages for the data subject reducing the risk of exclusion, discrimination, or defamation.[1] For example, the use of incorrect data can lead to the rejection of a required loan. In many cases false information about a data subject can also lead to severe emotional distress.

Example: A pregnant woman lost her baby. The advertisement system of a social media platform falsely categorise her in the group of "future mothers" and shows her advertisement based on the alleged aged of her baby. The mother is thereby reminded every day about how old her baby would have been.[2]

The principle of "accuracy" in Article 5(1)(d) GDPR already requires the controller to actively take "every reasonable step" to ensure that inaccurate data is erased or rectified. The controller therefor already has a positive duty to actively correct personal data. The processing of incorrect personal data may therefore already be unlawful if the requirements of Article 5(1)(d) GDPR are not complied with. In such cases, there is no need to exercise the rights under Article 16 GDPR - but also no harm in doing so. However, Article 5(1)(d) GDPR gives the controller some leeway to continue processing inaccurate data - see more details under Article 5(1)(d) GDPR.

Article 16 GDPR, titled "right to rectification", addresses situations of inaccurate personal data with an additional right of the data subject that has a broader scope, but also requires action by the data subject.

The right to rectification is also explicitly named as a fundamental right in Article 8(2) CFR. It is therefore important that it is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR.

Right to Rectification

Article 16 GDPR introduces two distinct rights. The first is the right to rectify inaccurate data, the second is the right to complete incomplete data. Despite the differences between the two, the common factor is the individual's right to avoid a false representation of themselves within a given society.[3]

Right to obtain

To exercise the right to rectify personal data as per Article 16, the data subject needs to request the controller to make the necessary changes (i.e. correct or complete the data).

In accordance with Article 12(3) GDPR, the controller has to answer the rectification request "without undue delay and in any event within one month of receipt of the request". This deadline may be extended by two months where necessary, taking into account the complexity and number of the requests. Under Article 12(4) GDPR, any extension of the deadline must be communicated to the data subject alongside the reason behind it. The rectification request does not have to be justified, and the data subject does not need a reason to exercise it nor prove the existence of damage.[4]

Typically, the controller requires some time to verify the accuracy of the data and determine if it meets the eligibility requirements. To prevent the data from being processed (and possibly used incorrectly) during this period, the data subject has the right to restrict processing for a specific time frame that allows the controller to verify the data accuracy under Article 18(1)(a) GDPR. The only requirement for the data subject to claim this right is to dispute the accuracy of the data. Thus, in addition to a rectification request the data subject may also exercise their right to restrict the processing whilst the request is carried out.[5]

Article 19 GDPR requires controllers to notify data subjects that the rectification of their data has been carried out, in order to ensure that they are informed about the correct exercise of their right to rectification. For further information, please refer to Article 19 GDPR.

If the controller declines to rectify the data, they must provide reasons for their decision (Article 12(4) GDPR). The data subject has other options for recourse, such as filing a complaint with a supervisory authority or pursuing a judicial remedy.

Rectification of inaccurate data

Inaccurate data

The first sentence of Article 16 concerns the right to rectify inaccurate data. The GDPR does not provide a more detailed definition of what constitutes inaccuracy. In general one can separate, objective facts (e.g. a birth date), forecasts and predictions that are based on scientific methods (e.g. the creditworthiness) and mere value judgements (e.g. if a person is attractive). While mere value judgements cannot be "inaccurate", predictions, forecasts and objective facts can be inaccurate.

Example: A bank employee is meant to assess a credit application. If the system is based on the wrong name, address or birth date, it is based on inaccurate data, which can be corrected. If the system also uses a "credit score" that is solely based on the name, address or birth date it likely yields statistically inaccurate results, which can be corrected. If the employee simply has a bad feeling in relation to the applicant's ability to pay back the loan, this is a pure value judgement and cannot be corrected.

Secondly, it may be even feasible to rectify the value judgment itself, when the underlying facts and/or the decision-making process are objectively wrong.

Case-law: In C-434/16 Peter Nowak, the CJEU clarified that there might be situations where the [...] the examiner’s comments [i.e., value judgments] with respect to those answers prove to be inaccurate, within the meaning of Article 6(1)(d) of Directive 95/46, for example due to the fact that, by mistake, the examination scripts were mixed up in such a way that the answers of another candidate were ascribed to the candidate concerned, or that some of the cover sheets containing the answers of that candidate are lost, so that those answers are incomplete, or that any comments made by an examiner do not accurately record the examiner’s evaluation of the answers of the candidate concerned.[6] For more details see the discussion of what constitutes "inaccurate" data under Article 5(1)(d) GDPR.

Minor mistakes exempt?

According to some commentators, minor inaccuracies that do not have any relevance or impact on data processing are generally irrelevant. These could be grammatical or orthographic errors, such as a misspelled street name or a missing "h" in the name "Katharina," or an umlaut written out in the internal databases. However, if such inaccuracies could cause confusion or consequential errors, they are no longer considered insignificant.[7] Another interpretation suggests that the responsibility for determining which data should be corrected and which errors can be deemed acceptable primarily rests with the data subject. Mistakes related to the spelling of the name cannot be considered insignificant because they impact the primary identifier of the data subject in the realm of automated data processing, which can lead to confusion and subsequent errors.[8] The case-law reflects both views.

Case-law: The Norwegian Privacy Appeals Board (Personvernrådet) overturned the Norwegian DPA’s (Datatilsynet) decision and held that a name which contained an incorrect uppercase letter did not constitute incorrect personal data which needs to be rectified based on Article 16 GDPR.[9] However, the Court of Appeal of Brussels held just the opposite in a similar case: data subjects have the right under Article 16 GDPR for their name to be spelled correctly when processed by a bank's computer systems.[10]

Cause for inaccuracy irrelevant

It is irrelevant why the data is incorrect. The controller must not have had any bad faith to trigger Article 1 GDPR. Even if the data subject himself or herself originally provided incorrect information, Article 16 GDPR is applicable. If the data is inaccurate, it must be rectified.

Case-law: The Hessian DPA (HBDI) held that a data subject has a right to rectification under Article 16 GDPR, even if he or she purposefully provided incorrect information during the account creation in order to circumvent age restrictions.[11]

Completion of incomplete data

Article 16 gives data subjects the right to have incomplete personal data completed. Whether data is incomplete within the meaning of Article 16 GDPR is a relative concept and depends on the purpose of processing, "taking into account the purposes of the processing".[12] If the complete personal data would lead to a different result or provide extra context, it is "incomplete".

Example: In terms of creditworthiness, information about a refusal to pay is incomplete without the additional information that the reason for the refusal was a dispute over incorrect delivery of goods.[13]

The GDPR explicitly states that the right to complete incomplete personal data can be fulfilled through a supplementary statement. This is meant to ensure the data subject is not confined to the limited data fields provided by the controller when exercising this rights under Article 16 GDPR. Supplementary explanations provided by the data subject must be taken into account if they are necessary to accurately and unambiguously contextualize the personal information. In this respect, the act of completing personal data can be executed by providing a supplementary statement.[14]

Decisions

→ You can find all related decisions in Category:Article 16 GDPR

References

  1. Meents, Hinzpeter in Taeger, Gabel, DSGVO – BDSG, Article 16 GDPR, margin number 2 (Deutscher Fachverlag, 4th Edition).
  2. Based on a real story brought to the attention of noyb. The relevant social network now allows to block such advertisement. Given that a function for this was introduced, it can be assumed that this is a rather common problem.
  3. In this respect, the right of rectification represents another angle of the right to a correct representation of the facts concerning the individual. Belisario, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 16 GDPR, p. 176 (Wolters Kluwer 2018). Along with the rights to erasure, restriction, and objection, rectification can be considered a second-stage of the exercise of rights, in which control of personal data is effectively exerted (the first stage being access to the processing through Article 15 GDPR. See, Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).
  4. Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 18 (C.H. Beck 2018, 2nd Edition).
  5. For further information, please refer to Article 18 GDPR.
  6. CJEU, Case C-434/16, Nowak, 20 December 2017, margin number 55 (available here).
  7. Haidinger, in Knyrim, DatKomm, Article 16 GDPR, margin number 22 (Manz 2021).
  8. Reif, in Gola, DS-GVO, Article 16 GDPR, margin number 15 (C.H. Beck 2018).
  9. Datatilsynet - 20/01868 (PVN-2020-15) (Available here).
  10. Court of Appeal of Brussels - 2019/AR/1006 (available here).
  11. HBDI (Hesse) - 62334 (available here).
  12. Worms, in Wolff, Brink, BeckOK Datenschutzrecht, Article 16 GDPR, margin number 58 (C.H. Beck 2020, 38th Edition).
  13. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 16 GDPR, margin number 27 (Beck 2020, 3rd ed.)
  14. de Terwangne, Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 16 GDPR, p. 473 (Oxford University Press 2020).