Article 16 GDPR: Difference between revisions

Revision as of 20:34, 5 March 2024

← Article 16 - Right to rectification →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 16 - Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Relevant Recitals

Recital 39: Principles of Data Processing

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 65: Right to Erasure and Rectification

A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

Commentary

The processing of incorrect or incomplete data can lead to possibly severe disadvantages for the data subject reducing the risk of exclusion, discrimination, or defamation.^[1] For example, the use of incorrect data can lead to the rejection of a required loan, causing the applicant to be cut off from essential services. The publication of a news which does not provide a complete information may be misleading and damage the data subject reputation. The provision, titled "Right to rectification", addresses this issue and introduces two distinct rights. The first is the right to rectify inaccurate data, the second is the right to complete incomplete data. Despite the differences between the two, the common factor is the individual's right to avoid a false representation of themselves within a given society.^[2]

The right to rectification is also explicitly named as a fundamental right in Article 8(2) CFR. It is therefore important that it is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR.

Right to Rectification

The provision, contained in a single paragraph, provides for two distinct rights: the right to rectify inaccurate data and the right to complete incomplete data.

Right to obtain

To exercise the right to rectify personal data as per Article 16, the data subject needs to request the controller to make the necessary changes (i.e. correct or complete the data).

In accordance with Article 12(3) GDPR, the controller has to answer the rectification request "without undue delay and in any event within one month of receipt of the request". This deadline may be extended by two months where necessary, taking into account the complexity and number of the requests. Under Article 12(4) GDPR, any extension of the deadline must be communicated to the data subject alongside the reason behind it. The rectification request does not have to be justified, and the data subject does not need a reason to exercise it nor prove the existence of damage.^[3]

Typically, the controller requires some time to verify the accuracy of the data and determine if it meets the eligibility requirements. To prevent the data from being processed (and possibly used incorrectly) during this period, the data subject has the right to restrict processing for a specific time frame that allows the controller to verify the data accuracy under Article 18(1)(a) GDPR. The only requirement for the data subject to claim this right is to dispute the accuracy of the data. Thus, in addition to a rectification request the data subject may also exercise their right to restrict the processing whilst the request is carried out.^[4]

Article 19 GDPR requires controllers to notify data subjects that the rectification of their data has been carried out, in order to ensure that they are informed about the correct exercise of their right to rectification. For further information, please refer to Article 19 GDPR.

If the controller declines to rectify the data, they must provide reasons for their decision (Article 12(4) GDPR). The data subject has other options for recourse, such as filing a complaint with a supervisory authority or pursuing a judicial remedy.

Rectification of inaccurate data

The first sentence of Article 16 concerns the right to rectify inaccurate data. The GDPR does not provide a more detailed definition of what constitutes inaccuracy. In everyday language, terms such as "inaccurate", "incorrect", "wrong", or "inexact" are often used interchangeably to refer to something that is not correct.^[5] This means that the personal data being processed by the controller does not reflect reality, such as an incorrect date of birth or an outdated address. Additionally, legal classifications, like describing someone as "single" when they are actually in a registered partnership, also fall under the scope of inaccuracy.^[6]

Correspondingly, in principle, it is not possible to rectify personal data in form of value judgement ("Data subject A is attractive"). While value judgments may constitute personal data (being "attractive"), they cannot be deemed objectively right or wrong since different views and interpretations are possible.^[7] However, in certain cases, it can be difficult to determine whether a statement falls under the category of a factual assertion or a value judgment. This is especially true when a value judgment is based on factual assumptions or contains factual elements ("Data subject B is creditworthy"). In such borderline cases, it may be challenging to apply the right to rectification or to determine its boundaries. However, this does not mean that individuals cannot defend themselves against these types of value judgments.

Firstly, it is always possible to change the value judgement by rectifying the facts on which it is based - these elements can certainly be amended.^[8]

Example: XXX

Secondly, it may be even feasible to rectify the value judgment itself, when the underlying facts and/or the decision-making process are objectively wrong.

Case-law: In C-434/16, Peter Nowak, the CJEU clarifies that there might be situations where the [...] the examiner’s comments [i.e., value judgments] with respect to those answers prove to be inaccurate, within the meaning of Article 6(1)(d) of Directive 95/46, for example due to the fact that, by mistake, the examination scripts were mixed up in such a way that the answers of another candidate were ascribed to the candidate concerned, or that some of the cover sheets containing the answers of that candidate are lost, so that those answers are incomplete, or that any comments made by an examiner do not accurately record the examiner’s evaluation of the answers of the candidate concerned.^[9] Example: XXX

Finally, to delete the value judgment based on inaccurate information, as per Article 17(1)(c) GDPR, where it does not serve the purpose for which it is processed.^[10]

Example: Credit rating, purpose is safeguarding orderly trade, letting creditworthy people accessing the market and conclude contracts. A wrong rating , objectively wrong does not do so, and should be deleted under 17.1.a for instance

According to a first interpretation, minor inaccuracies that do not have any relevance or impact on data processing are generally irrelevant. These could be grammatical or orthographic errors, such as a misspelled street name or a missing "h" in the name "Katharina," or an umlaut written out in the internal databases. However, if such inaccuracies could cause confusion or consequential errors, they are no longer considered insignificant.^[11] Another interpretation suggests that the responsibility for determining which data should be corrected and which errors can be deemed acceptable primarily rests with the data subject. Mistakes related to the spelling of the name cannot be considered insignificant because they impact the primary identifier of the data subject in the realm of automated data processing, which can lead to confusion and subsequent errors.^[12] The case-law reflects both views.

Case-law: The Norwegian Privacy Appeals Board (Personvernrådet) unanimously overturned the Norwegian DPA’s (Datatilsynet) decision and held that a name which contained an incorrect uppercase letter did not constitute incorrect personal data which needs to be rectified based on Article 16 GDPR.^[13] However, the Court of Appeal of Brussels held just the opposite in a similar case: data subjects have the right under Article 16 GDPR for their name to be spelled correctly when processed by a bank's computer systems.^[14]

It is irrelevant why the data is incorrect, for example whether the data subject himself or herself originally provided incorrect information or whether the person responsible is the author of the inaccuracy. If the data is inaccurate, it must be rectified.

Case-law: The Hessian DPA (HBDI) held that a data subject has a right to rectification under Article 16 GDPR, even if he or she purposefully provided incorrect information during the account creation in order to circumvent age restrictions.^[15]

Completion of incomplete data

Article 16 gives data subjects the right to have incomplete personal data completed. The GDPR does not define "incompleteness." Whether data is incomplete depends on the purpose of processing, "taking into account the purposes of the processing".^[16] In this sense, personal data are incomplete if they are correct in their own right, but give an inaccurate picture of the data subject with regard to the purpose of processing, which can be corrected by adding further data.

Example: If the purpose is the assessment of a trader's reliability, information about non-payment of taxes is considered incomplete if there are pending tax court proceedings with no available information. In terms of creditworthiness, information about a refusal to pay is incomplete without clarification that the reason for the refusal was due to an incorrect delivery of goods.^[17]

This also suggests that the right to rectification requires controllers to rectify personal data only when the missing elements are relevant for the purposes of the processing.

Example: A controller running a parcel delivery service lacks some important address information so that parcels cannot be delivered. The data subject has a right to have their address data completed so that the purpose of the data processing can be fulfilled.

The GDPR explicitly states that the right to complete incomplete personal data can be fulfilled through a supplementary statement. This means that the data subject is not confined to the limited data fields provided by the controller when exercising this right. Supplementary explanations provided by the data subject must be taken into account if they are necessary to accurately and unambiguously contextualize the personal information. In this respect, the act of completing personal data can be executed by providing a supplementary statement.^[18]

Example: e.g. mentioning the data subject's acquittal and the discontinuation of criminal proceedings).

Decisions

→ You can find all related decisions in Category:Article 16 GDPR

References

↑ Meents, Hinzpeter in Taeger, Gabel, DSGVO – BDSG, Article 16 GDPR, margin number 2 (Deutscher Fachverlag, 4th Edition).
↑ In this respect, the right of rectification represents another angle of the right to a correct representation of the facts concerning the individual. Belisario, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 16 GDPR, p. 176 (Wolters Kluwer 2018). Along with the rights to erasure, restriction, and objection, rectification can be considered a second-stage of the exercise of rights, in which control of personal data is effectively exerted (the first stage being access to the processing through Article 15 GDPR. See, Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).
↑ Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 18 (C.H. Beck 2018, 2nd Edition).
↑ For further information, please refer to Article 18 GDPR.
↑ Only facts can be true or false, hence accurate or inaccurate. Therefore, the right to rectification does not cover value judgements.
↑ Haidinger, in Knyrim, DatKomm, Article 16 GDPR, margin number 22 (Manz 2021).
↑ The determining factor for identifying a fact is whether it can be verified by evidence. Value judgments are only considered abusive criticism if they go beyond acceptable boundaries.
↑ Meents, Hinzpeter in Taeger, Gabel, DSGVO – BDSG, Article 16 GDPR, margin number 8 (Deutscher Fachverlag, 4th Edition).
↑ CJEU, Case C-434/16, Nowak, 20 December 2017, margin number 55 (available here).
↑ Reif, in Gola, DS-GVO, Article 16 GDPR, margin number 10-11 (C.H. Beck 2018).
↑ Haidinger, in Knyrim, DatKomm, Article 16 GDPR, margin number 22 (Manz 2021).
↑ Reif, in Gola, DS-GVO, Article 16 GDPR, margin number 15 (C.H. Beck 2018).
↑ Datatilsynet - 20/01868 (PVN-2020-15) (Available here).
↑ Court of Appeal of Brussels - 2019/AR/1006 (available here).
↑ HBDI (Hesse) - 62334 (available here).
↑ Therefore, the concept of completeness should be understood in relative terms as data sets are never complete. See, Worms, in Wolff, Brink, BeckOK Datenschutzrecht, Article 16 GDPR, margin number 58 (C.H. Beck 2020, 38th Edition).
↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 16 GDPR, margin number 27 (Beck 2020, 3rd ed.)
↑ de Terwangne, Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 16 GDPR, p. 473 (Oxford University Press 2020).

[1] Meents, Hinzpeter in Taeger, Gabel, DSGVO – BDSG, Article 16 GDPR, margin number 2 (Deutscher Fachverlag, 4th Edition).

[2] In this respect, the right of rectification represents another angle of the right to a correct representation of the facts concerning the individual. Belisario, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 16 GDPR, p. 176 (Wolters Kluwer 2018). Along with the rights to erasure, restriction, and objection, rectification can be considered a second-stage of the exercise of rights, in which control of personal data is effectively exerted (the first stage being access to the processing through Article 15 GDPR. See, Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).

[3] Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 18 (C.H. Beck 2018, 2nd Edition).

[4] For further information, please refer to Article 18 GDPR.

[5] Only facts can be true or false, hence accurate or inaccurate. Therefore, the right to rectification does not cover value judgements.

[6] Haidinger, in Knyrim, DatKomm, Article 16 GDPR, margin number 22 (Manz 2021).

[7] The determining factor for identifying a fact is whether it can be verified by evidence. Value judgments are only considered abusive criticism if they go beyond acceptable boundaries.

[8] Meents, Hinzpeter in Taeger, Gabel, DSGVO – BDSG, Article 16 GDPR, margin number 8 (Deutscher Fachverlag, 4th Edition).

[9] CJEU, Case C-434/16, Nowak, 20 December 2017, margin number 55 (available here).

[10] Reif, in Gola, DS-GVO, Article 16 GDPR, margin number 10-11 (C.H. Beck 2018).

[11] Haidinger, in Knyrim, DatKomm, Article 16 GDPR, margin number 22 (Manz 2021).

[12] Reif, in Gola, DS-GVO, Article 16 GDPR, margin number 15 (C.H. Beck 2018).

[13] Datatilsynet - 20/01868 (PVN-2020-15) (Available here).

[14] Court of Appeal of Brussels - 2019/AR/1006 (available here).

[15] HBDI (Hesse) - 62334 (available here).

[16] Therefore, the concept of completeness should be understood in relative terms as data sets are never complete. See, Worms, in Wolff, Brink, BeckOK Datenschutzrecht, Article 16 GDPR, margin number 58 (C.H. Beck 2020, 38th Edition).

[17] Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 16 GDPR, margin number 27 (Beck 2020, 3rd ed.)

[18] de Terwangne, Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 16 GDPR, p. 473 (Oxford University Press 2020).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

@@ Line 193: / Line 193: @@
 ==Commentary==
 The processing of incorrect or incomplete data can lead to possibly severe disadvantages for the data subject reducing the risk of exclusion, discrimination, or defamation.<ref>''Meents, Hinzpeter'' in Taeger, Gabel, DSGVO – BDSG, Article 16 GDPR, margin number 2 (Deutscher Fachverlag, 4th Edition).</ref> For example, the use of incorrect data can lead to the rejection of a required loan, causing the applicant to be cut off from essential services. The publication of a news which does not provide a complete information may be misleading and damage the data subject reputation. The provision, titled "Right to rectification", addresses this issue and introduces two distinct rights. The first is the right to rectify inaccurate data, the second is the right to complete incomplete data. Despite the differences between the two, the common factor is the individual's right to avoid a false representation of themselves within a given society.<ref>In this respect, the right of rectification represents another angle of the right to a correct representation of the facts concerning the individual. ''Belisario'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 16 GDPR, p. 176 (Wolters Kluwer 2018). Along with the rights to erasure, restriction, and objection, rectification can be considered a second-stage of the exercise of rights, in which control of personal data is effectively exerted (the first stage being access to the processing through Article 15 GDPR. See, ''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 16 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition). </ref>
+The right to rectification is also explicitly named as a fundamental right in Article 8(2) CFR. It is therefore important that it is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR.
 ===Right to Rectification===
 The provision, contained in a single paragraph, provides for two distinct rights: the right to rectify inaccurate data and the right to complete incomplete data.