Skip to content
Rights & Requests calendar_today Updated: 11 April 2026 schedule 4 min read

Right to Rectification: Correcting Personal Data

A customer or employee says their data is wrong and wants it fixed. This article explains step by step how to handle a rectification request under the GDPR, from verifying the correction to informing recipients.

summarize Key Takeaways
  • check_circle You have one month to respond to a rectification request
  • check_circle Always verify the requester's identity before making changes
  • check_circle After correcting data, you must inform all recipients who received the incorrect data
  • check_circle Rectification includes both correcting inaccurate data and completing incomplete data

What is a rectification request?

Under Article 16 of the GDPR, every person has the right to have inaccurate personal data corrected without undue delay. They also have the right to have incomplete data completed.

In practice, this often looks simple: “My last name is spelled wrong in your system” or “You still have my old address.” But handling it properly requires a clear process.

Step 1: Register the request

As soon as the request comes in, note down:

  • Who is making the request
  • When you received it (the one-month deadline starts now)
  • Through which channel it came in
  • What data they say is incorrect
  • What the correct data should be
description

Template: Rectification Confirmation

Use this template to confirm receipt of the rectification request and communicate the correction to the data subject.

View the template arrow_forward

Step 2: Verify the identity

Before changing any data, make sure the request comes from the right person. If someone impersonates a customer and changes their email address, that is a data breach.

How to verify:

  • If the person has an account: have them confirm through that account
  • If you know the person (e.g. an employee): confirmation via the known email address is sufficient
  • For unknown persons: ask for a copy of an ID document with the national ID number and photo redacted

Step 3: Verify the correction is accurate

This step is often overlooked. Before making the change, check that the new data is actually correct.

Practical examples:

  • For an address change, you could ask for a recent utility bill or official document
  • For a name change (e.g. after marriage), a marriage certificate or updated ID is reasonable
  • For a simple typo, the context usually makes it obvious

You do not need to demand proof for every minor correction. Keep it proportionate. A typo in a first name does not need the same level of evidence as changing an entire identity record.

Step 4: Make the correction

Update the data in all systems where the incorrect data is stored:

  • CRM system - customer records, notes
  • Email marketing - mailing lists, contact details
  • Accounting - invoices, payment records
  • HR system - if it concerns an employee
  • Website - account profiles, form data
  • Paper files - contracts, printed correspondence

Be thorough. If you correct data in your CRM but forget the mailing list, you are still processing inaccurate data.

Step 5: Inform recipients (Article 19)

This is the step most organisations miss. Under Article 19, you must notify every recipient to whom you disclosed the incorrect data, unless this proves impossible or involves disproportionate effort.

Think about:

  • Partners or processors who received the data
  • Third parties you shared it with (e.g. a delivery service with the wrong address)
  • Other group companies that have a copy

You must also inform the data subject about these recipients if they ask.

Step 6: Respond to the data subject

Send a clear response within one month:

  • Confirm which data was corrected
  • Explain what you changed and in which systems
  • Mention that recipients have been informed (or explain why not)

Common scenarios

ScenarioWhat to do
Typo in nameCorrect in all systems, usually no proof needed
Outdated addressAsk for confirmation of new address, update everywhere
Wrong email addressVerify via the correct email, update all lists
Incomplete dataAdd the missing information (e.g. missing middle name)
Name change after marriageReasonable to ask for supporting document
Disputed factual dataAssess the evidence, consider restriction while investigating

What if the data came from a third party?

If you did not collect the data yourself but received it from another source, you still need to correct it. You should also inform the source about the inaccuracy so they can correct their own records.

If you cannot verify the accuracy of the new data because you rely on the original source, explain this to the data subject and consider restricting processing of the disputed data until it is resolved.

Frequently asked questions

Can I refuse a rectification request?

Only if you can demonstrate the data is actually correct. For example, if a customer claims their date of birth is wrong but your records match their original ID verification, you may refuse. Always document your reasoning and inform the requester of their right to complain to the supervisory authority.

What if I disagree with the correction?

If the accuracy of the data is in dispute, the data subject can request restriction of processing while you investigate. Assess the evidence fairly. If you still refuse after investigation, explain why in writing.

Do I need to correct data in backups?

You do not need to alter every historical backup retroactively. However, you should ensure that if a backup is restored, the corrected data overwrites the inaccurate version. Document your approach to backup corrections in your data processing procedures.

auto_awesome Be prepared for rectification requests

GDPRWise helps you track data subject requests and ensures you respond correctly within the legal deadline.

GW
GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.