Lexicon > Right to rectification

IT Glossary

Right to rectification

The right to rectification of personal data is one of the seven rights that data subjects have over their personal data enshrined in the GDPR, namely:

Under the right to rectification, the data subject has the right to obtain from the data controller, as soon as possible, the rectification of personal data concerning him/her that are inaccurate.

In view of the purposes of the processing of his or her personal data, the data subject has the right to have his or her incomplete data completed, including by providing a supplementary declaration where necessary.

In any case, the processing of personal data that are not complete, accurate or updated is unlawful. The data controller is then obliged, in view of the purposes for which the data are processed, to erase or rectify them without delay.

Beyond the obligation to which the data controller is subject to process only accurate data and to respond to requests by data subjects to exercise their right of rectification, the processing of incomplete or inaccurate data is counterproductive and will not enable the controller to achieve the original purpose of the processing for which the data were collected.

The data controller must also notify each potential recipient of the personal data of their rectification unless such information proves impossible or requires disproportionate efforts.

The right to rectification may, however, be subject to limitations with regard to processing for literary, artistic and journalistic purposes.


Provision should be made to facilitate the exercise by the data subject of his or her rights under this Regulation, including the means of requesting and, where appropriate, obtaining free of charge, inter alia, access to and rectification or erasure of personal data and the exercise of a right of objection. The controller should also provide the means to make requests electronically, especially where personal data are processed electronically. The controller should be obliged to respond to requests from the data subject as soon as possible and at the latest within one month and to give reasons for not responding to such requests.

Recital 59 of the GDPR

Point of jurisprudence

The CNIL was able to sanction a company on the grounds that ”
that despite the various steps taken by the complainant and the CNIL, the company had not complied by the deadline set

CNIL, September 15, 2021, N°SAN-2021-014

The Bouchara firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.