Ireland’s Data Protection Commission (DPC) in a blog post on its website examined complaints into the right to rectification within Article 16 of the General Data Protection Regulation (GDPR). Whilst the blog post is for guidance purposes only, it does offer some insight into the thought process within the DPC.
The legal framework
According to Article 16 of the GDPR individuals have a right to have their personal data rectified, if it is inaccurate or incomplete. Where a data subject has requested the rectification of his/her personal data, the controller must inform recipients to whom that data have been disclosed, unless this proves impossible or involves a disproportionate effort. The controller must also inform the data subject about the recipients to whom the data has been disclosed if he/she requests it (Article 19).
A controller must provide information on action taken on a request for rectification to the data subject without undue delay, and at least within one calendar month of receipt of the request. This period may be extended by two further months where requests are numerous or complex (Article 12(3)).
The DPC guidance
The blog post from the DPC relates to a compliant that it received from a data subject, who alleged that the Health Service Executive (HSE) was in breach of the GDPR when a hospital, where he was being treated, told him that its IT system did not recognise fadas. A fada (´) is a diacritical mark. Fadas are an integral component of the Irish language and necessary to properly spell Irish names.
After examining the issue, the DPC found that an individual’s right to have their records rectified “is not an absolute right” and depends “on the circumstances in each individual case”. In essence, the DPC found that the right to rectification is not an absolute right under data protection law.
The blog post by the DPC seeks to provide more information in relation to others who may also seek to invoke Article 16 of the GDPR. Despite the right provided in Article 16, the post from the DPC indicates that it will consider rectification based on merits of a complaint on a case-by-case basis. Those merits will include consideration of Article 5(1)(d), which requires data controllers to take all reasonable steps to ensure the accuracy of personal data. The DPC will take into account the circumstances of the case, the nature of the personal data, and the purposes for which they are processed when considering rectification.
In summary, there tends to be a common misconception that the rights of data subjects under GDPR are absolute, and under no circumstances can those rights be lost. While it is true that data subjects have enhanced rights under the GDPR, in certain situations those rights cannot be granted. For example, the guidance from the DPC makes it clear that the rights of data subjects to have their names spelt correctly is not an absolute right. This is reassuring for organisations who have to contend with fulfilling the rights of data subjects. Organisations that have good reasons for pushing back on rectification requests by data subjects should not fear that they will automatically face fines if they do not comply. However, these reasons should be well-founded and well-documented, with the organisation’s DPO centrally involved in the decision-making process.
Trilateral is on hand to help organisations who are grappling with how the right to rectification and other data subject rights might impact the way they work. For more information please refer to our serivce pages or contact our Data Governance team.