Section 3
Rectification and erasure
Author: Alexander Dix
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
A. Preliminary remarks
It is one of the principles for the processing of personal data that they are accurate and up to date. Controllers therefore must take appropriate measures at their own initiative to rectify inaccurate personal data (Art. 5 para. 1 lit. d). The Union legislator has deliberately strengthened this obligation (Recital 11).[1] Thus the fact is accommodated that the individual’s life chances in an era of growing automation increasingly depend on the accuracy of the data processed.[2] Conversely the processing of inaccurate data (e.g., by spreading misinformation online through “deep fake” technology[3]) may lead to the social exclusion, discrimination, defamation and ultimately to the data subject’s “social death”.[4]
However, often the controller does not dispose of all the information needed to ascertain the accuracy of the data processed. Furthermore, the data subject should have the possibility to enforce rectification. Therefore Art. 16 complements the principle of accuracy in Art. 5 para. 1 lit. d, which obliges the controller to correct inaccurate data irrespective of a request and enables the data subject to become himself an agent in the processing of his data. He may request a rectification (Art. 16, 1st sentence) as well as an addendum to incomplete data (Art. 16, 2nd sentence). These rights of intervention and control are at the same time conditions for and elements of the fundamental right to data protection.[5] This is not limited to procedural rights to information about which data are stored and used. The further reaching rights to control under Arts. 16–22 may not in themselves solve the structural problems of modern data protection law[6] but they complement the necessary procedural requirements for the exercise of a fundamental right as one of the “ex post empowerment measures”[7] in Arts. 16–22 after processing has started (as opposed to the ex ante empowerment measures such as consent under Art. 6 para. 1 lit. a and Art 7).[8] They are essential elements of self-data protection in the system of the Regulation (→ Art. 15 mn. 1).[9] The right to rectification alongside with the right of access therefore is expressly guaranteed in Art. 8 para. 2 of the Charter of Fundamental Rights. The Directive (EU) 2016/680 provides for an equivalent right to rectification which the Member States must implement (Art. 16 para. 1).
B. Legislative History
Art. 16 which mirrors Art. 12 lit. b of Directive 95/46 was part of the original Commission proposal and underwent only minor changes in the legislative process. The word “without undue delay” was inserted by the Council. It was the Council again who had proposed the specification of the term “inaccurate” in Art. 5 para. 1 lit. d (“having regard to the purposes for which they are processed”). This was however not inserted in Art. 16, 1st sentence, but only in the second sentence of this provision. Other changes only referred to the drafting of Art. 16. The European Data Protection Supervisor had proposed to add a right to restrict the data processing where the accuracy had been disputed; this was later integrated in Art. 18 lit. a.
The right to have the data amended has two elements. The data subject is entitled to request the correction of inaccurate data as well as the completion of incomplete data. Instead, the data subject may request the deletion of inaccurate data under Art. 17 para. 2 lit. d[10] if rectification or completion makes no sense or is impossible. Any correction may – depending on the method – include a partial deletion of data. Is the controller processing inaccurate data which – even after correcting them – he would not be allowed to process under Art. 5 para. 1 lit a he is obliged to delete them without request. The principle of lawfulness takes priority over the principle of accuracy.[11] The right to rectification must be read in conjunction with the controller’s obligation to communicate any amendment to each recipient to whom the personal data have been disclosed (→ Art. 19). This strengthens the data subject’s position who is not required to “chase” incorrect data and place multiple requests for correction with subsequent recipients.[12]
I. Right to correction (Art. 16, 1st sentence)
Data within the meaning of Art. 16 is any factual information referring to the data subject (Art. 4 No. 1). This includes genetic as well as biometric (Art. 4 No. 13, 14) and health data (Art. 4 No. 15). They do not have to be stored; it suffices that they are processed within the meaning of Art. 4 No. 2.
[…]
[1]The German text of the Regulation in this context uses more explicitly the term “Verschärfung”.
[2]Cf. Mallmann in Simitis, BDSG, § 20 mn. 9.
[3]For practical examples and possible technological and legal counter-measures under US law cf. Chesney/Citron, California Law Review 107 (2019), 1753.
[4]Cf. Chen, EDPL 2018, 36, 39.
[5]Cf. Dix in Simitis, BDSG, § 35 mn. 2.
[6]Cf. Worms in BeckOK DatenschutzR, DSGVO, Art. 16 mn. 2.
[7]Ausloos/Dewitte, IDPL 2018, 4, 22.
[8]Bundesverfassungsgericht BVerfGE 65, 1, 46 explicitly mentioning the duty to delete under German constitutional law.
[9]Cf. Roßnagel, Handbuch Datenschutzrecht Kap. 3.4, mn. 74 et seq.
[10]Cf. Art. 5 para. 1 lit. d; Recital 65.
[11]If however the data subject requests access to the data unlawfully processed then access must be granted. It would violate Art 5 para. 1 lit. a (transparency) and Art. 15 if the controller would delete the data instead of granting access.
[12]De Terwangne, ‘Art. 16’, in Kuner/Bygrave/Docksey, C.