Right to Correct
What does right to correct mean?
The right to correct, also known as the Right to Rectification, refers to an individual’s ability to request that inaccurate, incomplete, or outdated personal data held by an organization be corrected. This right is commonly granted under global data privacy laws like the GDPR, CPRA, and others, empowering individuals to maintain control over the accuracy of their personal information.
How does the right to correct work?
When a user identifies that their data is incorrect or incomplete, they can submit a request to the organization holding the data. The organization must then assess the claim, validate it if necessary, and make the appropriate corrections without undue delay. Some laws may require the organization to notify any third parties with whom the data was shared.
Accurate data is essential for fair decision-making, especially when data influences things like credit scoring, healthcare access, employment, or legal outcomes. The right to correct helps individuals protect themselves from the harmful consequences of incorrect personal data and fosters trust in data-handling organizations.
FAQs about right to correct
The GDPR (EU), CPRA (California), VCDPA (Virginia), and several other laws grant individuals the right to correct their personal data. The terminology may vary (e.g., "rectification" in the GDPR), but the core concept remains the same.
Under the GDPR, organizations typically have one month to respond. U.S. state laws like the CPRA also have defined timeframes, often 45 days, with possible extensions in certain situations.
Yes, if the business can demonstrate that the data is accurate or if the correction request is unfounded or excessive. However, they must clearly explain the reason for denial and inform the individual of their options, such as lodging a complaint with the supervisory authority.
This right generally applies to factual inaccuracies (e.g., name, address, account number). It does not usually apply to subjective opinions or legal records unless the factual basis behind them is incorrect.
Under the GDPR, yes, businesses must notify third parties who received the incorrect data, unless it proves impossible or requires disproportionate effort. Similar requirements may exist under other laws.