
Post: 9 GDPR Right to Rectification Rules Every HR Team Must Follow in 2026
GDPR Article 16 gives employees the right to have inaccurate personal data corrected without undue delay, and Article 12(3) sets the deadline for responding at one month from receipt. HR teams that treat rectification as a single-record fix rather than a documented, end-to-end process are non-compliant. These 9 rules close every gap from intake to audit trail.
Rectification sits at the intersection of your HRIS data validation practices, your employee record accuracy obligations, and your day-to-day HR operations. Getting it wrong compounds every automated decision that follows — payroll errors, benefits mismatches, access control failures. Before building your workflow, review what a broken HR operation costs when data quality problems go unaddressed.
The table below maps each rule to the compliance gap it closes and the deadline pressure it addresses.
| Rule | Compliance Gap Closed | Deadline Pressure |
|---|---|---|
| 1. Single accessible intake channel | Clock starts at receipt, not processing | Day 0 |
| 2. Same-day DSR registration | Audit evidence gap | Day 0 |
| 3. Identity verification before action | Unauthorized correction = data breach | Day 1–3 |
| 4. Documented validity assessment | Disputed opinions ≠ factual errors | Day 3–7 |
| 5. Cross-system propagation | Partial correction = partial compliance | Day 7–20 |
| 6. Third-party processor instructions | Vendor chain liability | Day 7–20 |
| 7. Internal Day 25 deadline | Buffer for verification and approvals | Day 25 |
| 8. Written response to employee | Confirms action or documents refusal | One-month statutory deadline (Day 25 internal) |
| 9. Complete DSR register entry | Supervisory authority audit readiness | Day 30 |
Rule 1: Build a Single, Named Intake Channel
Employees cannot exercise a right they cannot find. Your rectification request channel must be documented, promoted, and consistently monitored. Create one named intake point — a dedicated email address, a form in your HR portal, or a formal section within your employee self-service system. Publicize it in your employee privacy notice, onboarding materials, and internal HR policies.
Every employee must be able to answer “How do I ask HR to correct my data?” without searching. Multiple informal channels — a manager’s inbox, a Slack message, a verbal request — create audit gaps and miss the clock start.
At intake, collect: the employee's name and ID, the specific data they believe is inaccurate, the correct data they are requesting, and any supporting documentation. Send an acknowledgment confirming receipt and stating the expected response date. Under Article 12(3) the clock starts from receipt of the request, not from when you begin processing it.
For teams managing a high volume of HR requests, a structured minimum viable HR process framework helps set the intake standards that make this rule sustainable at scale.
Rule 2: Register Every Request in Your DSR Log on Day 0
A Data Subject Request register is your audit evidence. Without it, you cannot demonstrate compliance to a supervisory authority — and “we corrected it” without a log entry is not a defense.
Log every incoming rectification request the same day it arrives. Each entry must capture: the date received, the employee’s identity, the data category affected, the action taken, the date of completion, and the outcome communicated to the employee. This register is not optional documentation — it is the spine of your entire GDPR rectification compliance posture.
If your HR team lacks a DSR register, building one is the first priority before any other step in this list. A spreadsheet works. An HRIS module works better. What does not work is relying on email threads as your record.
Rule 3: Verify Identity Before You Touch Any Record
Acting on a rectification request from an unverified party is itself a data breach: Article 4(12) defines a personal data breach to include unauthorised alteration of personal data, and a correction made at a stranger's request is exactly that. Before making any correction, confirm the requestor is who they claim to be. Article 12(6) permits you to request additional information where you have reasonable doubts about identity. This step protects the employee whose data you hold.
For current employees, identity verification is straightforward: accept the request only through an authenticated channel (the HR portal login, or a work mailbox behind your single sign-on) and cross-reference the employee ID against the record being changed. For former employees submitting post-termination requests, whose work accounts no longer exist, require additional verification: a government-issued ID, or a confirmation sent to a personal email or postal address that was already on file before the request arrived. Do not treat knowledge of an employee ID alone as proof of identity; it appears on payslips and badges and is not a secret.
Document the verification step in your DSR register. Note what was verified and how. If identity cannot be confirmed, do not process the request. Tell the requestor in writing exactly what documentation is needed. Regulators differ on the timing effect: the ICO, for example, treats the one month as running from the day you receive the information needed to confirm identity. Do not build your workflow on that assumption. Log the date you asked for the information and the date it arrived, so that a documented hold with a clear resolution path is defensible either way.
Rule 4: Assess Validity Before Correcting — Three Categories Require Different Responses
Not every request results in a correction. HR must make a documented determination about whether the data is factually inaccurate, outdated, or simply disputed on subjective grounds. These three categories demand different responses:
Factual Error
The data was always wrong: a transposed digit in a bank account number, a misspelled name, an incorrect date of birth. Correct it. Document the source of the error. This is the David scenario: a transcription error in payroll data produced a $130K annual salary record that should have read $103K, a $27K annual overpayment that went undetected until the employee quit. Factual errors in HR records are not low-stakes.
Changed Circumstance
The data was accurate when collected but is now outdated — an old home address, a changed bank account, a name change following marriage. Correct it. Note the effective date of the change and update all downstream systems, not just the primary HRIS record.
Disputed Opinion or Judgment
The employee disputes a performance rating, a manager's documented assessment, or a disciplinary record that reflects accurately documented events. This is not a factual error. The correct resolution is to attach a supplementary statement from the employee to the record, not to alter the original data; Article 16 itself names the supplementary statement as the mechanism for completing a record. Communicate this clearly in writing. Altering accurate subjective records under rectification pressure creates a different compliance and legal exposure.
Expert Take
The most common rectification mistake HR teams make is conflating “the employee disagrees with it” with “the data is inaccurate.” A performance rating is not a fact — it is a judgment. GDPR Article 16 applies to inaccurate personal data, not to personnel decisions an employee finds unfair. The supplementary statement route exists precisely to protect both the employee’s right and the organization’s documented record. Use it. Communicate clearly why you are using it. Document everything.
Rule 5: Correct the Data Across Every System That Holds It
This is the most commonly incomplete step in HR rectification workflows. Correcting the HRIS record and closing the ticket is the beginning of compliance, not the end of it.
Pull your data map. For every system that holds a copy of the data being corrected, execute the correction. This typically includes:
- Core HRIS (source of record)
- Payroll system
- Benefits administration platform
- Applicant tracking system (if pre-hire records are retained)
- Learning management system
- Access control or identity management systems
- Any third-party processors named in your vendor contracts
If you do not have a complete data map, build one before your next DSR arrives. The data map is a prerequisite, not an optional enhancement. HR teams that have run an OpsMap™ audit before automating HR processes report that this step — mapping every system holding employee data — is the single most revealing exercise in their compliance review. You cannot correct what you cannot find.
Rule 6: Issue Formal Written Instructions to Every Third-Party Processor
Your GDPR obligations do not stop at your own systems. If a third-party processor — a benefits carrier, a background check vendor, a payroll bureau — holds the inaccurate data, you are responsible for ensuring they correct it within a timeframe that allows you to meet your one-month deadline.
Issue correction instructions in writing. Log the date you issued the instruction and the date you received confirmation of correction. If a processor cannot confirm correction within your internal Day 25 deadline, escalate immediately — you may need to respond to the employee before processor confirmation is received, with a follow-up once it is.
Review your data processing agreements. Article 28(3)(e) already requires the contract to oblige the processor to assist you in responding to data subject requests; check that yours also specifies a response time short enough to fit inside your internal Day 25 deadline. If current contracts lack such a clause, flag them for your DPO or legal counsel. A processor that cannot correct data on instruction is a compliance liability, not just an operational inconvenience.
Rule 7: Set an Internal Day 25 Deadline — Not Day 30
One month sounds generous until you account for identity verification, system access, manager approvals, processor response times, and employee notification drafting. HR teams that target Day 30 routinely miss it. HR teams that target Day 25 have a buffer for the inevitable delay.
Build your internal workflow backward from Day 25: intake and logging by Day 0, identity verification complete by Day 3, validity assessment documented by Day 7, cross-system corrections initiated by Day 10, processor instructions issued by Day 12, all corrections confirmed by Day 22, employee response drafted by Day 24, sent by Day 25.
This sequencing applies to a standard rectification request. Complex requests, involving multiple data categories across many systems or requiring legal review of disputed records, may qualify for the extension in Article 12(3), which adds up to two further months. The extension and the reasons for it must be communicated to the employee within the original one-month window.
Rule 8: Communicate the Outcome to the Employee in Writing
Every rectification request, whether granted or refused, requires a written response to the employee within one month of receipt. This is not a courtesy: Article 12(3) sets the deadline, and Article 12(4) requires that a refusal state the reasons and the employee's right to complain and to seek a judicial remedy.
For granted requests: confirm what data was corrected, in which systems, and on what date. If corrections to third-party processors are still pending, state this and provide a completion timeline.
For refused requests: document your reasoning thoroughly. A refusal without explanation is not defensible. State the legal basis for refusal and inform the employee of their right to lodge a complaint with the relevant supervisory authority and their right to seek judicial remedy. Use templated language reviewed by your DPO or legal counsel for refusals — improvised refusal language creates exposure.
For partial grants — where some data is corrected and a supplementary statement is attached for disputed subjective records — explain both outcomes clearly in the same communication. Employees who understand why their performance rating was not altered but their address was corrected are far less likely to escalate to a regulator.
Expert Take
Written responses are where most HR teams under-invest. They correct the data correctly, propagate it correctly, meet the deadline — and then send a one-line email saying “done.” That email is your compliance artifact. It needs to confirm what was corrected, where, and when. It needs to acknowledge any pending processor confirmations. And for refusals, it needs to be thorough enough to stand up to a supervisory authority review. Build a response template library. It takes one afternoon and it protects every future request.
Rule 9: Close the DSR Register Entry With Complete Documentation
A DSR register entry is only complete when it contains the full lifecycle of the request: intake date, identity verification method, validity determination, systems corrected, processor instructions issued and confirmed, employee response date and content, and final outcome. An open or partial entry is an audit risk.
Before closing any rectification request, confirm:
- All in-scope systems show the corrected data
- All third-party processors have confirmed correction in writing
- The employee has received a written response
- The register entry is complete and signed off by the designated owner
Retain the complete DSR register entry for a minimum period consistent with your data retention policy and local legal requirements. In most EU jurisdictions, three years from the date of the request is a defensible minimum for litigation and regulatory purposes. Your DPO should set the specific retention period in your records management policy.
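The rules above describe the register entry, the deadline arithmetic and the closing checklist in prose. The following is an added example, not code from the original post or from any HRIS vendor: a minimal register entry that computes the statutory deadline (including the month-end edge case and a validated Article 12(3) extension), derives the Rule 7 internal schedule from the receipt date, gates record alteration on Rules 3 and 4, and turns the Rule 9 checklist into a function that lists what is still outstanding. Field names, the system labels and the milestone offsets are this example's own assumptions.

```python
"""DSR register entry for a GDPR Article 16 rectification request (added example)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Determination(Enum):
    PENDING = "pending"
    FACTUAL_ERROR = "factual_error"                 # correct the record
    CHANGED_CIRCUMSTANCE = "changed_circumstance"   # correct, note effective date
    DISPUTED_OPINION = "disputed_opinion"           # supplementary statement only


def add_months(start: date, months: int) -> date:
    """End of a period expressed in months: the same calendar day of the target
    month, or that month's last day if the day does not exist (31 Jan -> 28/29 Feb).
    Rolling a weekend or public holiday forward to the next working day is
    jurisdiction-specific and deliberately not done here."""
    years, month0 = divmod(start.month - 1 + months, 12)
    year, month = start.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


# Rule 7 schedule as day offsets from receipt (Day 0). Assumed values from the text.
MILESTONES = {
    "logged": 0, "identity_verified": 3, "validity_assessed": 7,
    "corrections_initiated": 10, "processors_instructed": 12,
    "corrections_confirmed": 22, "response_drafted": 24, "response_sent": 25,
}


@dataclass
class RectificationEntry:
    request_id: str
    received: date
    employee_id: str
    systems_in_scope: set[str]                       # from the data map (Rule 5)
    processors_in_scope: set[str] = field(default_factory=set)   # Rule 6
    identity_verified_on: date | None = None
    verification_method: str = ""
    determination: Determination = Determination.PENDING
    systems_confirmed: dict[str, date] = field(default_factory=dict)
    processors_confirmed: dict[str, date] = field(default_factory=dict)
    extension_months: int = 0                        # 0, 1 or 2 further months
    extension_notified_on: date | None = None
    response_sent_on: date | None = None
    signed_off_by: str = ""

    def original_deadline(self) -> date:
        return add_months(self.received, 1)

    def extension_is_valid(self) -> bool:
        """Art 12(3): at most two further months, notified within the first month."""
        return (0 < self.extension_months <= 2
                and self.extension_notified_on is not None
                and self.extension_notified_on <= self.original_deadline())

    def statutory_deadline(self) -> date:
        extra = self.extension_months if self.extension_is_valid() else 0
        return add_months(self.received, 1 + extra)

    def internal_deadline(self) -> date:
        return self.received + timedelta(days=MILESTONES["response_sent"])

    def schedule(self) -> dict[str, date]:
        return {k: self.received + timedelta(days=v) for k, v in MILESTONES.items()}

    def may_alter_record(self) -> bool:
        """Rules 3 and 4: only a verified request in a factual category changes
        data. A disputed opinion gets a supplementary statement, never an edit."""
        return self.identity_verified_on is not None and self.determination in (
            Determination.FACTUAL_ERROR, Determination.CHANGED_CIRCUMSTANCE)

    def outstanding(self, today: date) -> list[str]:
        """Rule 9 closing checklist. An empty list means the entry may be closed."""
        issues: list[str] = []
        if self.identity_verified_on is None or not self.verification_method:
            issues.append("identity not verified / method not recorded")
        if self.determination is Determination.PENDING:
            issues.append("validity determination not documented")
        else:  # a correction or an attached statement must reach every copy
            for s in sorted(self.systems_in_scope - set(self.systems_confirmed)):
                issues.append(f"system not corrected: {s}")
            for p in sorted(self.processors_in_scope - set(self.processors_confirmed)):
                issues.append(f"processor confirmation missing: {p}")
        if self.extension_months and not self.extension_is_valid():
            issues.append("extension not notified within the original month")
        if self.response_sent_on is None:
            issues.append("written response not sent")
            if today > self.internal_deadline():
                issues.append(f"internal Day 25 deadline passed ({self.internal_deadline()})")
        elif self.response_sent_on > self.statutory_deadline():
            issues.append("written response sent after statutory deadline")
        if not self.signed_off_by:
            issues.append("register entry not signed off")
        return issues
```

The month-end rule matters in practice: a request received on 31 January is due by the end of February, not on a non-existent 31 February. The `outstanding` check is what a ticket-closing step should call; closing a ticket that still lists an unconfirmed system or processor is the partial-correction failure described under Rule 5.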
For HR teams managing high request volumes, fixing the underlying operational structure that produces inaccurate data in the first place reduces your rectification workload significantly. Every request you prevent is a request you do not have to log, verify, assess, correct, and document.
What Makes Rectification Workflows Fail in Practice
The nine rules above address the mechanics. These are the operational patterns that break them:
- No data map: Corrections stop at the HRIS. Payroll, benefits, and ATS records remain inaccurate. The correction is partial and the exposure continues.
- No designated owner: Requests arrive in a shared inbox and sit. The one-month clock runs. No one is accountable until the deadline passes.
- Treating disputes as corrections: A performance rating altered under employee pressure is no longer an accurate record. It creates a different legal exposure — and a precedent that invites further challenges.
- Weak processor contracts: Vendors who cannot confirm corrections within your internal timeline put your compliance posture at risk. Audit processor agreements before the next DSR arrives, not during it.
- Inadequate response letters: A one-line confirmation email is not a GDPR-compliant response. It is an artifact that will not survive supervisory authority review if challenged.
HR teams that have gone through a structured HR triage risk mapping process identify data accuracy gaps — and the workflows that produce them — before they generate rectification requests, complaints, or regulatory scrutiny.
How Automation Changes the Rectification Workflow
Manual rectification workflows have a ceiling. When request volumes increase, or when a single data error propagates across seven systems simultaneously, manual correction becomes a full-time job for someone who already has one.
Automation changes the propagation problem. A Make.com scenario triggered by a confirmed rectification in your core HRIS can push the correction to payroll, benefits, LMS, and access control simultaneously — with a logged confirmation from each system feeding directly into your DSR register entry. The verification and validity assessment steps remain human. The multi-system propagation does not have to be.
The TalentEdge HR process standardization case — $312K in annual savings at 207% ROI — demonstrates what happens when HR operations are rebuilt around documented, automated workflows rather than manual, inbox-dependent processes. Rectification is one process. The principle applies across every repeatable HR workflow you run.
For teams considering whether to build these automations in-house or with external support, the DIY automation vs. Make partner decision guide provides a clear framework for that choice in 2026.
Expert Take
The rectification workflow is a microcosm of HR data quality as a whole. Every step that is manual is a step that can be skipped under pressure. Every system that is not on the data map is a system where inaccurate data persists after the request is “closed.” The teams that handle rectification well are the teams that have mapped their data, documented their processes, and built automation into the propagation layer. The ones that struggle are the ones that are trying to do it with email and institutional memory.
Frequently Asked Questions
What is the GDPR right to rectification?
GDPR Article 16 gives individuals the right to have inaccurate or incomplete personal data corrected by the organization that holds it. For HR teams, this means employees can request corrections to any personal data held in HR systems — including payroll records, contact details, qualifications, and demographic data. The organization must respond within one month.
Does the one-month deadline apply to every rectification request?
Yes. The one-month deadline runs from receipt of the request, not from when you begin processing it. Extensions of up to two additional months are available for complex or high-volume requests, but the extension itself must be communicated to the employee within the original one-month window with a reason provided.
Can an employee use rectification to change a performance review?
No. GDPR Article 16 applies to factually inaccurate or incomplete personal data. A performance rating is a documented judgment, not a factual data point. The correct response to a disputed rating is to attach a supplementary statement from the employee to the record while leaving the original assessment intact. Altering accurate subjective records creates a different legal and HR exposure.
What happens if a third-party processor cannot correct data in time?
You remain responsible for compliance with the one-month deadline regardless of processor response times. Issue correction instructions to processors as early as possible; the Rule 7 timeline puts this at Day 12 at the latest. If a processor cannot confirm correction before your internal Day 25 response deadline, send the employee response noting the pending processor update and a timeline for confirmation. Follow up in writing when processor confirmation is received.
What is the difference between a rectification request and a subject access request?
A Subject Access Request (SAR) under GDPR Article 15 gives employees the right to see what data you hold on them. A rectification request under Article 16 gives them the right to have that data corrected. Many rectification requests follow a SAR — the employee sees their data, identifies an error, and then submits a correction request. Both require the same one-month response deadline and the same DSR register documentation.
Do we need to notify third parties of corrections made to employee data?
Under GDPR Article 19, if you have disclosed personal data to recipients (processors or other controllers), you must communicate any rectification to each of them unless this proves impossible or involves disproportionate effort, and you must tell the employee who those recipients are if they ask. Document every notification in your DSR register entry. Where notification is impossible or disproportionate, document why.
Additional Reading
- HRIS Required Fields vs Manual Data Validation: Which Is Safer for Small HR Teams?
- The $27K Overpayment: How One HRIS Data Entry Mistake Cost a Manufacturer a Year of Salary
- 11 Warning Signs Your Inherited HR Operation Is Bleeding Money
- What Is HR Triage Risk Mapping? How HR Leaders Prioritize Inherited Messes
- Drowning in Admin: How Solo and Small HR Teams Can Fix Broken HR Operations Without Burning Out
- How TalentEdge Saved $312K with HR Process Standardization
- How to Run an OpsMap Audit Before Automating Anything
- What Is a Minimum Viable HR Process? A Plain-Language Definition
- In-House HR Cleanup vs Fractional HR Consultant: 2026 Decision Guide
- How to Build a 90-Day HR Triage Plan Your CEO Will Sign
- 9 HRIS Configuration Defaults Every Small HR Team Should Change
- DIY Automation vs. Hiring a Make Partner in 2026: When to Do Each
- HR of One Survival FAQ: Inherited Operations Questions Answered
- What Is OpsMesh? The Framework That Structures Every 4Spot Engagement
- 9 EEOC AI Compliance Requirements HR Teams Must Meet in 2026

