Right to Rectification
Plain English Translation
Under Quebec Law 25 section 28, organizations must allow individuals to request the correction of their personal information if it is inaccurate, incomplete, equivocal, or was collected unlawfully. A formal process for requests for rectification of personal information must be established to handle these inquiries within 30 days, properly verify the requester's identity, and provide proof of the changes made. Organizations are also responsible for documenting their actions to maintain compliance.
Technical Implementation
Required Actions (startup)
- Provide a dedicated privacy email address for individuals to submit a request for rectification.
- Manually verify identity and update records directly in the primary database or CRM.
- Track requests in a secure spreadsheet to ensure a response is provided within 30 days.
Required Actions (scaleup)
- Implement a ticketing system to log, assign, and manage data subject requests systematically.
- Define standard operating procedures for verifying identities and propagating data updates to third-party tools.
- Provide written confirmations or automated attestations of deletion when requests are granted.
Required Actions (enterprise)
- Deploy automated privacy management platforms that orchestrate rectification requests across all internal microservices and external data stores.
- Maintain immutable audit logs of all consent, access, and rectification activities.
- Establish automated identity verification workflows that securely validate requesters without unnecessarily stockpiling additional sensitive data.
The right to rectification under Quebec Law 25 section 28 allows individuals to demand the correction of their personal information if it is inaccurate, incomplete, or equivocal. It also empowers them to require rectification if the collection, communication, or retention of the information was not authorized by law.
An individual must submit a request for rectification in writing and prove that they are the person concerned or an authorized representative. The organization must process the request and can assist applicants in identifying the specific information if the request lacks precision.
Organizations must rectify personal information that is factually incorrect, missing necessary details, or misleadingly ambiguous. This requirement ensures that any data used to render decisions regarding the individual is accurate, up to date, and reliable.
Identity verification for rectification requests under Quebec Law 25 should involve reasonable and secure methods commensurate with the sensitivity of the data. Organizations must confirm identity before making changes, but should avoid collecting excessive additional personal data solely for verification purposes.
If personal information was collected without legal authorization, the required rectification typically involves securely deleting or destroying the unlawful data. The organization must then provide the requester with a formal attestation of the deletion free of charge.
The person in charge of the protection of personal information must reply in writing promptly and no later than 30 days after receiving the request. Failing to respond within this 30-day window is legally deemed a refusal to grant the request.
Yes, an organization can refuse a request if it can prove that the information does not need to be rectified, unless the data was provided directly by the individual or with their consent. Any refusal must include written reasons, cite the specific legal provision, and explain available remedies.
To document rectification requests for audit and compliance, organizations should maintain a data subject request log detailing the date received, identity verification steps, actions taken, and the final response. Retaining copies of deletion attestations or modified data receipts is essential to prove fulfillment. Tools like WatchDog Security's Compliance Center can help standardize evidence collection and link each request to the supporting artifacts and closure proof.
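An added example (not part of the original page and not code from any WatchDog Security product): a minimal request log that records the date received, the identity verification step, and the final response, with each record hash-chained to the previous one so that later edits are detectable, plus a check against the 30-day response window. The class, field, and event names and the sample requests are constructed for illustration; hash chaining is an assumed way to get tamper evidence, and the deadline check assumes a reply on day 30 after receipt is still on time.

```python
import hashlib
import json
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 30  # written reply due no later than 30 days after receipt
GENESIS = "0" * 64         # previous-hash value for the first record
def _digest(entry, prev_hash):
    # Hash the canonical JSON of the entry together with the previous record's hash.
    payload = json.dumps(entry, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()

class RectificationLog:
    """Append-only request log; every record is chained to the one before it."""
    def __init__(self):
        self.records = []

    def append(self, request_id, event, detail, on):
        entry = {"request_id": request_id, "event": event, "detail": detail, "date": on.isoformat()}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({**entry, "hash": _digest(entry, prev)})

    def verify(self):
        """Return the index of the first altered record, or None if the chain holds."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            entry = {k: v for k, v in rec.items() if k != "hash"}
            if rec["hash"] != _digest(entry, prev):
                return i
            prev = rec["hash"]
        return None

    def overdue(self, today):
        """Requests with no response logged once the 30-day window has passed."""
        received, closed = {}, set()
        for rec in self.records:
            if rec["event"] == "received":
                received[rec["request_id"]] = date.fromisoformat(rec["date"])
            elif rec["event"] == "response_sent":
                closed.add(rec["request_id"])
        limit = timedelta(days=RESPONSE_WINDOW_DAYS)
        return sorted(r for r, d in received.items() if r not in closed and today > d + limit)

def build_sample_log():
    log = RectificationLog()  # constructed sample requests
    log.append("REQ-001", "received", "written request, privacy mailbox", date(2026, 1, 5))
    log.append("REQ-001", "identity_verified", "matched account email", date(2026, 1, 6))
    log.append("REQ-001", "response_sent", "written confirmation of change", date(2026, 1, 9))
    log.append("REQ-002", "received", "written request, privacy mailbox", date(2026, 1, 10))
    return log
```

A hash chain makes edits detectable but does not prevent them: someone able to rewrite the whole log can recompute every hash, so the latest hash should also be recorded somewhere the log's operators cannot change.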
When an organization grants a request to correct personal data in customer records, the correction must be propagated across all internal databases and relevant downstream systems. The organization should also notify third-party processors to ensure inaccurate data is updated or deleted globally.
A request for access allows an individual to confirm the existence of their personal data and obtain a copy. In contrast, the right to rectification centers on demanding modifications or deletions if the data is flawed, incomplete, or unlawfully held.
Rectification requests require consistent intake, deadline tracking, and defensible evidence of what changed and why. Tools like WatchDog Security's Compliance Center can help teams centralize control requirements, map tasks to evidence (e.g., request logs, response letters, deletion attestations), and surface gaps when key artifacts are missing or outdated.
Repeated rectification requests can indicate upstream data quality problems or process breakdowns that increase privacy risk. Tools like WatchDog Security's Risk Register can help capture trends as risks, assign owners, document treatment plans (e.g., fixing source system validation), and support board-level reporting on remediation progress.
"In addition to the rights provided under the first paragraph of article 40 of the Civil Code, any person may, if personal information concerning him is inaccurate, incomplete or equivocal, or if collecting, communicating or keeping it are not authorized by law, require that the information be rectified."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |