Right to Rectification

Plain English Translation

Data subjects have the right to dispute inaccuracies in their personal data and require the controller to correct errors promptly. Where data has been corrected, the controller must ensure both the original and updated records are accessible and must notify any third parties who previously received the inaccurate data. Organizations must have a clear, accessible process for handling rectification requests.

Executive Takeaway

Organizations must immediately correct inaccurate personal data upon request and systematically notify any third-party recipients of the correction.

ImpactHigh
ComplexityMedium

Why This Matters

  • Processing inaccurate data violates fundamental data subject rights, exposing the organization to legal damages and regulatory scrutiny.
  • Ensuring data accuracy prevents business errors, such as misdirected communications or flawed automated decision-making.
  • Proactive propagation of corrected data to third parties mitigates downstream compliance risks and prevents compounding privacy violations.

What “Good” Looks Like

  • A streamlined, verifiable process exists for data subjects to submit rectification requests seamlessly, with tools like WatchDog Security's Compliance Center helping track request evidence and control mapping.
  • Data architecture allows for both the update of inaccurate information and the archiving of the retracted information for audit trails.
  • Automated or manual workflows ensure third-party vendors and partners are promptly notified when shared data is corrected; tools like WatchDog Security's Vendor Risk Management can help maintain vendor ownership and notification tracking.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

Under RA 10173, the right to rectification empowers data subjects to dispute inaccuracies or errors in their personal data and requires the personal information controller to correct it immediately.

A data subject can request a correction by submitting a formal notification to the organization's Data Protection Officer or through established privacy portals, providing proof of the correct information.

The organization must immediately correct the personal data, retain accessibility to both the new and retracted information, and inform previous third-party recipients of the update.

Yes, the Implementing Rules and Regulations explicitly require the personal information controller to correct the data immediately upon receipt of a valid, non-vexatious request.

Third parties who previously received the inaccurate personal data must be informed of its inaccuracy and its rectification upon the reasonable request of the data subject.

Yes, an organization can legitimately reject a rectification request if it can demonstrate that the request is vexatious or otherwise unreasonable.

Data subjects typically need to provide valid identification and substantial documentary proof verifying their true and correct personal information to substantiate the requested change.

Companies should maintain a Data Subject Request Log that tracks the request date, identity verification, the specific data corrected, and the dates when third parties were notified. Tools like WatchDog Security's Compliance Center can help preserve supporting evidence and show how each request maps to the applicable RA 10173 control requirement.

The right to access entitles an individual to view and obtain a copy of the personal data an organization holds, whereas the right to rectification allows them to compel the organization to fix errors within that data.

Failing to respect data subject rights can result in civil liability for damages incurred by the data subject, as well as significant administrative fines and sanctions from the National Privacy Commission.

Rectification requests require intake tracking, identity verification, evidence of the corrected data, and proof that the organization responded within a defensible process. Tools like WatchDog Security's Compliance Center can help centralize request evidence, map the activity to RA 10173 controls, and maintain an audit trail for review.

A correction is not complete if inaccurate data remains with vendors, processors, or business partners that previously received it. Tools like WatchDog Security's Vendor Risk Management can help maintain a vendor catalog, identify affected third parties, and track follow-up actions related to rectification notices.

PHILIPPINES-DPA IRR Section 34(d)

"The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable."

PHILIPPINES-DPA IRR Section 34(d)

"If the personal data have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information... Provided, That the third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification upon reasonable request..."

VersionDateAuthorDescription
1.0.02026-05-06Compliance Content TeamInitial publication