If a company or other organization (a so-called controller) has stored false (or incomplete) personal data on you, then under the General Data Protection Regulation (GDPR) you have a right to demand immediate correction of said incorrect data.
This allows you to defend yourself against credit agencies (such as Experian or Equifax), for example, if they rate your creditworthiness or your payment history negatively due to incorrect entries.
If you want to learn more, have a look at our article about your rights under the GDPR.
How do I exercise this right?
The GDPR does not impose any requirements on how you make your request. This means that you could in principle simply write an informal letter and send it to the controller. In theory, even a phone call would do.
In most cases, however, you should use the written form, if only to be able to prove later that you have actually made a request. And while you could also state informally that you would like for your data to be corrected, we advise you to make a more formal request referring to the specific legislation. This ensures that the controller cannot talk their way out of their responsibility.
What does a letter like that have to contain?
Don’t worry, you don’t have to write this letter yourself. We have prepared a sample letter for you to copy and adapt for your purposes.
Here is our sample letter for requests for rectification according to Art. 16 GDPR. You still have to fill in the data in curly braces. You can decide whether you want all personal data concerning you to be deleted or just some. Depending on your choice, include one of the sections in [square brackets].
To Whom It May Concern:
I am hereby requesting rectification of inaccurate personal data concerning me according to Article 16 GDPR.
Please make the following changes:
{Specify the data to be corrected.}
In case you have disclosed the affected personal data to third parties, you have to communicate my request for rectification of the affected personal data to each recipient as laid down in Article 19 GDPR. Please also inform me about those recipients.
My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.
As laid down in Article 12(3) GDPR, you have to confirm the erasure to me without undue delay and in any event within one month of receipt of the request.
I am including the following information necessary to identify me:
{Enter your identification data here. This often includes information like your name, your date of birth, your address, your email address and so on.}
If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.
To make your life easier, you can also download the letter and use it directly with the word processor of your choice. You can choose between the following templates:
- LibreOffice or OpenOffice template (.ott)
- Word template (.dotx)
- PDF form (.pdf)
- Plain text file (.txt)
To whom do I send the letter?
You send the letter directly to the controller. If they have a data protection officer, we recommend that you always address the letter directly to this person. Data protection officers are not only specially trained, but are also required to treat your request confidentially.
Isn’t there an easier way?
The idea behind Datenanfragen.de is to make it as easy as possible for you to exercise your rights regarding data protection. Therefore we have developed a generator, with which you can create requests like this automatically. We invite you to give it a try.