Skip to content

The right of correction (sometimes called the “right of rectification”) refers to a person’s ability to request that an organization fix any inaccuracies in the personal data it holds about them.[1] Correction is sometimes referred to as an absolute right in the context of the GDPR, because unlike some other rights conferred by the regulation which are dependent upon the lawful purpose of processing (e.g., the right of erasure), the right of correction applies regardless of the lawful purpose relied upon by an organization.

When personal data is included in an artificial intelligence (AI) prompt it may, or may not, be stored after the AI has completed its task and returned a response to the prompt. If prompts are stored for continued fine-tuning or future training of an AI, they may need to be searched if an organization receives a GDPR correction request. If a prompt that contains inaccurate personal data about a requestor is identified, that prompt (or at least the personal data that was included within that prompt) may need to be corrected. If, however, prompts are either deleted shortly after they are submitted (and prior to the receipt of a correction request), or if any personal data contained within a prompt is only kept for audit-trail purposes (i.e., to confirm the prompt was run at a certain date and time), an organization might decide not to correct any inaccurate information and, instead, provide a more complete record by including a supplementary statement or note with the data indicating that the original information was utilized as part of a prompt, but after the prompt was executed a data subject indicated that the information contained within the prompt may be inaccurate.[2] 

[1] GDPR, Article 16.

[2] See GDPR Art. 16 (referring to a right to have incomplete personal data “completed” by having a controller include a “supplementary statement” in conjunction with the potentially inaccurate personal data.