https://ico.org.uk/your-data-matters/credit/
What should I do if my credit file is inaccurate?
If your credit file is inaccurate, you can raise your concerns with the relevant CRA you obtained your file from. However, the problem may lie with the original lender or organisation that supplied the CRA with the information so you will need to contact them instead.
Who is responsible for the information on my credit file?
It is easy to see why people assume the CRAs are responsible for all the information that appears on their credit file. However, in reality, the lenders and telecoms and utility companies who passed the information to the CRA in the first place also have responsibilities for the information that appears on your credit file.
As a general rule, if the entry you are looking at has the name of a company on it, it’s likely to be that company who is responsible for that entry. The CRAs cannot amend this data without the permission of that company.
https://gdpr-info.eu/
https://gdpr-info.eu/art-16-gdpr/
1The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. 2Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-r...
What is the right to rectification?
Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.
This right has close links to the accuracy principle of the GDPR (Article 5(1)(d)). However, although you may have already taken steps to ensure that the personal data was accurate when you obtained it, this right imposes a specific obligation to reconsider the accuracy upon request.
What do we need to do?
If you receive a request for rectification you should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You should take into account the arguments and evidence provided by the data subject.
What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort you should put into checking its accuracy and, if necessary, taking steps to rectify it. For example, you should make a greater effort to rectify inaccurate personal data if it is used to make significant decisions that will affect an individual or others, rather than trivial ones.
You may also take into account any steps you have already taken to verify the accuracy of the data prior to the challenge by the data subject.
When is data inaccurate?
The GDPR does not give a definition of the term accuracy. However, the Data Protection Act 2018 (DPA 2018) states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
What should we do while we are considering the accuracy?
Under Article 18 an individual has the right to request restriction of the processing of their personal data where they contest its accuracy and you are checking it. As a matter of good practice, you should restrict the processing of the personal data in question whilst you are verifying its accuracy, whether or not the individual has exercised their right to restriction.
How can we recognise a request?
The GDPR does not specify how to make a valid request. Therefore, an individual can make a request for rectification verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.
A request to rectify personal data does not need to mention the phrase ‘request for rectification’ or Article 16 of the GDPR to be a valid request. As long as the individual has challenged the accuracy of their data and has asked you to correct it, or has asked that you take steps to complete data held about them that is incomplete, this will be a valid request under Article 16.
How long do we have to comply?
You must comply with a request for rectification without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
• any information requested to confirm the requester’s identity (see Can we ask an individual for ID?); or
• a fee (only in certain circumstances – see Can we charge a fee?)
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
Do we have to tell other organisations if we rectify personal data?
If you have disclosed the personal data to others, you must contact each recipient and inform them of the rectification or completion of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.
The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Also see The Data Protection Act 2018: http://www.legislation.gov.uk/ukpga/2018/12/contents
Part 3; Section 3; Parts 46, 47 and 48.
http://www.legislation.gov.uk/ukpga/2018/12/part/3/chapter/3/crossheading/data-subjects-rights-to-re...
It's What I Do.
I Drink and I
Remember Things.
Only mark a post as helpful if your issue has been resolved.
