GDPR rights to correct or delete clinical records
What GDPR actually requires when patients request corrections or deletions from their clinical records, and when healthcare organisations can refuse

Clinical records sit at a genuine intersection of competing legal obligations. The General Data Protection Regulation (GDPR) grants patients meaningful rights over their personal data, including the right to have inaccurate information corrected and, in some circumstances, deleted. But clinical documentation exists for reasons that go well beyond data management: it underpins patient safety, professional accountability, and legal defensibility. When a patient submits a request to correct or remove an entry from their clinical record, the applicable rules are not straightforward, and the consequences of getting the response wrong in either direction can be serious. This article sets out what GDPR compliance in healthcare actually requires in these situations, what exemptions apply, and what clinical admins need to do in practice.
The two GDPR rights that trigger correction and deletion requests
Two articles of GDPR are directly relevant when a patient challenges the content of their clinical record.
Article 16 provides the right to rectification. It entitles a data subject to request that a controller correct personal data that is inaccurate, and to have incomplete data completed, including by means of a supplementary statement. Rectification can be carried out by changing the data directly, by partial or complete deletion, or by adding information to complete an incomplete record.
Article 17 provides the right to erasure, sometimes called the "right to be forgotten". It requires controllers to delete personal data without undue delay in specific circumstances, for example where the data is no longer necessary for the purpose for which it was collected, or where the data subject withdraws consent and no other legal basis applies.
Neither right is absolute. In a healthcare context, both rights are subject to significant and well-defined limitations. As the Irish Data Protection Commission states directly: these rights "rarely apply to personal data such as medical opinions, diagnoses, and clinical treatment notes." Understanding why requires looking at the exemptions in detail.
When GDPR's right to erasure does not apply to clinical records
Article 17 includes explicit exceptions that are directly applicable to healthcare. Under Article 17(3), the right to erasure does not apply where processing is necessary:
For compliance with a legal obligation under EU or member-state law
For reasons of public interest in the area of public health under Article 9(2)(i)
For archiving purposes in the public interest, scientific or historical research, or statistical purposes
For the establishment, exercise, or defence of legal claims
In practice, the most commonly applicable exception in clinical settings is the legal obligation to retain records. Healthcare organisations across EU member states are subject to statutory minimum retention periods. In England, for example, the NHS England Records Management Code of Practice requires adult patient records to be kept for a minimum of eight years after the last entry. General Practitioner (GP) records must be retained for ten years after a patient's death, in accordance with current NHS guidance, though retention periods may vary by record type. Equivalent obligations exist across EU member states, though the specific periods vary by jurisdiction.
Where a statutory retention obligation applies, an erasure request can lawfully be refused. The organisation is not required to delete the record simply because the patient has requested it. The obligation is to respond to the request, explain the applicable exemption, and inform the patient of their right to complain to the relevant supervisory authority.
The regulatory context is also relevant here: erasure rights are subject to active regulatory scrutiny, and penalties for non-compliance can reach up to €20 million or 4 per cent of global annual turnover under Article 83(5). In healthcare this cuts both ways: an unjustified refusal and an unjustified deletion each carry real risk.
What "rectification" actually means in a clinical context
Rectification under Article 16 applies to data that is factually inaccurate. A patient's incorrect date of birth, a misspelled name, or an address recorded in error are clear candidates for correction. These are objective errors, and correcting them is both required and straightforward.
The more complex situation arises when a patient disputes a clinical judgement, such as a diagnosis, a documented assessment, or a clinician's recorded opinion about their presentation or behaviour. These entries are not automatically "inaccurate" under GDPR simply because the patient disagrees with them.
The BMA's guidance on access to health records is explicit on this point: "patients may seek correction of information they believe is inaccurate, but the health professional is not obliged to accept the patient's opinion — they must ensure that the notes indicate the patient's view." A clinician's documented professional judgement reflects their assessment at the time it was made. Disagreeing with that judgement does not make the record factually wrong in the GDPR sense.
Where a patient believes a record is incomplete rather than inaccurate, the Irish Data Protection Commission confirms that the patient can request that a supplementary statement be added to complete the record. This is a meaningful right, but it is distinct from the right to have the original entry removed or overwritten.
The audit trail obligation: what must be recorded when an entry changes
When a clinical record entry is corrected or annotated, the audit trail is not optional. It is a core compliance requirement under both GDPR and professional documentation standards.
An adequate audit trail for a record amendment must include:
The original entry, which must remain visible and unaltered
The date and time of any amendment
The identity of the person making the amendment
The reason for the change, clearly documented
The BMA's guidance states that "amendments to records can be made provided the amendments are made in a way which indicates why the alteration was made, so that it is clear that records have not been tampered with." The guidance also confirms that "information can be removed from display but the audit trail will always keep the record complete."
From a technical perspective, audit trails must be tamper-proof to serve as credible evidence during regulatory investigations or legal proceedings. Each log entry should capture user identity, timestamp, and the action performed. Overwriting or deleting the original entry, rather than annotating it, creates both a GDPR compliance risk and a professional liability risk. If a record has been altered without a visible audit trail, it may be impossible to demonstrate that the change was legitimate rather than an attempt to conceal information.
How to handle a rectification request without altering the original entry
The standard clinical approach to a valid rectification request is to add a dated addendum or annotation alongside the original entry, rather than editing or removing it. This method satisfies GDPR's accuracy principle while preserving the integrity of the original record.
A properly constructed annotation should include:
The date the annotation was added
The name and role of the person adding it
A clear statement of what is being corrected or added, and why
Where relevant, a note that the amendment follows a patient request under Article 16 GDPR
Where the patient has disputed a clinical judgement rather than a factual error, the annotation should record the patient's view without implying that the original clinical entry was wrong. For example: "Patient has requested that it be noted they dispute the above assessment. Their view has been recorded in accordance with their right to add a supplementary statement under Article 16 GDPR."
This approach means the record remains complete, the original entry is preserved for clinical and legal purposes, and the patient's right to have their perspective documented is respected. It also creates a clear paper trail for any subsequent regulatory review.
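The audit-trail rules above (original entry preserved and visible, amendments carrying who, when, why and on what legal basis, entries removable from display but never from the log) and the annotation approach in this section, shown together as an added Python example that is not part of the original article or of any record system. The class, field names, action names, legal-basis strings and sample entries are assumptions made for illustration.

```python
"""Append-only, hash-chained amendment log for a clinical record entry.
Added example, not code from the original article or any record system:
originals are never edited, each amendment records who, when, why and on
what legal basis, and entries can be hidden from display but never lost."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first event

def _digest(event: dict) -> str:
    """SHA-256 over every field except the hash itself, in canonical JSON."""
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AmendmentLog:
    def __init__(self) -> None:
        self.events: list[dict] = []

    def append(self, actor: str, role: str, action: str, text: str, reason: str,
               legal_basis: str, target_seq=None, timestamp=None) -> dict:
        """Record an event; amendments must cite the entry amended and a reason."""
        if not reason.strip():
            raise ValueError("audit trail requires a documented reason")
        if action != "CREATE" and target_seq is None:
            raise ValueError("an amendment must reference the entry it amends")
        event = {
            "seq": len(self.events),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action, "target_seq": target_seq,
            "text": text, "reason": reason, "legal_basis": legal_basis,
            "prev_hash": self.events[-1]["hash"] if self.events else GENESIS,
        }
        event["hash"] = _digest(event)  # covers prev_hash, so order is fixed too
        self.events.append(event)
        return event

    def verify(self) -> bool:
        """True only if no stored event was altered and the chain is unbroken."""
        prev = GENESIS
        for event in self.events:
            if event["prev_hash"] != prev or _digest(event) != event["hash"]:
                return False
            prev = event["hash"]
        return True

    def display_view(self) -> list[str]:
        """What a reader sees: SUPPRESS_DISPLAY hides an entry, the log keeps it."""
        hidden = {e["target_seq"] for e in self.events if e["action"] == "SUPPRESS_DISPLAY"}
        return [f"[{e['seq']}] {e['action']} by {e['actor']} ({e['role']}): {e['text']}"
                for e in self.events
                if e["action"] != "SUPPRESS_DISPLAY" and e["seq"] not in hidden]

def build_sample_log() -> AmendmentLog:
    """Constructed sample: three originals, then a supplementary statement,
    a factual correction and a display suppression (all names invented)."""
    log, t, care = AmendmentLog(), "2024-03-01T10:00:00+00:00", "Art. 9(2)(h) GDPR"
    for text in ("Assessment: low mood, no risk identified.", "Date of birth: 1980-02-01",
                 "Referral letter (filed to wrong patient)"):
        log.append("Dr A. Example", "GP", "CREATE", text, "Consultation", care, timestamp=t)
    log.append("J. Admin", "Practice manager", "ANNOTATE",
               "Patient disputes the above assessment; their view is recorded.",
               "Patient request for supplementary statement", "Art. 16 GDPR", 0, t)
    log.append("J. Admin", "Practice manager", "CORRECT", "Date of birth: 1980-01-02",
               "Factual error verified against ID document", "Art. 16 GDPR", 1, t)
    log.append("J. Admin", "Practice manager", "SUPPRESS_DISPLAY", "",
               "Document belongs to another patient", "Accuracy principle", 2, t)
    return log
```

A correction leaves the original line in the displayed record next to the corrected one, and a retrospective edit to any stored event makes `verify()` fail, which is what an investigator would check first.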
The role of the Data Protection Officer and Caldicott Guardian
Not every rectification or erasure request needs to be escalated, but knowing when to involve specialist roles matters.
Under GDPR, healthcare organisations processing special category data, which includes all health data, are required to designate a Data Protection Officer (DPO). The DPO must be involved in any situation where the response to a data subject request is legally uncertain, where a refusal is being issued, or where the request involves a potential breach of the accuracy principle that could affect patient safety.
In National Health Service (NHS) and UK healthcare settings, the Caldicott Guardian plays a related but distinct role: they are responsible for protecting the confidentiality of patient information and supporting appropriate information sharing. Where a rectification or deletion request raises questions about the clinical appropriateness of disclosing or amending record content, the Caldicott Guardian should be consulted alongside the DPO.
For routine requests, such as correcting an obvious factual error like a wrong address, a practice manager or senior clinical admin can typically handle the response directly, provided the amendment follows the correct audit trail procedure. For anything involving a disputed clinical entry, a refusal to delete, or a request that touches on sensitive diagnoses or safeguarding information, escalation to the DPO is the appropriate step.
Responding to the patient: timelines, format, and what to say when you refuse
GDPR sets a firm deadline for responding to data subject requests. The response must be provided within one month of receiving the request. In complex cases, this period may be extended by a further two months, but only if the data subject is notified of the extension and the reasons for it within the original one-month window. Without such notification, the one-month deadline remains firm.
Silence or delay is itself a compliance failure. Failing to respond within the deadline is treated as a refusal without justification, and the patient can complain directly to the relevant supervisory authority.
When refusing a request, whether for erasure or rectification, the response must:
Be in plain, accessible language (not legal boilerplate)
Clearly identify the specific exemption or legal basis for the refusal
Inform the patient of their right to lodge a complaint with the national supervisory authority (for example, the Information Commissioner's Office (ICO) in the UK, the Data Protection Commission (DPC) in Ireland, or the Commission Nationale de l'Informatique et des Libertés (CNIL) in France)
Inform the patient of their right to seek a judicial remedy
Before acting on any request, the controller must confirm that the requester is the data subject themselves, or someone with authority to act on their behalf. This verification step is particularly important in healthcare, where records contain highly sensitive information.
How correction and deletion obligations differ across EU member states
GDPR sets the baseline, but it explicitly permits member states to introduce additional conditions for processing health data. Article 9(4) allows member states to "maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health."
This means that clinical admins working across different EU jurisdictions may encounter variations in:
Retention periods: National law determines minimum retention schedules, and these differ significantly. Germany, France, Ireland, and the Netherlands each have their own statutory frameworks governing how long different categories of clinical record must be kept.
Amendment procedures: Some member states have specific procedural requirements for how amendments to health records must be documented or notified to the patient.
Patient rights extensions: Certain jurisdictions have extended patient rights beyond the GDPR baseline in the context of health records.
The GDPR framework described in this article applies across the EU, but it does not substitute for local legal advice. Clinical admins operating in any specific member state should verify the applicable national guidance, typically issued by the national data protection authority or the relevant health ministry, before responding to requests that may engage local law.
A practical decision framework for clinical admins
When a data subject request about a clinical record arrives, the following decision path provides a structured starting point. It is not a substitute for legal advice in complex cases, but it covers the majority of scenarios a clinical admin will encounter.
Step 1 — Identify the type of request
Is the patient requesting correction of a factual error (Article 16), completion of an incomplete record (Article 16), or deletion of the record (Article 17)? The applicable rules differ.
Step 2 — Verify the requester's identity
Confirm that the request is from the data subject or an authorised representative before taking any action or sharing any information.
Step 3 — Check applicable exemptions
For erasure requests: does a statutory retention obligation apply? Is the data required for public health purposes, legal claims, or archiving? If yes, the request can be refused. For rectification requests: is the disputed data factually inaccurate, or is it a clinical judgement the patient disagrees with? If the latter, the original entry does not need to be changed, but the patient's view should be recorded as a supplementary statement.
Step 4 — Determine the appropriate action
Factual error: correct the entry using an audit-trailed amendment
Incomplete record: add a dated supplementary statement
Disputed clinical judgement: add an annotation recording the patient's view, without altering the original entry
Erasure request subject to a retention exemption: prepare a refusal response citing the applicable legal basis
Step 5 — Document the decision
Record what request was received, what decision was made, which exemption or legal basis was applied, and who was involved in making the decision. This documentation is itself part of the organisation's GDPR accountability obligation.
Step 6 — Respond within the deadline
Send a written response within one month. If the request is refused, include the specific legal basis, the patient's right to complain to the supervisory authority, and their right to a judicial remedy. Use plain language throughout.
Step 7 — Escalate if disputed or uncertain
If the patient challenges the refusal, if the request involves sensitive categories of information such as safeguarding or mental health records, or if there is genuine legal uncertainty about the applicable exemption, escalate to the DPO. In NHS settings, consult the Caldicott Guardian where patient confidentiality is engaged.
One important limitation to acknowledge: the framework above reflects the GDPR baseline and general clinical documentation standards. It does not account for every national variation, and it does not address the technical complexity of deletion in modern clinical systems, particularly where records are replicated across backups, archives, and third-party processors. Implementing verifiable data deletion across encrypted clinical datasets remains technically challenging, and erasure obligations extend to backups and archived copies held by processors. Where a deletion is legally required, information technology and information governance teams will need to be involved to ensure it is carried out completely.
Frequently asked questions
Do patients have the right to delete their clinical records under GDPR?
Not in most circumstances. Article 17 of the General Data Protection Regulation grants a right to erasure, but this right doesn't apply where a legal obligation to retain records exists. Healthcare organisations across EU member states are subject to statutory minimum retention periods. In England, for example, NHS England requires adult patient records to be kept for a minimum of eight years after the last entry. Where such an obligation applies, an erasure request can lawfully be refused, provided the organisation responds in writing, explains the exemption, and informs the patient of their right to complain to the relevant supervisory authority.
Can a patient request correction of a clinical diagnosis they disagree with?
A patient can request correction, but a clinician isn't obliged to change a documented professional judgement simply because the patient disputes it. The right to rectification under Article 16 applies to factually inaccurate data, such as a wrong date of birth or a misspelled name. A clinical diagnosis or assessment reflects the clinician's professional opinion at the time it was recorded. Disagreeing with that opinion doesn't make the entry inaccurate under GDPR. Where a patient disputes a clinical judgement, the appropriate response is to add a supplementary statement recording the patient's view, without altering the original entry.
What must an audit trail include when a clinical record is amended?
When a clinical record entry is corrected or annotated, the audit trail must include four things: the original entry, which must remain visible and unaltered; the date and time of the amendment; the identity of the person making the amendment; and the reason for the change. Overwriting or deleting the original entry, rather than annotating it, creates both a GDPR compliance risk and a professional liability risk. If a record has been altered without a visible audit trail, it may be impossible to demonstrate that the change was legitimate.
How should a clinical admin handle a rectification request without changing the original entry?
The standard approach is to add a dated addendum or annotation alongside the original entry. A properly constructed annotation should include the date it was added, the name and role of the person adding it, a clear statement of what is being corrected or added and why, and, where relevant, a note that the amendment follows a patient request under Article 16 GDPR. Where a patient has disputed a clinical judgement rather than a factual error, the annotation should record the patient's view without implying the original entry was wrong.
What is the deadline for responding to a patient's correction or deletion request?
GDPR requires a response within one month of receiving the request. In complex cases, this period can be extended by a further two months, but only if the patient is notified of the extension and the reasons for it within the original one-month window. Silence or delay is itself a compliance failure. Failing to respond within the deadline is treated as a refusal without justification, and the patient can complain directly to the relevant supervisory authority.
What must a refusal letter include when declining a patient's erasure or rectification request?
A refusal response must be written in plain, accessible language. It must clearly identify the specific exemption or legal basis for the refusal, inform the patient of their right to lodge a complaint with the national supervisory authority (such as the Information Commissioner's Office in the UK, the Data Protection Commission in Ireland, or the Commission Nationale de l'Informatique et des Libertés in France), and inform the patient of their right to seek a judicial remedy. Legal boilerplate isn't sufficient. The patient must be able to understand why the request has been refused and what they can do next.
When should a Data Protection Officer be involved in handling a clinical record request?
Healthcare organisations processing health data are required under GDPR to designate a Data Protection Officer. The Data Protection Officer must be involved where the response to a request is legally uncertain, where a refusal is being issued, or where the request involves a potential breach of the accuracy principle that could affect patient safety. Routine requests, such as correcting an obvious factual error like a wrong address, can typically be handled by a practice manager or senior clinical admin, provided the amendment follows the correct audit trail procedure. Anything involving a disputed clinical entry, a refusal to delete, or sensitive information such as safeguarding or mental health records should be escalated to the Data Protection Officer.
Do GDPR correction and deletion rules differ across EU member states?
GDPR sets the baseline, but it explicitly permits member states to introduce additional conditions for processing health data under Article 9(4). This means clinical admins working across different EU jurisdictions may encounter variations in statutory retention periods, amendment procedures, and patient rights that go beyond the GDPR baseline. Germany, France, Ireland, and the Netherlands each have their own statutory frameworks governing how long different categories of clinical record must be kept. Clinical admins operating in any specific member state should verify the applicable national guidance, typically issued by the national data protection authority or the relevant health ministry, before responding to requests that may engage local law.
Does GDPR's right to erasure extend to backups and archived copies of clinical records?
Yes. Where a deletion is legally required, the obligation extends to backups and archived copies held by processors, not just the primary record. Implementing verifiable data deletion across encrypted clinical datasets is technically challenging, particularly where records are replicated across backups, archives, and third-party processors, so information technology and information governance teams will need to be involved to ensure the deletion is carried out completely.
What is the difference between the right to rectification and the right to add a supplementary statement?
The right to rectification under Article 16 GDPR covers correction of factually inaccurate data and completion of incomplete data. Where a patient believes a record is incomplete rather than inaccurate, they can request that a supplementary statement be added to complete the record. This is a meaningful right, but it's distinct from the right to have the original entry removed or overwritten. The Irish Data Protection Commission confirms this distinction directly: the supplementary statement sits alongside the original entry rather than replacing it.