The Principle of Accuracy
Article 5(1)(d) of the GDPR
Summary of the GDPR Principle
The Data Protection Principle of Accuracy
The principle of accuracy under the GDPR is one of the seven data protection principles. In short, the principle of accuracy means that companies should process personal data that is accurate, up to date and correct. Article 5(1)(d) of the GDPR governs this principle.
The Principle of Data Accuracy
Article 5(1)(d) of the GDPR states the principle of accuracy. The more important the personal data is, the more the company should do to ensure that the data is correct. This means that the company should not just rely on the data subject having provided correct information. Companies also have a responsibility to ensure this through various means.
Please note that the company must also comply with the other basic data protection principles, such as the Data Protection Principle of Purpose Limitation.
What does the Principle of Accuracy mean?
In short, the principle of accuracy under the GDPR means the following:
- Correct: A company that processes personal data must ensure that it is correct. If the personal data is incorrect, the company should correct or delete it.
- Updated: A company must keep personal data up to date to ensure that it is correct.
- Putting in place procedures: A company should have internal procedures in place to handle any inaccurate personal data.
Particularly important in some cases
In some cases, the accuracy of the personal data is particularly important, for example when a company makes a decision that is essential to the data subject.
A practical example is if a hospital processes incorrect personal data. The consequence can be devastating and lead to actions that are not correct. In the worst case, it could be dangerous for the data subject.
The more sensitive personal data is, the more important it is to ensure that personal data is correct.
Data subjects have the right to contact companies when their personal data is incorrect
Data subjects may contact a company if their personal data is incorrect. For example, the personal data may be misspelled or no longer relevant due to a change, or certain personal data may need to be completed. In such cases, the company must correct the personal data or delete it. Also, according to the main rule, the company must inform the data subjects when such activity has been carried out.
In order to comply with this right, the company should implement internal procedures that employees must follow. Please note that a company must carry out any corrections without undue delay, normally within one month from the date on which the data subject submitted the request. However, the company has the right to extend the deadline in certain specific cases, for example if many data subjects have requested rectification during the same period or if it is complicated to carry out the action. In such cases, the period can be extended by a maximum of another two months. Companies wishing to extend the deadline must be able to justify the decision.
Fees for fulfilling this right to rectification of personal data
Under the general rule, a company is not entitled to charge for fulfilling the data subjects' rights, including the right to have their personal data rectified. However, there are exceptions. If the request for rectification is unreasonable, unjustified or repeated several times by the same person, the company may be entitled to charge a fee, but the fee must be reasonable. Please note that the company must be able to justify its decision.
Refusal of a request
A company can refuse a request for rectification. In such cases, the company must be able to justify the decision.
A company can conclude that the personal data is correct even if a data subject does not consider it to be so. If the company reaches this decision, it must inform the data subject of the decision. This must be done within one month of the company receiving the request from the data subject. Companies must take reasonable steps to ensure that the personal data they process is accurate.
Verify the identity of the data subject
When a data subject requests to have his or her personal data corrected or updated, the company must ensure that the contact is made with the right person. Therefore, the company has the right to first verify the identity of the data subject. However, this may only be done if there are reasonable grounds to doubt the identity of the data subject.
In such cases, the company can request additional information to prove the identity of the data subject. However, this must be done in a way that is proportionate.
A company is not allowed to collect more personal data than is necessary for identification. This is in accordance with Article 12(6) of the GDPR. The collection of additional data must not take place without good reason, as this would run counter to the principle of data minimisation. In other words, the collection must be proportionate. It shall not lead to a new, unnecessary collection of personal data.
The company needs to carry out a proportionality assessment. The assessment shall take into account different aspects, such as the consequences or risks for the data subject of an unauthorised use of the right, and what damage could occur if the information is disclosed to the wrong person or if a correction is done incorrectly.
Additional factors that may be useful to include in the assessment are whether the request concerns sensitive personal data, the nature of the data and the context in which the request is made. The type of activity carried out by the company may also be relevant to take into account.
When can the company require the presentation of an identity document?
In most cases, it is not necessary to require the data subject to present an identity document in order for the company to carry out an identification. Requiring such presentation may pose a security risk. Therefore, a company should only require the presentation of an identity document if this is strictly necessary and is done on the basis of law.
One company had to pay a fine because it requested a passport copy in order to prove the identity of the data subject. The supervisory authority did not consider this to be reasonable. This documentation contained too much information and was not proportionate.
Instead, a company should consider verifying the identity of the data subject requesting their rights by other means, for example by asking control questions that only the data subject could answer, such as questions about other contact details of the data subject held by the company.
Other data protection principles
The Principle of Storage Limitation under the GDPR
It is important to limit the storage duration of personal data. A company shall delete personal data when it is no longer necessary for the purpose for which it was collected. It is also possible to anonymise the data instead of deleting it. Anonymised data is no longer personal data and therefore not covered by the GDPR. When a company processes personal data, the company must know in advance how long it needs to process the personal data. The company must present this information to data subjects.