This is the second of three principles about data standards, along with data minimisation and storage limitation.
Article 5(1)(d) of the Applied GDPR requires that personal data is:
"accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay".
Controllers should note that the rights of erasure and rectification of personal data are directly associated with the principle of accuracy. In addition, individuals have a right to restrict the processing of inaccurate data and controllers must comply with all the rights when exercised.
The Applied GDPR does not define the word ‘inaccurate’. However, regulation 5 of the GDPR and LED Implementing Regulations 2018 says that ‘inaccurate’ means “incorrect or misleading as to any matter of fact”. It will usually be obvious whether personal data are accurate. For example, incorrect or out of date contact details is clearly inaccurate personal data; however, an accurate recording of a third party's opinion about the data subject may not, however, be 'inaccurate'.
You must always be clear about what you intend the record of the personal data to show. What you use it for may affect whether it is accurate or not. For example, just because personal data has changed doesn’t mean that a historical record is inaccurate – but you must be clear that it is a historical record.
In order to comply with this principle:
- You may need to regularly check and keep the personal data updated, although this will depend on what you are using it for (for example contact details).
- You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.