This is the first of three principles about data standards, along with accuracy and storage limitation.
Article 5(1)(c) of the Applied GDPR requires that personal data is:
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"
You must ensure the personal data you are processing is:
- adequate – sufficient to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not hold more than you need for that purpose.
This is an exacting standard for controllers to meet. To assess whether you are holding the right amount of personal data, you must first be clear about why you need it and be able to identify and process the minimum personal data necessary for each particular purpose. The accountability principle means that you need to be able to demonstrate that you have appropriate processes to ensure that you only collect and hold the personal data you need.
Individuals have several rights related to this principle, including the right to have incomplete data that is inadequate for your purpose completed (under the right to rectification) and the right to have data that is not necessary for your purpose deleted (under the right to erasure, also known as the right to be forgotten).