Excessive personal data – who decides?

One of the questions that does not get much attention in data protection is the concept of excessiveness. Data Protection Directive Article 6(1)(c) states personal data must be (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.

General Data Protection Regulation Article 5(1)(c) states that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. So, personal data that is excessive or unnecessary cannot be collected and processed.

Source: Excessive personal data – who decides?

>