The GDPR article most closely related to the principle of accuracy is 16 right to rectification. Its relevance has already been discussed in section section Description. Adequate information that creates awareness of the processing among data subjects (Art. 13 and 14 GDPR) and the right to access the data in possession of the controller (Art. 15) can be seen to be necessary to enable the right to rectification.
When a controller cannot instantly act on a request for rectification (according to Art. 16 GDPR), but requires adequate time to verify the accuracy of the data in discussion, it may be necessary to restrict the processing of the data (see Art. 18(1)(a) GDPR). After the verification of the accuracy and effectuated rectification, the controller must inform the data subject according to Art. 12(3) GDPR. Should the controller find that the data is indeed accurate and does not need rectification, the data subject must be informed according to Art. 12(4) )GDPR. If the processing was restricted, the data subject can then consent to lifting the restriction even without rectification (see Art. 18(2) GDPR). In absence of such consent, the controller can either delete the data (see Art. 5(1)(d) GDPR) or have its Data Protection Officer consult the Supervisory Authority on the issue (see Art. 39(1)(e) GDPR).
In the case that the controller disclosed the data to recipients, these must also be made aware of the inaccuracy (according to Art. 19 GDPR). In particular, controllers are obliged to notify recipients of the rectifications that were carried out. Considering that the verification of accuracy can depend on the purposes of processing (see Description), it may be useful and more timely to voluntarily notify recipients already of the request of rectification. Such an extended approach then also covers the case where the data is accurate for the controller, but requires rectification at one of the recipients.
Data subjects also have the right to request to be informed about such notifications (see 2nd sentence of Art. 19 GDPR). This information includes the naming of individual recipients.
1This is interesting, since in Art. 13(1)(e) and 14(1)(e), it is sufficient to inform about categories of recipients. ↑