Article 6 — Accuracy, Storage Limitation, and Accountability

  1. Personal data shall be accurate and, where necessary, kept up to date. The controller shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without undue delay.
  2. The controller shall establish appropriate mechanisms, including electronic self-service facilities where feasible, to enable data subjects to verify and, where appropriate, request the correction of their personal data.
  3. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the data will be processed solely for:
    1. archival purposes in the public interest;
    2. scientific or historical research purposes; or
    3. statistical purposes, provided that appropriate technical and organisational measures are implemented to safeguard the rights and freedoms of the data subject, including, where practicable, pseudonymisation.
  4. The controller shall establish and document a data retention policy specifying the retention periods for each category of personal data processed. The retention policy shall be reviewed at regular intervals and made available to the supervisory authority upon request.
  5. Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures. Given the digital-first nature of the Kaharagian legal order, such measures shall include, as appropriate:
    1. encryption of personal data in transit and at rest;
    2. access controls and authentication mechanisms;
    3. logging and audit trails of processing activities;
    4. regular testing, assessment, and evaluation of the effectiveness of security measures.
  6. The controller shall be responsible for, and shall be able to demonstrate compliance with, the principles set out in Article 4, Article 5, and the preceding paragraphs of this Article. This obligation includes maintaining records of processing activities, conducting impact assessments where required, and cooperating with the supervisory authority.
  7. Where the controller engages a processor, the controller shall ensure, by means of a written agreement or other binding instrument, that the processor provides sufficient guarantees to implement appropriate technical and organisational measures such that the processing meets the requirements of this Code and ensures the protection of the rights of the data subject.