Article 11 of the GDPR embodies one of the important principles of GDPR i.e. data minimization. One of the objectives of GDPR is to process the data to a minimum and to keep a record of only that data that is relevant and only for a limited time. Once the purpose of the data processing is complete, the data must be deleted.
Article 11 provides that when a data controller no longer requires the identification of the data subject then the data controller is not obliged to maintain or acquire new data to identify the data subject. This implies that when the data controller’s purpose for which it collected the personal data has been achieved, it shall not acquire any further data from the data subject.
Here, identification would mean digital identification such as login credentials of the data subject.
However, if the data subject wishes to exercise his or her rights provided by Articles 15 to 20 then he or she shall have to provide additional information to the data controller for identification purposes in cases where the data controller is unable to identify the data subject.
This clearly shows that the GDPR has tried to balance the rights of the data subject and also taken into consideration the limitations of the data controller while identifying data subjects. However, this can also be misinterpreted by the data controller and even if a data subject wishes to exercise his or her rights they might refuse to obtain any additional data from the data subject once their processing objective is met citing Article 11. It is to be seen how organisations interpet Article 11. An organisation which cares about its data subjects’ rights shall always comply and try to identify the data subject through the additional information given by him/her.
Reference:
– https://gdpr.eu
-https://iapp.org