What is the Right to Restrict Processing?

Defined in Article 18, the right to restrict processing is one of the data subject rights set out in Chapter 3 of the General Data Protection Regulation (GDPR).

Right to Restrict Processing Summary

  • The right to restrict processing lets an individual limit the way an organization uses their personal data, as an alternative to requesting erasure
  • The right is not absolute and only applies in certain circumstances (for example, while the accuracy of the data is being verified or while an objection is being considered)
  • An organization may continue to store restricted personal data, but must not otherwise process it while the restriction is in place
  • A request to restrict processing can be made to an organization verbally or in writing
  • Restriction requests must be handled by the organization (the data controller) without undue delay and within one month of receipt; where a request is complex or the organization has received many requests, this period can be extended by a further two months, provided the individual is told about the extension within the first month
  • The right to restrict processing is closely related to the right to rectification (Article 16) and the right to object (Article 21)

Business Considerations for Organizations to Understand

How does an organization restrict processing?

Organizations need a process that enables them to restrict processing of personal data when required. This can often be done with technical solutions that automate the handling of data subject requests. Whether performed manually or with automation tools, the GDPR (Recital 67) suggests a number of methods for restricting data, including:

  • Temporarily moving the data to another processing system
  • Making the data unavailable to users through access control or data encryption
  • Temporarily removing published data from a website

It is particularly important for organizations to consider how they store personal data that they no longer need to process but that an individual has asked them to restrict. In such cases, data masking techniques such as pseudonymization could be used. Note that anonymization is irreversible: once data is truly anonymized it is no longer personal data and cannot be restored if processing later resumes, so it is closer to erasure than to restriction and is only appropriate where the organization has no need to process the data again.

For organizations using automated filing systems, technical measures are needed to ensure that no further processing of, or changes to, the data can take place while the restriction is in place, and the fact that processing is restricted should be clearly indicated in the system. Data classification software can help with this, while continuous monitoring can provide assurance that the measures applied to this data remain in force for the duration of the restriction.

What information is required for you to respond to a data subject access request?

The right of access (Article 15) entitles data subjects to the following information from the organization acting as data controller:

  • confirmation of whether the organization is processing their personal data
  • a complete and clear copy of the personal data being processed
  • supplementary information, which largely corresponds to the information disclosed in the organization’s privacy notice(s), such as the purposes of processing, the recipients of the data and the retention period

Can an organization lift restrictions applied to the data?

Yes, but often with justification and disclosure to the data subject.

In many cases processing restrictions are only temporary, especially when they were applied for one of the following reasons:

  • the organization is investigating an accuracy dispute raised by an individual about their personal data, or
  • the organization is considering whether it has legitimate grounds that override an individual’s objection to processing

If the organization decides that it has legitimate grounds to continue processing the individual’s personal data, it will usually also decide to lift the restriction on the data. In that case the organization must inform the data subject before the restriction is lifted and explain its reasons for continuing to process the data. The organization should also tell the individual of their right to lodge a complaint with the relevant supervisory authority, and of their ability to seek a judicial remedy, in case the individual is not satisfied with the organization’s justification for continuing to process their data despite the dispute.

Can an organization do anything with restricted data?

While a restriction is in place, an organization may only store the restricted personal data. It must not otherwise process the data unless:

  • the individual has given their consent
  • the processing is for the establishment, exercise or defense of legal claims
  • the processing is for the protection of the rights of another natural or legal person
  • the processing is for reasons of important public interest of the EU or of a Member State
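The following is an added example, not code from the GDPR or from any product mentioned on this page, of how the technical measures described under "How does an organization restrict processing?" and the exceptions listed above can be enforced in one place: a processing gate that marks each record as restricted, refuses ordinary processing while the flag is set, lets the Article 18(2) exceptions through, records every decision in an audit trail for monitoring, and refuses to lift a restriction until the data subject has been informed. The record layout, the purpose names and the in-memory store are assumptions made for the example.

```python
# Added example: a per-record processing gate for GDPR Article 18 restrictions.
# Illustrative code for this page; record layout, purposes and store are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Purpose(Enum):
    STORAGE = "storage"                  # always permitted: Art. 18(2) allows storage
    MARKETING = "marketing"              # ordinary processing: blocked while restricted
    ANALYTICS = "analytics"              # ordinary processing: blocked while restricted
    LEGAL_CLAIMS = "legal_claims"        # Art. 18(2): establishment/exercise/defense of legal claims
    PROTECT_OTHERS = "protect_others"    # Art. 18(2): protection of another person's rights
    PUBLIC_INTEREST = "public_interest"  # Art. 18(2): important public interest


# Purposes still permitted while restricted. Consent is a per-request flag and
# storage is always allowed, so neither appears here.
RESTRICTION_EXCEPTIONS = {Purpose.LEGAL_CLAIMS, Purpose.PROTECT_OTHERS, Purpose.PUBLIC_INTEREST}


class ProcessingRestricted(PermissionError):
    """Raised when an operation is refused because of an active restriction."""


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False                    # the "clearly indicated" restriction marker
    restriction_reason: Optional[str] = None


@dataclass
class DataStore:
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every decision is logged for monitoring

    def _log(self, subject_id, event, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "subject": subject_id, "event": event, **details})

    def restrict(self, subject_id, reason):
        rec = self.records[subject_id]
        rec.restricted = True
        rec.restriction_reason = reason
        self._log(subject_id, "restricted", reason=reason)

    def lift_restriction(self, subject_id, justification, subject_informed):
        # Art. 18(3): the data subject must be informed before the restriction is lifted,
        # so the caller has to attest that this happened before the flag is cleared.
        if not subject_informed:
            raise ValueError("inform the data subject before lifting the restriction")
        rec = self.records[subject_id]
        rec.restricted = False
        rec.restriction_reason = None
        self._log(subject_id, "restriction_lifted", justification=justification)

    def process(self, subject_id, purpose, consent=False):
        """Return the record's data if the operation is permitted, otherwise raise."""
        rec = self.records[subject_id]
        if rec.restricted and purpose is not Purpose.STORAGE:
            if not (consent or purpose in RESTRICTION_EXCEPTIONS):
                self._log(subject_id, "refused", purpose=purpose.value)
                raise ProcessingRestricted(
                    f"{purpose.value} blocked for {subject_id}: {rec.restriction_reason}")
            self._log(subject_id, "allowed_by_exception", purpose=purpose.value, consent=consent)
        else:
            self._log(subject_id, "processed", purpose=purpose.value)
        return rec.data

    def restricted_subjects(self):
        """Subjects currently under restriction, for periodic monitoring checks."""
        return sorted(s for s, r in self.records.items() if r.restricted)


def run_demo():
    """Walk one constructed record through restriction, exceptions and lifting."""
    store = DataStore()
    store.records["u42"] = Record("u42", {"email": "u42@example.invalid"})  # constructed sample
    store.restrict("u42", "accuracy disputed, Art. 18(1)(a)")
    try:
        store.process("u42", Purpose.MARKETING)          # ordinary processing: refused
    except ProcessingRestricted:
        pass
    store.process("u42", Purpose.STORAGE)                # storage: still allowed
    store.process("u42", Purpose.LEGAL_CLAIMS)           # Art. 18(2) exception
    store.process("u42", Purpose.ANALYTICS, consent=True)  # consent exception
    store.lift_restriction("u42", "accuracy verified, data correct", subject_informed=True)
    store.process("u42", Purpose.MARKETING)              # back to normal
    return store


if __name__ == "__main__":
    for entry in run_demo().audit:
        print(entry)
```

The gate deliberately puts the decision in one function so that every code path that touches personal data goes through `process()`; a restriction that is only enforced in some call sites is exactly the gap continuous monitoring of the audit trail is meant to catch.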