# 23. Data Subject Rights – The right to restrict processing
Welcome back to our GDPR Requirements series and happy Tuesday! Today, we’re going to dig deeper into another data subject right, namely the right to restrict the processing of personal data. The right to restrict processing entails that a data subject can limit the way you, as the controller, process their data.
A data subject’s request to restrict the processing of their personal data is an alternative to the erasure of the data. In most cases, you only need to have the restriction in place for a certain time and not indefinitely. This right is not absolute; it only applies in four specific situations:
- If a data subject contests the accuracy of the personal data, the processing is restricted during the time it takes you to verify the accuracy of the said data;
- If your processing is unlawful and the data subject opposes the erasure of the data and requests you restrict the processing instead;
- If you no longer need the data for the purposes of the processing, but the data is required by the data subject for establishing, exercising or defending a legal claim;
- If the data subject has objected to the processing, pending the verification of whether the legitimate grounds of the controller override those of the data subject.
Moreover, in the first and fourth situations, it is considered best practice to temporarily restrict the processing even without a request from the data subject. Once you’ve decided on the accuracy of the data, or if you’ve concluded that your legitimate grounds override those of the data subject, you may decide to lift the restriction. However, before you do so, you need to inform the data subject about the lifting of any restrictions. If you inform the individual that you are lifting the restriction, you should include the reasons for refusing to act upon their request. In addition to this, you’ll also need to inform the data subjects about their right to lodge a complaint with their relevant supervisory authority, and their ability to seek a judicial remedy to enforce their rights in that case. Your decision regarding the request must be both explainable and justifiable.
When the personal data is under restriction, you are not allowed to process it in any way except for storage. There are, however, exceptions to this rule: processing is permitted if the data subject has consented to it, or if it’s required for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU/EEA or of a Member State (or the UK).
You might wonder what different methods of restricting data there are. Some examples of them are to temporarily move the data to another processing system, make it unavailable to users, or temporarily remove the data from the website it’s been published on.
There are also two specific circumstances according to the GDPR where you should tell other organisations about the erasure, rectification or restriction of processing of personal data. The first one is if you have disclosed the personal data to other recipients: in that case, you must contact and inform them of any request for rectification, erasure or restriction of processing of the personal data. The objective of this rule is to facilitate the exercise of the data subjects’ rights by removing the need for further communication with the relevant recipients to, for example, erase or restrict the processing of data. However, there are two exceptions to the obligation to notify other recipients about the request, namely if it proves impossible or involves a disproportionate effort for you to contact the recipients.
- ‘Impossibility’ means that there is at least one factor that absolutely prevents you from contacting the recipients. For example, this might be the case if the recipient is not reachable or no longer exists and has no legal successor. Generally, there is no degree of impossibility: it is either impossible or not.
- Relying on ‘disproportionate effort’ implies weighing the interest between you, the controller, and the impact and effect on the data subjects – the individual’s interest regarding their privacy, and the controller’s burdens and efforts, financial and time investments. Remember that this should be a case-by-case assessment.
In addition to the above, if you are asked to, you must also inform the data subject about those recipients to whom their personal data have been disclosed.
When responding to a ‘right to restrict processing’ request, DPOrganizer’s tool makes it easy by having your processing operations mapped, which would be a time-saver in identifying what data are processed, where, how, and why. You can also create a case and have a case log readily available for responding to the request. If you’d like to learn more about the right to restrict processing, please take a look at the WP29 Guidelines and the ICO Guidelines. I now hand over the pen (or keyboard, really) to my eminent colleague, Albin (firstname.lastname@example.org).