It’s important to note that organisations have been fined for not restricting the processing of personal data when they should have.
What does the GDPR mean by ‘restriction of processing’?
‘Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future.
When are you supposed to restrict the processing of personal data?
While a controller is verifying the accuracy of personal data (in the case where a data subject has contested its accuracy)
In the case where processing is unlawful and the data subject has opposed the erasure/deletion of the data and instead requests the restriction of processing
Where the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
Where the lawful basis is ‘legitimate interest’ and the data subject has objected to the processing, BUT it still needs to be verified whether the legitimate grounds of the controller override those of the data subject
How might you restrict the processing of personal data?
The GDPR gives some examples:
temporarily moving the selected data to another processing system
making the selected personal data unavailable to users
temporarily removing published data from a website
In computers and other automated filing systems, the restriction of processing should, in principle, be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.
What are the other associated rights that apply?
Besides the right to restriction itself, there are other rights that apply:
Through your privacy notices, the data subject must be informed of the existence of the right to request the restriction of processing
When a request is made for access to personal data, the data subject must be informed of the existence of the right to restrict
A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed:
with the data subject's consent
for the establishment, exercise or defence of legal claims
for the protection of the rights of another natural or legal person, or
for reasons of important public interest of the Union or of a Member State
Are there any other obligations for the controller?
The controller shall communicate any restriction of processing to all parties to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Note that Member States are authorised to provide specifications and derogations with regard to the information requirements and rights to the restriction of processing.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018