GDPR and the Restriction of Processing

It’s important to note that organisations have been fined for not restricting the processing of personal data when they should have.

What does the GDPR mean by ‘restriction of processing’?

‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future

When are you supposed to restrict the processing of personal data?

While a controller is verifying the accuracy of personal data (in the case where a data subject has contested its accuracy)

In the case where processing is unlawful and the data subject has opposed the erasure/deletion of the data and instead, requests the restriction of processing

Where the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims

Where the lawful basis is ‘legitimate interest’ and the data subject has objected to the processing, BUT it still needs to be verified whether the legitimate grounds of the controller override those of the data subject

How might you restrict the processing of personal data?

The GDPR gives some examples:

temporarily moving the selected data to another processing system

making the selected personal data unavailable to users

temporarily removing published data from a website

In computers and other automated filing systems, the restriction of processing should, in principle, be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

What are the other associated rights that apply?

Besides having the right to restriction, there are other rights that apply:

Through your privacy notices, the data subject must be informed of the existence of the right to request the restriction of processing

When a request is made for access to personal data, the data subject must be informed of the existence of the right to restrict

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted

Where processing has been restricted, such personal data shall, (with the exception of storage), only be processed

with the data subject's consent

for the establishment, exercise or defence of legal claims

for the protection of the rights of another natural or legal person, or

for reasons of important public interest of the Union or of a Member State

Are there any other obligations for the controller?

The controller shall communicate any restriction of processing to all parties to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Note that Member States are authorised to provide specifications and derogations with regard to the information requirements and rights to the restriction of processing

The content herein is provided for your convenience and does not constitute legal advice.

Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.