Request to Restrict Processing
Under the GDPR, individuals have the right to restrict the processing of their personal data. It is one of the least common privacy requests because it only applies in a limited set of circumstances. However, you still may receive one on occasion, so here is some guidance on how to handle a request to restrict processing.
What Does It Mean to “Restrict Processing”?
“Restriction of processing” means the personal data cannot be used for any purpose beyond storing it. The right arises when there is some kind of dispute related to the data, and in most cases a Request to Restrict Processing serves as a temporary hold on any use of the data. The individual is telling you, “Don’t use the data, but don’t delete it either.”
It’s important to not treat a Request to Restrict Processing as a Request to Delete. Unless the individual tells you otherwise, you should assume they want you to retain the data.
When Does It Apply?
An individual has the right to restrict the processing of their personal data in the following circumstances:
- They submitted a Request to Correct and you are still verifying their accuracy of their data.
- Their personal data has been unlawfully processed under the rules of the GDPR. (I.e., their data was processed without a lawful basis, such as consent, necessity for performance of a contract, or legitimate interest.)
- They need you to keep your data in order to establish, exercise, or defend a legal claim.
- They have previously submitted a Request to Object to the processing of their personal data, and the status of your review is still pending.
How to Handle a Request to Restrict Processing
The first step in responding to a Request to Restrict Processing should be to confirm that the individual has a legal basis for making the request, as described above. If they do not, you may deny the request (explaining why), and direct them to the privacy request form if they would like to submit another type of request.
You may also want to communicate directly with the individual in order to clarify the scope of their request. It will often be the case that they have a specific type of data processing in mind when they submit the request. Identifying what it is they actually want will make it easier to respond accordingly.
The mechanics of restricting processing will vary greatly according to the context and any vendors that are involved. For example, a marketing vendor may offer a simple way to suspend all marketing communications to a specific person without deleting their information. Other situations may not be so straightforward. It may be necessary, for example, to export and save a copy of the person’s data from a vendor, and then delete all data within the vendor’s database.
Also, many of the circumstances which trigger the right to restrict processing can involve a dispute with your organization. Depending on the context, it may be a good idea to consult with an attorney before proceeding.
Read the ICO’s guidance on the right to restrict processing.