What is the right to restrict processing?

Individuals have a right to block or restrict the processing of their personal data.

Individuals can make a request verbally or in writing. You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at least within one month of receipt.

When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in the future.

As a matter of good practice, you should consider restricting the processing of personal data if:

  • an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data;
  • an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your businesses legitimate grounds override those of the individual.
  • processing is unlawful and the individual opposes erasure and requests restriction instead
  • you no longer need the personal data but the individual requires the data to be retained to allow them to establish, exercise or defend a legal claim.
  • You may need to review procedures to ensure you are able to determine if you need to restrict the processing of personal data.

If you have disclosed the personal data to other organisations (controllers or processors), you must inform them about the restriction, unless it is impossible or involves disproportionate effort to do so.

You must inform individuals when you decide to lift a restriction on processing.

N.B.  If you consider the request, but conclude that you do have a lawful basis or legitimate interest in continuing to processing the data, you should inform the individual of the outcome of this conclusion and advise them that they have the right to consult the Information Commissioner if they disagree with your conclusion.

You can download a description of individuals’ rights under GDPR here