At a glance
- Individuals have the right to request the restriction or suppression of their personal data.
- This is not an absolute right and only applies in certain circumstances.
- When processing is restricted, you are permitted to store the personal data, but not use it.
- An individual can make a request for restriction verbally or in writing.
- You have one calendar month to respond to a request.
- This right has close links to the right to rectification (Article 16) and the right to object (Article 21).
Preparing for requests for restriction
☐ We know how to recognise a request for restriction and we understand when the right applies.
☐ We have a policy in place for how to record requests we receive verbally.
☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
Complying with requests for restriction
☐ We have processes in place to ensure that we respond to a request for restriction without undue delay and within one month of receipt.
☐ We are aware of the circumstances when we can extend the time limit to respond to a request.
☐ We have appropriate methods in place to restrict the processing of personal data on our systems.
☐ We have appropriate methods in place to indicate on our systems that further processing has been restricted.
☐ We understand the circumstances when we can process personal data that has been restricted.
☐ We have procedures in place to inform any recipients if we restrict any data we have shared with them.
☐ We understand that we need to tell individuals before we lift a restriction on processing.
What is the right to restrict processing?
Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.
When does the right to restrict processing apply?
Individuals have the right to request you restrict the processing of their personal data in the following circumstances:
- the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
- the data has been unlawfully processed (ie in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
- the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:
- if an individual has challenged the accuracy of their data and asked for you to rectify it (Article 16), they also have a right to request you restrict processing while you consider their rectification request; or
- if an individual exercises their right to object under Article 21(1), they also have a right to request you restrict processing while you consider their objection request.
Therefore, as a matter of good practice you should automatically restrict the processing whilst you are considering its accuracy or the legitimate grounds for processing the personal data in question.
How do we restrict processing?
You need to have processes in place that enable you to restrict personal data if required. It is important to note that the definition of processing includes a broad range of operations including collection, structuring, dissemination and erasure of data. Therefore, you should use methods of restriction that are appropriate for the type of processing you are carrying out.
The GDPR suggests a number of different methods that could be used to restrict data, such as:
- temporarily moving the data to another processing system;
- making the data unavailable to users; or
- temporarily removing published data from a website.
It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).
If you are using an automated filing system, you need to use technical measures to ensure that any further processing cannot take place and that the data cannot be changed whilst the restriction is in place. You should also note on your system that the processing of this data has been restricted.
Can we do anything with restricted data?
You must not process the restricted data in any way except to store it unless:
- you have the individual’s consent;
- it is for the establishment, exercise or defence of legal claims;
- it is for the protection of the rights of another person (natural or legal); or
- it is for reasons of important public interest.
Do we have to tell other organisations about the restriction of personal data?
Yes. If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the restriction of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.
The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
When can we lift the restriction?
In many cases the restriction of processing is only temporary, specifically when the restriction is on the grounds that:
- the individual has disputed the accuracy of the personal data and you are investigating this; or
- the individual has objected to you processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of your legitimate interests, and you are considering whether your legitimate grounds override those of the individual.
Once you have made a decision on the accuracy of the data, or whether your legitimate grounds override those of the individual, you may decide to lift the restriction.
If you do this, you must inform the individual before you lift the restriction.
As noted above, these two conditions are linked to the right to rectification (Article 16) and the right to object (Article 21). This means that if you are informing the individual that you are lifting the restriction (on the grounds that you are satisfied that the data is accurate, or that your legitimate grounds override theirs) you should also inform them of the reasons for your refusal to act upon their rights under Articles 16 or 21. You will also need to inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek a judicial remedy.
Can we refuse to comply with a request for restriction?
You can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If you consider that a request is manifestly unfounded or excessive you can:
- request a "reasonable fee" to deal with the request; or
- refuse to deal with the request.
In either case you will need to justify your decision.
You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.
In more detail – Data Protection Bill
There are other proposed exemptions from the right to restriction that are contained in the draft DP Bill. As proposed, these exemptions will apply in certain circumstances, broadly associated with why you are processing the data. Once the DP Bill is finalised, we will update our guidance accordingly, and provide further detail on the application of these exemptions.
What should we do if we refuse to comply with a request for restriction?
You must inform the individual without undue delay and within one month of receipt of the request.
You should inform the individual about:
- the reasons you are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
How do we recognise a request?
The GDPR does not specify how to make a valid request. Therefore, an individual can make a request for restriction verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.
A request does not have to include the phrase 'request for restriction' or Article 18 of the GDPR, as long as one of the conditions listed above apply.
This presents a challenge as any of your employees could receive a valid verbal request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.
Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.
Can we charge a fee?
No, in most cases you cannot charge a fee to comply with a request for restriction.
However, as noted above, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.
How long do we have to comply?
You must act upon the request without undue delay and at the latest within one month of receipt.
You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
An organisation receives a request on 3 September. The time limit will start from the next day (4 September). This gives the organisation until 4 October to comply with the request.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
An organisation receives a request on 30 March. The time limit starts from the next day (31 March). As there is no equivalent date in April, the organisation has until 30 April to comply with the request.
If 30 April falls on a weekend, or is a public holiday, the organisation has until the end of the next working day to comply.
For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Can we extend the time for a response?
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
However, it is the ICO's view that it is unlikely to be reasonable to extend the time limit if:
- it is manifestly unfounded or excessive;
- an exemption applies; or
- you are requesting proof of identity before considering the request.
Can we ask an individual for ID?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.
You must let the individual know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.