You can limit the way an organisation uses your personal data if you are concerned about the accuracy of the data or how it is being used. If necessary, you can also stop an organisation deleting your data. Together, these opportunities are known as your ‘right to restriction’.
How you can ask an organisation to restrict the use of your data
To exercise your right to restriction, you should:
- make your request directly to the organisation, and
- say what data you want restricted and why.
If you want to, you can make a request for restriction at the same time as you raise another objection.
A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your concern, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.
When you can ask an organisation to restrict the use of your data
You can ask organisations to temporarily limit the use of your data when they are considering:
- a challenge you have made to the accuracy of your data, or
- an objection you have made to the use of your data.
You may also ask an organisation to limit the use of your data rather than delete it if:
- the organisation processed your data unlawfully but you do not want it deleted, or
- the organisation no longer needs your data but you want the organisation to keep it in order to create, exercise or defend legal claims.
What to do if the organisation does not respond or you are dissatisfied with the outcome
If you are unhappy with how the organisation has handled your request, you should first complaint to it.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.
How should I raise my concern about how an organisation has handled my information?
You can use the template letter below to help you raise your concerns.
[Your full address]
[Name and address of the organisation]
Dear [Sir or Madam / name of the person you have been in contact with]
Information rights concern
I am concerned that you have not handled my personal information properly.
[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]
I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me on the following number [telephone number].