1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) | the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; |
(b) | the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; |
(c) | the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; |
(d) | the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject. |
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Article 18 means data subjects can request you temporarily limit how their personal data is used. There are specific scenarios where their request must be honored (see next question). Your company needs procedures in place to respond appropriately to these.
A data controller must restrict the processing of a data subject’s personal data when there are doubts about the accuracy of their data, until this has been verified.
If the processing of personal data is deemed unlawful, the data subject can choose to have the processing of their personal data restricted rather than having it erased. This option may be relevant in cases where a legal claim is pending against the data controller. The restriction allows for the preservation of evidence of the unlawful practice, while ensuring the data cannot be used for the unlawful purpose.
The data subject can request the data controller to continue processing their data, but in a restricted manner. This can be done when the controller no longer has a purpose for processing, while the data subject needs the data intact for the establishment, exercise, or defense of legal claims against the data controller
Article 21(1) allows data subjects to object to a data controller’s processing of their data when it is founded on the legal bases of “public interest” or “legitimate interests”. When a data subject objects to the processing of their personal data as per Article 21(1), the processing must be restricted until it is determined whether the data controller’s legitimate reasons override those of the data subject.
When data processing is restricted, the data controller can store the data but cannot modify, share, or use it without the data subject’s consent.
However, there are exceptions where processing is still allowed:
To comply with a restriction request, you must have a process in place to receive and respond to such requests, ensuring data subjects can easily contact you.
Establish a mechanism to flag restricted data to prevent accidental use that would violate the restriction.
When a restriction is lifted, you must notify the data subject before the restriction is lifted, giving them time to respond.
Yes, restricting processing affects data shared with third parties. When you restrict processing, you must inform any third parties who have received the data about the restriction so they also comply and do not process the data further. Therefore, it is important to have updated records of how data is shared with third parties.
When a data subject requests that the data controller restrict processing, it impacts automated decision-making and profiling by halting these activities. The data cannot be used in automated systems or for profiling purposes until the restriction is lifted.
Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.
Once you have submitted your details, you’ll be our top priority!