Request To Restrict Processing Procedure
Updated: 24th January 2019
What is the right to restrict processing?
Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data.
Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction.
When does the right to restrict processing apply?
Individuals have the right to request you restrict the processing of their personal data in the following circumstances:
- the individual contests the accuracy of their personal data and we are verifying the accuracy of the data;
- the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- we no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
- the individual has objected to us processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
How do we restrict processing?
You need to have processes in place that enable you to restrict personal data if required. The GDPR suggests a number of different methods that could be used to restrict data, such as:
- temporarily moving the data to another processing system;
- making the data unavailable to users; or
- temporarily removing published data from a website.
Can we do anything with restricted data?
We must not process the restricted data in any way except to store it unless:
- we have the individual’s consent;
- it is for the establishment, exercise or defence of legal claims;
- it is for the protection of the rights of another person (natural or legal); or
- it is for reasons of important public interest.
When can we lift the restriction?
In many cases the restriction of processing is only temporary, specifically when the restriction is on the grounds that:
- the individual has disputed the accuracy of the personal data and you are investigating this; or
- the individual has objected to you processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of your legitimate interests, and you are considering whether your legitimate grounds override those of the individual.
Once we have made a decision on the accuracy of the data, or whether your legitimate grounds override those of the individual, we may decide to lift the restriction and inform the individual beforehand.
Can we refuse to comply with a request for restriction?
We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature and we will justify our decision.
What should we do if we refuse to comply with a request for restriction?
We will inform the individual without undue delay and within one month of receipt of the request, with:
- the reasons you are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
How do we recognise a request?
An individual can make a request for restriction verbally or in writing to any part of our organisation and does not have to be to a specific person or contact point.
A request does not have to include the phrase ‘request for restriction’ or Article 18 of the GDPR, as long as one of the conditions listed above apply.
We have a legal responsibility to identify that an individual has made a request to you and handle it accordingly.
Additionally, we will record details of the requests we receive, particularly those made in writing, by telephone or verbally in person.
We will record the request in the Brazelton Centre UK Data Request Record Form
How long do we have to comply?
We must act upon the request without undue delay and at the latest within one month of receipt.
We can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. We will let the individual know within one month of receiving their request and explain why the extension is necessary.
Can we ask an individual for ID?
If we have doubts about the identity of the person making the request you can ask for more information.