The right to restriction of processing arises from Art. 18 of the UK General Data Protection Regulation (UK GDPR) and is one of the so-called data subject rights. In addition to rectification and erasure, this right gives data subjects a supplementary possibility to exercise control and governance over their personal data. What must data controllers do when data subjects request the restriction of the processing of their personal data?
Data subject rights in the UK
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure/be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights relating to automated decision making and profiling
Conditions of the right to restriction
Data subjects have a right to restriction in the following cases according to Art. 18 (1) UK GDPR:
- if the accuracy of the data is disputed, for a period of time that enables the controller to verify the accuracy of the personal data (a);
- in the event of unlawful data processing and if data subjects simultaneously refuse erasure and demand restriction of processing in its place (b);
- on the basis of the assertion, exercise or defence of legal claims by data subjects (c);
- on the basis of a justified objection by the data subject pursuant to Art. 21 (1) UK GDPR, as long as it has not yet been determined whether the legitimate reasons of the controller outweigh those of the data subject (d).
The cases described in a, c and d each involve a temporary restriction of processing. Only in the case of b is a permanent restriction conceivable. The duration of the restriction depends on the cases described above. In the case of disputed accuracy of the data, the period for checking the justification of the request for rectification is based on Art. 16 UK GDPR:
- If there is unlawful processing, until the data subjects request erasure.
- If there is a restriction due to the assertion, exercise or defence of legal claims by the data subjects, for this period.
- Finally, for the period of the examination of the justification of the objection pursuant to Art. 21 (1) UK GDPR.
Consequences of the right to restriction
The controller shall inform all recipients of the personal data affected by the restriction, unless this is exceptionally impossible or feasible only with a disproportionate effort.
Provided that one of the above-mentioned conditions for a restriction of processing is met, the processing of personal data is limited to storage. Processing of data beyond mere storage is then only permitted in the following cases:
- with the consent of the data subject;
- for the assertion, exercise or defence of legal claims;
- to protect the rights of third parties;
- for reasons of important public interest.
It is also important that the data subjects must be informed beforehand about the lifting of the restriction on processing.
How is the restriction of processing to be ensured?
According to Art. 4 No. 3 UK GDPR, restriction of processing is the marking of stored personal data with the aim of restricting their further processing in the future. Further processing is then only permitted for specific purposes (see above). In order to make this purpose limitation possible, the data must be marked and it must then be ensured that the marking is also complied with.
How this marking for the purpose of restricting processing is to be carried out is not described in Art. 18 UK GDPR. However, the following criteria should be met:
- Any type of marking must clearly and easily recognisably indicate the circumstance of the processing restriction.
- The manner of marking must not allow any negative conclusions to be drawn about the personal data of the data subject.
- Appropriate technical measures must be implemented so that the data are only processed for the purposes mentioned above.
Practical tip: Implementing the restriction of processing
Recital 67 UK GDPR gives examples of methods that can be used to restrict processing. Accordingly, data should be temporarily transferred to another processing system or blocked by changing access rights for users of the systems. Publicly accessible data should be temporarily removed from the website or operated online service. As a technical measure, an automated blocking of the personal data concerned against further processing or modification, including an automated notice of the blocking of the personal data concerned, is recommended.
The same also applies to non-automated processing, such as systematically created patient file cards. Here, it is not sufficient for the restriction of processing if these are marked as “data blocked”, e.g. by a note or stamp. The possibility of taking note and thus processing beyond the limited purposes specified in Art. 18 (2) UK GDPR remains feasible. As a suitable measure to ensure the restriction of processing, it is recommended that the corresponding index cards be sorted out and stored in an appropriately secured location.
It must also be ensured that the restriction of processing applies to any back-up copies.
Form and further modalities of the exercise of rights
Although it can be deduced from Art. 12 UK GDPR that a request for restriction of processing must be made, there is no explicit formal requirement for the request. Data subjects can therefore exercise the right to restriction electronically or – although this should be avoided due to lack of evidence – orally. However, the applicant must prove their identity in order to exercise the right. The identity must be verified by the controller before the processing of the data concerned is restricted.
General requirements for the controller to deal with the right to restriction are also regulated by Art. 12 UK GDPR. The controller must facilitate data subjects’ exercise of their right to restriction of processing and inform them without undue delay, and at the latest within one month of receipt of the request, of the action taken on their request. This time limit may be extended by a maximum of two additional months for well-founded exceptions. If the controller does not take action, it must inform data subjects of the reasons for this and of legal remedies without delay, but at the latest within one month of receipt of the request.
In addition, the controller must in principle carry out the restriction of processing free of charge, unless it can demonstrate manifest unfoundedness or the excessive nature of the request. The latter would then justify a reasonable fee.
Conclusion: Restriction is sometimes better than deletion
The data subject’s right to restriction of processing is an important control right that enables differentiated handling of personal data – especially in situations where immediate rectification or erasure does not seem appropriate. Accordingly, the right to restriction is a milder remedy in certain situations compared to deletion, since the processing is only restricted. At the same time, data subjects receive effective legal protection until the legal situation is clarified.
In addition, we recommend our other guidance on dealing with data subject rights.
