What is the right to restrict processing of personal data under GDPR?
When can a person exercise this right?
What should a company do?
In this article, we will break down the concept of the right to restrict processing so you know all there is to know about it.
Are you ready?
Let’s get started!
What is the right to restrict processing?
The right to restrict processing is the right given to individuals by GDPR allowing them to limit or restrict the processing of their personal data.
Generally, an individual will exercise the right to restrict processing instead of their right to erasure.
The right to restrict processing stems from Article 18 GDPR, which states:
“1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.”
When can an individual exercise the right to restrict processing?
Article 18 GDPR outlines the instances when an individual can exercise the right to restrict processing.
In the following cases, an individual may limit a company’s processing of personal data:
- When the person is contesting the accuracy of the data held by the company
- When the company is illegally or unlawfully processing their personal data
- When the company no longer needs the personal data, but the person needs it to establish, exercise or defend a legal claim
- When the person has objected to the processing and the company is still assessing whether its legitimate grounds override the objection
Relationship between the right to restrict data and right to rectification
In some cases, the right to restrict data will be exercised in light of the exercise of the right to rectification.
When an individual discovers that a company may hold inaccurate data about them and requests rectification, the individual can also demand that, until the data is corrected, the company refrain from processing the inaccurate data.
In this context, the exercise of the right to restrict data is a means to perfect the exercise of the right to rectification.
Relationship between the right to restrict data and right to object
Similarly, the right to restrict data can be exercised in light of the exercise of the right to object.
If a person objects to a company’s processing of his or her personal data, the individual can also ask the company to limit the processing until the company has evaluated and decided on the objection.
In this context, the exercise of the right to restrict data is a means to perfect the exercise of the right to object.
How does a company restrict the processing of personal data?
A company should refrain from using the restricted personal data unless the processing is required.
That sounds broad!
This is another concept that GDPR has left open for evaluation based on the context and circumstances.
Recital 67 GDPR provides some guidance on how a company should restrict data. It states:
“Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.”
Based on this, we can consider that a company should:
- Temporarily move the selected data to another processing system
- Make the selected data unavailable to users
- Temporarily remove published data from a website
- In automated filing systems, use technical means so that the data is neither further processed nor changed, and clearly flag it as restricted in the system
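As an added example (not code from the article or any product), the following Python sketch implements the Recital 67 requirements inside a record store: the restriction is flagged on the record itself, reads for any purpose outside a permitted set are refused, updates are blocked while the flag stands, and every allowed and denied operation is written to an audit trail. The `Record`/`RecordStore` names and the `PERMITTED_PURPOSES` set are assumptions for this example; a real deployment would configure the permitted purposes with its legal team.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes that may still touch a restricted record; an assumption for this
# example, seeded from the article's exemption list. "storage" stays allowed,
# otherwise the data could not be kept for a pending legal claim.
PERMITTED_PURPOSES = {"storage", "legal_claims", "legal_obligation", "public_interest"}

class RestrictedError(PermissionError): ...

@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False   # "clearly indicated in the system"
    ground: str = ""           # Article 18(1) limb invoked, e.g. "18(1)(a)"
    audit: list = field(default_factory=list)

def _stamp(*event) -> tuple:
    return (datetime.now(timezone.utc).isoformat(timespec="seconds"), *event)

class RecordStore:
    """In-memory store whose only access path enforces the restriction flag."""

    def __init__(self) -> None:
        self._records: dict = {}

    def add(self, rec: Record) -> None:
        self._records[rec.subject_id] = rec

    def set_restriction(self, subject_id: str, ground: str = "") -> None:
        # Non-empty ground restricts the record; an empty ground lifts it.
        rec = self._records[subject_id]
        rec.restricted, rec.ground = bool(ground), ground
        rec.audit.append(_stamp("restricted" if ground else "lifted", ground))

    def read(self, subject_id: str, purpose: str) -> dict:
        rec = self._records[subject_id]
        if rec.restricted and purpose not in PERMITTED_PURPOSES:
            rec.audit.append(_stamp("denied_read", purpose))
            raise RestrictedError(f"{subject_id} restricted under {rec.ground}")
        rec.audit.append(_stamp("read", purpose))
        return dict(rec.data)  # copy: callers cannot mutate stored data

    def update(self, subject_id: str, changes: dict) -> None:
        rec = self._records[subject_id]
        if rec.restricted:  # "cannot be changed" while the restriction stands
            rec.audit.append(_stamp("denied_update", sorted(changes)))
            raise RestrictedError(f"{subject_id} is restricted; lift it first")
        rec.data.update(changes)
        rec.audit.append(_stamp("updated", sorted(changes)))
```

The denied entries in the audit trail are what a monitoring team would alert on: repeated `denied_read` events for a restricted subject indicate a system that still routes that data into processing it should no longer perform.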
What are the exemptions to restricting personal data?
A company may be exempt from restricting personal data in the following instances:
- For the exercise of the right of freedom of expression and information
- For compliance with the law
- For the performance of a task in the public interest
- For the performance of a task in the exercise of an official authority
- For public health reasons
- For archival, research or statistical purposes
- For the establishment, exercise or defence of legal claims
For how long should data processing be restricted?
Most often, the restriction of processing will last for a limited period of time.
When a person exercises his or her right to restrict data, it is often because they are contesting the accuracy of the data held by an organization or objecting to the processing of personal data.
In either case, a company should restrict the processing of data until it completes its investigation on the matter.
Once a final decision is made, the company will either continue processing the data on the basis of legitimate interest, obtain fresh consent from the user, or cease processing the data if the objection was valid.
Can a company charge fees to restrict data processing?
The rule is that a company cannot charge the data subject a fee for exercising his or her rights under GDPR.
As a result, a company must comply with an individual’s request free of charge.
In some cases though, a company may have the option to demand fees to limit the processing of personal data.
If a request is manifestly unfounded or excessive, a company can demand reasonable fees to cover its administration cost.
Administration cost is not defined under GDPR, so a company must determine it on a case-by-case basis, taking into account the overall nature of the request and the effort required to restrict data processing or to contact third-party organizations.
Companies should make sure they can justify their request for a fee.
If not, data subjects may argue that the company is obstructing their ability to exercise their right.
What happens if a company has shared personal data with others?
What happens when a company is required to restrict the processing of personal data but has already shared the same data with other companies?
In such cases, the company must request that the other organizations restrict data processing as well.
If a company has made the personal data available on social media, forums, websites or another public online environment, the company must also take measures to make the data unavailable until a decision is made on the individual’s request.
The exception to this requirement is where it is impossible to contact the other organizations to whom the personal data was disclosed, or where doing so would involve disproportionate effort.
Can a company refuse to restrict a person’s data?
A company should limit data processing on personal data when the data subject has exercised the right to restriction.
There is an exception that companies should be aware of.
Article 12(5) GDPR states that:
“where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request”.
Based on this article, a data controller or data processor has the right to refuse a data subject’s request, provided it can demonstrate that the request is manifestly unfounded or excessive.
What is a manifestly unfounded request?
GDPR allows a data controller or data processor to either charge a fee or reject a data subject’s right to restrict the processing when the request is manifestly unfounded.
The term ‘manifestly’ refers to a request that is obvious or leaves no doubt that it is unfounded.
Companies should carefully assess a subject access request before rejecting it to ensure that the request is indeed manifestly unfounded.
Here are some examples of manifestly unfounded requests:
- A person has filed a request to get monetary advantages from the company
- The person’s request clearly shows that the objective is to disrupt the company operations
- The request is a person’s way to attack an employee of your company
- The person’s request is malicious
- The person is using the SAR as a means to harass the organization
What is an excessive request?
A data subject request can also be excessive in nature justifying its rejection.
A request is excessive when its demands are disproportionate or repetitive.
Companies should carefully assess a request before qualifying it as an excessive request though.
The burden of demonstrating that a request was excessive rests on the organization.
Here are some examples of an excessive request:
- Repeatedly making the same request
- The request overlaps with another request
- Submitting the same requests through multiple channels
What’s advisable is that a company assesses the request carefully before rejecting it.
It may be a good practice to reach out to the data subject in order to clarify the request or better scope the request in such a way to eliminate its excessive nature.
If a data subject is unaware of the excessive nature of the request, they may request information in good faith not knowing any better.
Granted, some other individuals may know exactly what they are doing.
Rather than rejecting a request outright, it may be worth considering the option to have the request clarified.
How should a company notify the data subject that the request has been rejected?
A data controller or data processor has the obligation to respond to the data subject’s request within one month from the request.
If a company intends to fully or partially reject the data subject’s request, it must inform the data subject of its decision in writing within the required timeline.
The data subject must be informed of the reasons for the rejection, of their right to lodge a complaint with the relevant supervisory authority, and of their right to seek a judicial remedy before the courts.
If the company has identified legitimate interests or another lawful basis to process personal data, they must clearly inform the data subject.
If a company’s privacy notice is well-drafted, it should already cover the company’s lawful basis for processing the data and the company can refer to the relevant sections of their privacy notice.
Infringement of the data subject’s right to restrict processing
Article 83 GDPR allows the supervisory authorities to issue administrative fines in the event of non-compliance or the infringement of GDPR.
Depending on the nature of the infringement, GDPR classifies it in two categories.
One category is for serious infringement to GDPR whereby the fines can reach the greater of €20,000,000 or 4% of a company’s global annual turnover.
The other category is for less serious infringement cases where fines can reach the greater of €10,000,000 or 2% of a company’s global annual turnover.
A violation of Article 18 GDPR, concerning the data subject’s right to restriction of processing of personal data, is a serious breach under GDPR (Article 83(5)(a) GDPR). It exposes a company to fines equal to the greater of €20,000,000 or 4% of its global annual turnover.
In addition, failure to observe the Article 12 GDPR requirements with regard to providing a data subject with supplementary information in response to the exercise of his or her right to be forgotten is considered a serious breach of GDPR (Article 83(5)(b) GDPR) and as such exposes a company to fines equal to the greater of €20,000,000 or 4% of its global annual turnover.