At a glance
- Individuals have the right to request the restriction or suppression of their personal data.
- This is not an absolute right and only applies in certain circumstances.
- When processing is restricted, you are permitted to store the personal data, but not use it.
- An individual can make a request for restriction verbally or in writing.
- You have one calendar month to respond to a request.
- This right has close links to the right to rectification (Article 16) and the right to object (Article 21).
Checklists
Preparing for requests for restriction
- We know how to recognise a request for restriction and we understand when the right applies.
- We have a policy in place for how to record requests we receive verbally.
- We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
Complying with requests for restriction
- We have processes in place to ensure that we respond to a request for restriction without undue delay and within one month of receipt.
- We are aware of the circumstances when we can extend the time limit to respond to a request.
- We have appropriate methods in place to restrict the processing of personal data on our systems.
- We have appropriate methods in place to indicate on our systems that further processing has been restricted.
- We understand the circumstances when we can process personal data that has been restricted.
- We have procedures in place to inform any recipients if we restrict any data we have shared with them.
- We understand that we need to tell individuals before we lift a restriction on processing.
In brief
What is the right to restrict processing?
Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.
When does the right to restrict processing apply?
Individuals have the right to request you restrict the processing of their personal data in the following circumstances:
- the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
- the data has been unlawfully processed (ie in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
- the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:
- if an individual has challenged the accuracy of their data and asked for you to rectify it (Article 16), they also have a right to request you restrict processing while you consider their rectification request; or
- if an individual exercises their right to object under Article 21(1), they also have a right to request you restrict processing while you consider their objection request.
Therefore, as a matter of good practice you should automatically restrict the processing whilst you are considering its accuracy or the legitimate grounds for processing the personal data in question.
How do we restrict processing?
You need to have processes in place that enable you to restrict personal data if required. It is important to note that the definition of processing includes a broad range of operations including collection, structuring, dissemination and erasure of data. Therefore, you should use methods of restriction that are appropriate for the type of processing you are carrying out.
The GDPR suggests a number of different methods that could be used to restrict data, such as:
- temporarily moving the data to another processing system;
- making the data unavailable to users; or
- temporarily removing published data from a website.
It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).
If you are using an automated filing system, you need to use technical measures to ensure that any further processing cannot take place and that the data cannot be changed whilst the restriction is in place. You should also note on your system that the processing of this data has been restricted.
Can we do anything with restricted data?
You must not process the restricted data in any way except to store it unless:
- you have the individual’s consent;
- it is for the establishment, exercise or defence of legal claims;
- it is for the protection of the rights of another person (natural or legal); or
- it is for reasons of important public interest.
Do we have to tell other organisations about the restriction of personal data?
Yes. If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the restriction of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.
The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
When can we lift the restriction?
In many cases the restriction of processing is only temporary, specifically when the restriction is on the grounds that:
- the individual has disputed the accuracy of the personal data and you are investigating this; or
- the individual has objected to you processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of your legitimate interests, and you are considering whether your legitimate grounds override those of the individual.
Once you have made a decision on the accuracy of the data, or whether your legitimate grounds override those of the individual, you may decide to lift the restriction.
If you do this, you must inform the individual before you lift the restriction.
As noted above, these two conditions are linked to the right to rectification (Article 16) and the right to object (Article 21). This means that if you are informing the individual that you are lifting the restriction (on the grounds that you are satisfied that the data is accurate, or that your legitimate grounds override theirs) you should also inform them of the reasons for your refusal to act upon their rights under Articles 16 or 21. You will also need to inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek a judicial remedy.
Can we refuse to comply with a request for restriction?
If an exemption applies, you can refuse to comply with a request for restriction (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request. For more information, please see our guidance on Exemptions.
You can also refuse to comply with a request if it is:
- manifestly unfounded; or
- excessive.
In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy.
You must be able to demonstrate to the individual why you consider the request is manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.
What does manifestly unfounded mean?
A request may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right to restriction. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purposes other than to cause disruption. For example:
  - the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
  - the request makes unsubstantiated accusations against you or specific employees;
  - the individual is targeting a particular employee against whom they have some personal grudge; or
  - the individual systematically sends different requests to you as part of a campaign, eg once a week, with the intention of causing disruption.
This is not a simple tick list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made, and you are responsible for demonstrating that it is manifestly unfounded.
Also, you should not presume that a request is manifestly unfounded because the individual has previously submitted requests which have been manifestly unfounded or excessive or if it includes aggressive or abusive language.
The inclusion of the word “manifestly” means there must be an obvious or clear quality to it being unfounded. You should consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unfounded.
Example: An individual believes that information held about them is inaccurate. They repeatedly request its correction but you have previously investigated and told them you regard it as accurate.
The individual continues to make requests along with unsubstantiated claims against you as the controller.
You refuse the most recent request because it is manifestly unfounded and you notify the individual of this.
What does excessive mean?
A request may be excessive if:
- it repeats the substance of previous requests; or
- it overlaps with other requests.
However, it depends on the particular circumstances. It will not necessarily be excessive just because the individual:
- makes a request about the same issue. An individual may have legitimate reasons for making requests that repeat the content of previous requests. For example, if the controller has not handled previous requests properly;
- makes an overlapping request, if it relates to a completely separate set of information; or
- previously submitted requests which have been manifestly unfounded or excessive.
What should we do if we refuse to comply with a request for restriction?
You must inform the individual without undue delay and within one month of receipt of the request.
You should inform the individual about:
- the reasons you are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
How do we recognise a request?
The GDPR does not specify how to make a valid request. Therefore, an individual can make a request for restriction verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.
A request does not have to include the phrase ‘request for restriction’ or Article 18 of the GDPR, as long as one of the conditions listed above applies.
This presents a challenge as any of your employees could receive a valid verbal request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.
Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.
Can we charge a fee?
In most cases you cannot charge a fee to comply with a request for restriction.
However, you can charge a “reasonable fee” for the administrative costs of complying with the request if it is manifestly unfounded or excessive. You should base the reasonable fee on the administrative costs of complying with the request.
If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.
Alternatively, you can refuse to comply with a manifestly unfounded or excessive request.
How long do we have to comply?
You must comply with a request for restriction without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any information requested to confirm the requester’s identity (see Can we ask an individual for ID?); or
- a fee (only in certain circumstances – see Can we charge a fee?)
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
Example: An organisation receives a request on 3 September. The time limit will start from the same day. This gives the organisation until 3 October to comply with the request.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
Example: An organisation receives a request on 31 March. The time limit starts from the same day. As there is no equivalent date in April, the organisation has until 30 April to comply with the request.
For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
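
The calendar-month rule described above, worked through as an added Python example that is not part of the original guidance. The function names, the `holidays` parameter and the year 2019 in the sample dates are assumptions made for illustration; supply the public holidays that apply to your organisation.

```python
import calendar
from datetime import date, timedelta


def corresponding_date(received: date) -> date:
    """Same day-of-month in the following month, or that month's last
    day when no corresponding calendar date exists (e.g. 31 March)."""
    year = received.year + received.month // 12   # December rolls into next year
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def response_deadline(received: date, holidays=frozenset()) -> date:
    """Latest date to respond: the corresponding date, moved to the next
    working day if it falls on a weekend or a public holiday.
    `holidays` is a caller-supplied set of dates (an assumption here)."""
    due = corresponding_date(received)
    while due.weekday() >= 5 or due in holidays:   # 5 = Saturday, 6 = Sunday
        due += timedelta(days=1)
    return due


def internal_target(received: date) -> date:
    """Fixed 28-day operational target, which never falls after the
    calendar-month limit."""
    return received + timedelta(days=28)


if __name__ == "__main__":
    # Constructed sample dates; the year is assumed, the guidance gives none.
    xmas = frozenset({date(2019, 12, 25), date(2019, 12, 26)})
    for received, hols in [
        (date(2019, 9, 3), frozenset()),    # plain case
        (date(2019, 3, 31), frozenset()),   # no 31 April
        (date(2019, 9, 5), frozenset()),    # 5 October 2019 is a Saturday
        (date(2019, 11, 25), xmas),         # lands on public holidays
    ]:
        print(received, "->", response_deadline(received, hols),
              "| 28-day target:", internal_target(received))
```

A system that tracks requests can store both dates at receipt and alert on the 28-day target, keeping the calendar-month date as the hard limit.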
Can we extend the time for a response?
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
Can we ask an individual for ID?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.
You must let the individual know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.