What is a restriction on processing personal data?
Restriction of processing means limiting how a company can use your personal data, without deleting it. If processing your personal data is restricted, the company must keep it but cannot use it. This can be useful if you still need the data as evidence or the deletion of your data would harm you (e.g. when you still want to use a service or product) or while you wait for data to be rectified.
You have the right to restrict processing in the following cases:
- If you contest the accuracy of the data (see the right to rectification)
- If the processing is unlawful and you rather want the data to be restricted instead of deleted to be able to prove that the data was not legally processed
- If the company does not need the data anymore, but you need it for the establishment or defense of legal claims (often against the company itself)
- If you exercise the right to object and you are waiting for a decision
How do I restrict processing?
- Inform the company that you are seeking to restrict the processing of your data.
- Specify the data for which you ask the restriction and the reason for seeking a restriction.
What are the consequences of restricting of processing?
- The processing of your data is restricted until your rectification or objection request is dealt with (if that was the reason why you had it restricted).
- The company must notify you before they lift the restriction.
Typical Problems
- The right to restriction is often technically challenging for companies, as they have to “freeze” data, which is often not foreseen in their systems.
- The right is not commonly exercised, so many companies may not have proper procedures in place.