GDPR Right to Restrict Processing Explained

The new General Data Protection Regulations come into effect the last week of May. These guidelines are aimed at protecting the rights of EU citizens. Businesses that employ or do business with EU citizens must comply with these regulations or face stiff penalties.

What is the Right to Restrict Processing?

Individuals whose personal data is being collected have the right to ask that their personal data be restricted or suppressed—in special situations.

Article 18 of the GDPR outlines the individual’s right to restrict the processing of personal data. The individual has the right to limit how the business collecting the data uses it. They must have a legitimate reason for doing so.

Why Restrict Processing?

Individuals who request restrictions may have issues with what is contained in the file. Or, they may be concerned with how the data is going to be used and/or stored.

What Do Companies Need to Know?

If restrictions are requested and the individual’s claim is upheld it means that the gatherer is allowed to store this data but it cannot be used.

  • Requests to restrict can be made in writing or orally.
  • The gatherer has one month to give a response.
  • Businesses must have a process for responding to these requests. Requests should be recorded and dated.
  • Businesses should know when a request is legitimate and when it is frivolous.
  • If the company refuses a request it must provide the individual with a good reason which fits the guidelines.
  • Companies need a process for investigating legitimate requests.

The business also needs to know how to restrict information if a request is deemed reasonable. A procedure also has to be in place to share this information with the requester.

It is quite possible that restrictions are for a specified time period. Should restrictions later be lifted, the company needs to know how and when to do this and how to let the individual know.