April 30, 2020

What is an Individual’s right to restrict data processing?

Inasmuch as the data harvested by your organisation relates to individuals, then those individuals have a right to restrict what it is used for – and your organisation needs to have the requisite procedures to deal with this. Your organisation should detail these procedures in its Privacy Policy.

A request from an individual to restrict data processing can be made verbally or in writing.  As with other such requests, you need to be sure of the identity, using “Reasonable Means”, of the individual asking for the restriction and must therefore verify that the individual asking is the one who’s data is being processed.

You should respond to a request without delay and at least within one month of receipt.

To restrict the processing of the individual’s data means that only such data as is needed for managing the individual’s activities may be stored together with relevant details relating to the restriction being in place. No other use of the data may be made. 

There are times when it is in the organisation’s interest to restrict the processing of data:

  • If the individual has challenged the accuracy of the data – the organisation may want to restrict use of the data until the accuracy is confirmed or amended
  • If the individual has asked for their data to be restricted and you are still determining whether this is an area where it still forms a legitimate interest sufficient to outweigh the request - while this determination takes place, the data should be restricted
  • In a situation where the processing of the data would be unlawful, but the individual does not want the data deleted but does want it restricted (possibly so that the individual can maintain such records for their own reasons)
  • The organisation does not need the data any further, but the individual needs it present for external purposes – to follow up on a legal claim, or have a historic record of some activity etc.

It is good practice to check your own procedures periodically to determine if data sets should be restricted.

Where such data has been shared with third parties, your organisation must keep those third parties informed upon receipt of a restriction request unless impossible or disproportionate effort is required to do so.

In the event you decide to lift a restriction on processing, then the relevant individual must be informed - both of the lifting of the restriction and the justification for that action.

Secure Business Data

We are here to help you secure your business data using cutting edge technology.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram