Right to restriction of processing
The data subject can request the controller to restrict the processing of personal data concerning him or her.
The restriction of processing means that, in addition to storage, the personal data subject to the restriction can only be processed
- with the data subject’s consent
- for the establishment, exercise or defence of legal claims
- for the protection of the rights of another natural or legal person or
- for reasons of important public interest of the Union or a Member State.
The right to restriction exists in the following cases:
- The data subject contests the accuracy of the personal data. In such cases, the processing will be restricted for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful, but the data subject opposes the erasure of the personal data and requests the restriction of its use instead.
- The controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
- The data subject has objected to the processing of the personal data for purposes other than direct marketing and is awaiting verification on whether the legitimate grounds of the controller override those of the data subject.
If processing has been restricted, the controller must inform the data subject before the restriction is lifted.
Processing can be restricted, for example, by transferring the data to another processing system, preventing users from accessing the data or deleting published data from a website.
How quickly is the controller required to reply to the data subject’s request?
The controller must respond to the data subject without undue delay and not later than in one month from receiving the request. In the reply, the controller shall indicate the measures it has taken due to the request.
If the requests are numerous or complex, the controller can reply that it needs more time to process them. In such cases, the deadline can be extended by a maximum of two months. Justifications must be provided for the extension.
If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.
Is it possible to charge a fee from the data subject?
As a rule, the exercise of rights is free of charge.
If the data subject’s requests for restriction are manifestly unfounded or excessive, the controller can either charge a reasonable fee from the data subject or refuse the request.
Requests can be considered manifestly unfounded or excessive particularly if they are made repeatedly. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.
The administrative costs of supplying the information or messages or carrying out the requested measure must be taken into account when determining the amount of possible fee.
Can the request be refused?
The controller evaluates whether or not the conditions for restricting the processing of data are met. If the controller finds that the right to restriction of processing does not apply, it is entitled to refuse the request, and the data subject can then refer the matter to the Data Protection Ombudsman.
If the data subject’s requests are manifestly unfounded or excessive, the controller can either refuse the request or charge a reasonable fee for fulfilling it.
If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the Data Protection Ombudsman and the availability of judicial remedies.
Inform recipients of the restriction of processing
Where viable, the controller must inform each recipient to whom the personal data has been disclosed of the restriction of processing. The controller is required to notify the data subject of these recipients if so requested by the data subject.
Confirming the identity of the data subject
The controller must be able to confirm the identity of the data subject exercising his or her data protection rights. If the controller has reasonable doubts concerning the identity of the person who made the request, it can request the provision of additional information necessary to confirm his or her identity.
The GDPR does not provide for the methods of confirming the data subject’s identity. Many controllers already have suitable procedures in place. For example, the controller may have verified the data subject's identity before entering into the agreement or obtaining consent for the processing. This personal data can then be used to confirm the data subject's identity also in connection with fulfilling the rights of the data subject.
If the controller requests additional information for confirming the data subject’s identity, this may not cause unreasonable demands or the collection of personal data that is not relevant or necessary.
If the controller is unable to identify the data subject, it must notify him or her of this if viable.
If the controller refuses the data subject’s request due to not being able to identify the data subject, it must demonstrate that it is unable to confirm the identity of the data subject.
If the data subject cannot be identified, he or she cannot exercise the right
- of access to data
- to rectification of data
- to erasure of data
- to restrict the processing of data or
- to data portability.
The data subject can provide additional information for the purposes of identification, however.
When is confirming the data subject's identity not necessary?
Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.
If the personal data that permit the identification of the data subject is not necessary for the purpose of processing, the GDPR does not obligate controllers to keep, obtain or process such additional data solely for the purpose of compliance with the GDPR.
GDPR: Articles 12, 18 and 19