To fully leverage data in any organization, the data needs to be processed. Without processing, analyzing mass amounts of data becomes nearly impossible. Oftentimes, organizations rely on third parties to process the data they collect and store. This helps drive insights from the data at a rapid pace without interrupting regular operations.
However, the GDPR gives citizens in the EU and UK the right to restrict the processing of their personal data. This right comes with specific rules data controllers must follow. Citizens can exercise it only when certain circumstances are met.
This article covers your obligations when complying with the GDPR’s right to the restriction of processing.
- What is the Right to Restriction of Processing?
- How to Comply with the Right to Restrict Processing?
- Best Practices for Complying with the Right to Restriction of Processing
What is the Right to Restriction of Processing?
The right to restriction of processing is a fundamental right under the General Data Protection Regulation (GDPR). It gives individuals the right to request that a controller (an organization that processes personal data) restricts the processing of their personal data in certain circumstances.
By exercising this right, individuals can request that the controller restrict the processing of their personal data. They can also request that the controller store their personal data but no longer process it.
To exercise the right to restriction of processing, individuals must meet specific criteria. These criteria include any of the following circumstances:
- When the individual contests the accuracy of the personal data.
- When the processing is unlawful.
- When the controller no longer needs the personal data for processing.
- When the individual has objected to the processing and the controller is considering whether there is a legitimate interest in continuing the processing.
The right to restriction of processing gives individuals the right to temporarily suspend the processing of their personal data and helps protect their privacy. It also gives citizens more control over their personal data. So, organizations need processes to handle requests to restrict processing and to respect the rights of individuals under the GDPR.
How to Comply with the Right to Restrict Processing?
To comply with the right to restrict processing, data controllers need a process for complying with requests. The process you use should contain the following steps at a minimum:
- Verify the identity of the requestor: It is important to verify the identity of the individual making the request so that processing is restricted only for the correct person's personal data. This may involve requesting identification or other documentation.
- Confirm that the request is a valid right to restrict processing request: Make sure that the request is a valid right to restrict processing request and not something else, such as a request to erase personal data or object to its processing.
- Respond to the request: The data controller must respond to a request to restrict processing without undue delay, within one month of receiving the request. This period may be extended by two further months if the request is complex or if the controller has received a large number of requests.
- Locate and retrieve personal data: This may involve accessing electronic records or paper files.
- Store the personal data: Store the personal data but do not further process it unless the individual consents to the processing or the processing is necessary for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest.
- Notify third parties: If the personal data has been disclosed to third parties, inform those third parties about all requests to restrict processing and take reasonable steps to ensure that the personal data is not further processed.
- Document the request: Keep a record of all requests to restrict processing and the action taken in response to each request.
Best Practices for Complying with the Right to Restriction of Processing
When creating a process for your organization to comply with requests to restrict processing, keep the following best practices in mind:
- Establish clear processes and procedures: Ensure that processes and procedures for handling requests to restrict processing are clearly defined. This includes procedures for verifying the identity of the requestor, locating and retrieving the personal data, and storing but not processing the personal data.
- Train employees: Employees should know and understand the processes and procedures for handling requests to restrict processing, as well as their obligations under the GDPR.
- Keep accurate records: Record all requests to restrict processing, including the date of the request, the personal data that was requested to be stored but not further processed, and the action taken in response to the request.
- Respond promptly: Make sure to respond to every request to restrict processing promptly and within the required timeframe.
- Record third-party data disclosures: Every time your organization discloses personal data to a third party, keep detailed records of the disclosure. These records can help you take reasonable steps to ensure that the personal data is not further processed when someone exercises their right to restrict processing.
The right to restrict the processing of personal data is a fundamental right of all EU and UK citizens outlined in the GDPR. So, every organization that collects, stores, or processes data on citizens in the EU or UK, regardless of the location of the organization, must comply with requests related to the right to restrict processing. But complying with these requests can cause complications. The organization needs to stop all of its processing and any processing activities of third parties who received personal data from the organization.
Satori’s Data Security Platform can help you comply with all GDPR requirements without impacting the value of your data and maintain compliance with applicable data regulations.