Right to restriction: How to make a right to restriction request

–– 15 May 2019

Know your rights. It’s your right to limit how organisations use your data. This maybe because of the accuracy of your personal data or how it’s being used. If necessary, you can also stop an organisation deleting your data. This is called the right to restriction, or right to restrict processing.

This right is covered in Article 18 of the GDPR, as follows:

“The data subject shall have the right to obtain from the controller restriction of processing”

This guide will show you how to exercise your right to restriction, under what circumstances you can exercise this right and what to expect from organisations.

How do I make a right to restriction request?

To exercise your right to restriction, you should:

  • make your request directly to the organisation, and
  • say what data you want restricted and why.

A request can be verbal or in writing or using our free tool Tapmydata.

If you make a right to restriction request verbally we recommend that you follow up in writing because doing so gives you proof of your actions should you need to challenge that organisation at a later date.

An organisation cannot charge you for making such requests, unless they are deemed unreasonable or excessive (the jury’s currently out on how these are defined!).

Use a tool, make life easier

We built Tapmydata to make it easy for citizens to exercise their data rights. The app will always be free and is available on Apple and Android. We don’t collect or hold your personal data.

When can I ask an organisation to restrict the use of my data?

You can ask organisations to temporarily limit the use of your data when they are considering:

  • a challenge you have made to the accuracy of your data, or
  • an objection you have made to the use of your data.

You may also ask an organisation to limit the use of your data rather than delete it if:

  • the organisation processed your data unlawfully but you do not want it deleted, or
  • the organisation no longer needs your data but you want the organisation to keep it in order to create, exercise or defend legal claims.

I am not happy with the response, what can I do?

If you are unhappy with how the organisation has responded to your request, you should first look to complain to that organisation. You should try and contact their data protection officer or customer support team. You can usually find this on their website or privacy policy.

If you are still unsatisfied, you can make a complaint to the Information Commisioner’s Office (ICO).

What should organisations do?

The organisation should take steps to restrict the use of your data. These can include:

  • temporarily moving your data to another system
  • making it unavailable to users, or
  • temporarily removing it from a website, if it has been published.

The organisation should also inform any other organisations it has shared your data with about the erasure. It can only refuse your right to be forgotten request if it is impossible or involves a “disproportionate” effort.

If the organisation has shared the data with others, it must contact each recipient and inform them of the restriction – unless this is impossible or involves a disproportionate effort. It must also inform you about these recipients if you ask.

When can an organisation use restricted data?

The organisation should store the restricted data securely and should not use the data unless:

  • Gets your consent
  • The data is needed for legal stuff
  • The data is used to protect another individual’s rights
  • Or for public interest reasons

Once an organisation has investigated why the data has been restricted, it may decide to lift the restriction and continue using your data. Remember, they must inform you that they have done this.

Can the organisation say no?

In most cases no. But the organisation can refuse to comply with a right to rectification request if it believes that the request is what the law calls “manifestly unfounded or excessive”. Remember though, the organisation should inform you of this outcome.

If the right to restriction request is unreasonable or excessive the organisation can:

  • Request a reasonable fee to deal with the request
  • Refuse to deal with the request.

In either case it will need to tell you and justify its decision.

When should I get a response?

The organisation has one month to respond to your request. In certain circumstances it may need extra time to consider it and can take up to an extra two months. If it is going to do this, it should let you know within one month that it needs more time and why.

Will it cost me anything?

Generally, no! Organisations can only charge a fee if the request is as the law states “manifestly unfounded or excessive”. The organisation then may be able to ask for a fee for admin costs associated with your request.


Subscribe to the Tapmydata newsletter.

    Media coverage.

    Find out who’s talking about Tap in the media.

    Download press kit

    Our partners.

    Check out our tribe of talented partners.

    Contact Tapmydata