Know your rights. Right to restrict processing. How to limit the handling of data.

When you need more time to decide whether your data should be deleted from an organization's system, you can restrict processing. This right is important because it gives you time and assurance that your data won't be utilized while concerns or errors are being addressed.

What it is

The right to restrict processing allows you to request an organization to only store your data without using or sharing it. Typically, this occurs when you're exercising your right to object, erasure, or rectification, and you want the organization to refrain from using the disputed information for any purpose other than dealing with your request. Upon your request, the organization will continue storing your data but will do it in a different system or place a block on it.

This right is also an alternative to erasure. You might want to prevent an organization from using certain personal information for other purposes while still keeping that information on file.

You can use your right to restrict processing:

• If the use of your data is unlawful, but you don't want it to be deleted (to have proof of it).
• While the organization is responding to your rectification request, you don't want incorrect or incomplete data to be used.
• When you've objected to the processing of your data, and the organization is verifying the request.
• If the organization no longer needs your personal data for processing purposes, but you require them to keep it for a legal claim you're involved in.

Two important notes:

1. You cannot restrict processing forever. It can only be done until the reason for the restriction is resolved, such as when the organization corrects or deletes your data. In the case of unlawful processing, the restriction usually lasts until you consent to processing or delete your data from their system. Regardless, the organization must notify you before lifting the restriction.

2. You cannot request restriction if your data is needed for a legal purpose or in the public interest.

Example story

A new bank on the domestic market offers good home loan deals. Tom is buying a new house and so decides to switch banks. He asks the 'old' bank to close down all accounts and request to have all his personal details deleted. The old bank, however, is subject to a law obliging banks to store all customer details for 10 years. The old bank is legally obliged to store his data, but he can still ask for restrictions on the data to ensure that it's not accidentally used for unwanted purposes.

Curious to see all the organizations that are holding your data?

Bitdefender Digital Identity Protection shows you what companies and organizations have your information and comes with pre-written emails for them to retrieve or delete your information. All you have to do is fill in your name and press "send."

How to Restrict Processing:

• Reach out to the organization/ company and inform them you want to restrict the processing of your data. To be more efficient, consider combining this request with any requests to rectify data or object to processing for efficiency.

You can send your request through email, letter, fax, or an online form, as long as you have a written record of the request. Look for the relevant email address in the "privacy policy" or "contact us" section of the controller's website.

In your request:

• Include your name and details needed to find you in the system: username, phone number, username, account name, or IP address.
• Specify the data you want processing restricted and explain the reason for the restriction.
• If submitting your request as an attachment or in a letter, include the date to clarify the deadline for them.

What to Expect:

Once they receive your request, they have one month to respond, with a possible extension of two months in complex cases.

If the organization decides not to restrict processing, rejects your request, tries to unjustifiably charge you, or fails to confirm the restriction within the deadline, you have the right to file a complaint with a data protection authority in your country.

In the US. The CCPA, and the Nevada Privacy Law allow residents to prohibit a business from selling their personal information. The Virginia CDPA, Colorado Privacy Act, and Connecticut Privacy Act, provide a right to restrict processing for the purposes of sale, targeted advertising, and profiling. The Utah Consumer Privacy Act provides a slightly narrower right to restrict processing for the purposes of sale or targeted advertising.

Sources: European Commission, noyb.eu, Data Protection Laws and Regulations USA 2023