Controllers need to take various consequences into account when data are restricted. What are these?
Four consequences of data restriction
The GDPR describes four consequences following an invoked right to restriction:
- Data may only be processed in specific situations;
- The data subject must be informed before lifting the data restriction;
- The data restriction must be communicated to the recipients;
- Upon his/her request, the data subject must be informed about the recipients.
Let’s investigate these consequences.
Process data only in specific situations
First, 18(2) GDPR states that, where processing has been restricted, personal data shall, with the exception of storage, only be processed:
- with the data subject’s consent, or;
- for the establishment, exercise or defence of legal claims, or;
- for the protection of the rights of another natural or legal person, or;
- for reasons of important public interest of the Union or of a Member State.
This list makes clear that the GDPR limits the controller’s freedom to process data. Since the storage of personal data is a processing activity, the GDPR underlines that this activity remains possible during the restriction of data. Besides storage, the data may only be processed in these four situations: with consent, for the establishment (etc.) of legal claims, for the protection of others or for reasons of important public interest.
Inform data subject before lifting restriction
Second, apart from the above-mentioned situations, the controller shall inform the data subject who has obtained restriction of processing before the restriction of processing is lifted (18(3) GDPR).
Communicate restriction to recipients
Third, the controller shall communicate any restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort (19 GDPR). In the context of Directive 2016/680, the WP29 stated that those recipients must also similarly restrict the processing of that personal data (WP258, p. 22). This is most likely also true under the GDPR, since recital 66 echoes this notion in the context of data rectification or erasure.
Inform data subject about recipients
Fourth and last, upon the data subject’s request, the controller shall inform him or her about those recipients (19 GDPR final sentence). In the context of Directive 2016/680, the WP29 stresses that this information should be given as soon as possible in order to avoid any adverse effect for the data subject who exercised his or her rights (WP258, p. 22). There is no reason to think this term is longer under the GDPR, since the CJEU confirmed that the law mandates efficient and timely protection of the data subject’s rights (Fashion ID, par. 102).