1. Home
  2. Data subject's rights
  3. What are consequences of restricting personal data?
Searching...
EDPB - EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space
12 Jul. 2022
EDPB-EDPS Joint Opinion 03/2022
Download document
EDPB - Statement 02/2022 on personal data transfers to the Russian Federation
12 Jul. 2022
Statement 02/2022
Download document
EDPB - CSC Work Programme 2022-2024
6 Jul. 2022
CSC Work program 2022-2024
Download document
EDPB - Opinion 11/2022 on the draft decision of the competent supervisory authority of Poland regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 11/2022
Download document
EDPB - Opinion 12/2022 on the draft decision of the competent supervisory authority of France regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 12/2022
Download document
EDPB - Opinion 13/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 13/2022
Download document
EDPB - Opinion 14/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 14/2022
Download document
EDPB - Opinion 15/2022 on the draft decision of the competent supervisory authority of Luxembourg regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 15/2022
Download document
EDPB - Opinion 16/2022 on the draft decision of the competent supervisory authority of Slovenia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 16/2022
Download document
CJEU – Ligue des droits humains v Conseil des ministres – C-817/19
21 Jun. 2022
Ligue des droits humains
EDPB - Response to EDRi regarding the structural and procedural enforcement of the GDPR and its work to promote and safeguard data protection
14 Jun. 2022
EDPB GDPR Enforcement Letter
Download document
EDPB - Response of the EDPB to the European Commission's targeted consultation on a digital euro
14 Jun. 2022
EDPB Digital Euro Letter
Download document
EDPB - Guidelines 07/2022 on certification as a tool for transfers - Version 1.0
14 Jun. 2022
Guidelines 07/2022
Download document
EDPB - EDPB response to the joint payments industry regarding the Guidelines on the interplay of Second Payment Services Directive (PSD2) and GDPR
12 May. 2022
EDPB Guidelines PSD2 and GDPR Letter
Download document
EDPB - Guidelines 06/2022 on the practical implementation of amicable settlements - Version 2.0
12 May. 2022
Guidelines 06/2022
Download document

What are consequences of restricting personal data?

Contents

Controllers need to take various consequences into account when data are restricted. What are these?

Four consequences of data restriction

The GDPR describes four consequences following an invoked right to ristriction:

  1. Data may only be processed in specific situations;
  2. The data subject must be informed before lifting the data restriction;
  3. The data restriction must be communicated to the recipients;
  4. Upon his/her request, the data subject must be informed about the recipients.

Let’s investigate these consequences.

Process data only in specific situations

First, 18(2) GDPR states that, where processing has been restricted, personal data shall, with the exception of storage, only be processed:

  • with the data subject’s consent, or;
  • for the establishment, exercise or defence of legal claims, or;
  • for the protection of the rights of another natural or legal person, or;
  • for reasons of important public interest of the Union or of a Member State.

This list makes clear that the GDPR limits the controller’s freedom to process data. Since the storage of personal data is a processing activity, the GDPR underlines that this activity remains possible during the restriction of data. Next to storage, the data may only be processed in the four situations: with consent, for the establishment (etc.) of legal claims, for the protection of others or for reasons of important public interest.

Inform data subject before lifting restriction

Second, apart from the above-mentioned situations, the controller shall inform the data subject who has obtained restriction of processing before the restriction of processing is lifted (18(3) GDPR).

Communicate restriction to recipients

Third, the controller shall communicate any restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort (19 GDPR). In the context of Directive 2016/680, the WP29 stated that those recipients must also similarly restrict the processing of that personal data (WP258, p. 22). This is most likely also true under the GDPR, since recital 66 echoes this notion in the context of data rectification or erasure.

Inform data subject about recipients

Last and fourth, upon the data subject’s request, the controller shall inform him or her about those recipients (19 GDPR final sentence). In the context of Directive 2016/680, the WP29 stresses that this information should be given as soon as possible in order to avoid any adverse effect for the data subject who exercised his or her rights. (WP258, p. 22). There is no reason to think this term is longer under the GDPR, since the CJEU confirmed that the law mandates efficient and timely protection of the data subject’s rights (Fashion ID, par. 102).

Was this article helpful?

Yes No

About The Author

Joost Gerritsen

Author and creator of GDPR Beetle Joost Gerritsen is a data protection lawyer since 2010. Based in The Netherlands, he advises companies and governments. His publications have been picked up by the European Commission (JRC), the Council of Europe and UNESCO.

Related Articles

Leave a Comment