Controllers need to take various consequences into account when data are restricted. What are these?
Four consequences of data restriction
The GDPR describes four consequences that follow once the right to restriction has been invoked:
- Data may only be processed in specific situations;
- The data subject must be informed before lifting the data restriction;
- The data restriction must be communicated to the recipients;
- Upon his/her request, the data subject must be informed about the recipients.
Let’s investigate these consequences.
Process data only in specific situations
- with the data subject’s consent, or;
- for the establishment, exercise or defence of legal claims, or;
- for the protection of the rights of another natural or legal person, or;
- for reasons of important public interest of the Union or of a Member State.
This list makes clear that the GDPR limits the controller’s freedom to process data. Since the storage of personal data is a processing activity, the GDPR underlines that this activity remains possible during the restriction of data. Apart from storage, the data may only be processed in these four situations: with consent, for the establishment (etc.) of legal claims, for the protection of others or for reasons of important public interest.
Inform data subject before lifting restriction
Communicate restriction to recipients
Third, the controller shall communicate any restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort (19 GDPR). In the context of Directive 2016/680, the WP29 stated that those recipients must also similarly restrict the processing of that personal data (WP258, p. 22). This is most likely also true under the GDPR, since recital 66 echoes this notion in the context of data rectification or erasure.
Inform data subject about recipients
Fourth and last, upon the data subject’s request, the controller shall inform him or her about those recipients (19 GDPR final sentence). In the context of Directive 2016/680, the WP29 stressed that this information should be given as soon as possible in order to avoid any adverse effect for the data subject who exercised his or her rights (WP258, p. 22). There is no reason to think this term is longer under the GDPR, since the CJEU confirmed that the law mandates efficient and timely protection of the data subject’s rights (Fashion ID, par. 102).