Guide to Data Protection Act for Data Controllers

Individual rights

The right to stop or restrict processing

At a glance

  • Individuals have the right to require that processing stop, or not begin, or cease processing for a specified purpose or in a specified way.
  • This is not an absolute right and does not apply in certain circumstances.
  • An individual must make a request to stop processing in writing.
  • You have one twenty-one days to respond to a request, or apply to the Ombudsman not to comply with the request.
  • This right has close links to other rights, including the right to rectification (the fourth data protection principle) and the right to object to direct marketing (section 11 of the DPA). 

Checklist 

Preparing for requests to stop or restrict processing 

  • We know how to recognize a request to stop or restrict processing and we understand when the right applies.
  • We have a log in place to record requests.
  • We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

 

Complying with requests to stop or restrict processing

  • We have processes in place to ensure that we respond to a request to stop or restrict processing without undue delay and within twenty-one days of receipt.
  • We have appropriate methods in place to stop or restrict the processing of personal data on our systems.
  • We have appropriate methods in place to indicate on our systems that processing has been restricted.
  • We understand we need to apply to the Ombudsman not to comply with a request to stop or restrict processing.
  • We have procedures in place to inform any recipients if we stop or restrict any data we have shared with them.  

In brief

What is the right to stop or restrict processing?

Section 10 of the DPA gives individuals the right to require organisations that process their personal data to stop processing, not begin processing, or cease processing for a specified purpose or in a specified way.

This means that an individual can stop or limit the way that a data controller uses their data. This is includes the erasure of their data.

Individuals have to notify you in writing, but they do not have to state a reason to have the right to stop or restrict the processing of their personal data.

This right does not apply in all circumstances. There are also certain exemptions from the right to stop or restrict processing.

The individual may agree to impose the restriction for a certain period of time. 

When does the right to stop or restrict processing apply?

Individuals have the right to demand that you stop processing, not begin processing, or cease processing their personal data for a specified purpose or in a specified way.

However, you do not have to comply with a request to stop or restrict processing if:

  • the processing is necessary for performance of a contract to which the individual is a party (or taking steps at the request of the individual towards entering into a contract;
  • the processing is necessary under a legal obligation to which the data controller is subject;
  • the processing is necessary to protect the vital interests of the individual; or
  • you have requested and received the approval of the Ombudsman.

Although this is distinct from the right to rectification and the right to object to direct marketing, there are close links between those rights and the right to stop or restrict processing:

  • under section 14 of the DPA individuals have the right to complain to the Ombudsman, and the Ombudsman may order that the personal data be blocked, erased or destroyed (as well as rectified); and
  • under section 11 of the DPA individuals have the right to object to direct marketing.

As a matter of best practice you should automatically temporarily restrict the processing while you or the Ombudsman are considering the request or complaint. 

How do you stop or restrict processing?

You need to have processes in place that enable you to stop or restrict processing personal data if required. It is important to note that the definition of processing includes a broad range of operations including collection, structuring, dissemination and erasure of data. Therefore, you should use methods of restriction that are appropriate for the type of processing you are carrying out.

Depending on the circumstances, if the request is to cease processing personal data for a specified purpose, in a specified way, or for a certain period of time, you may have to:

  • temporarily move the data to another processing system;
  • make the data unavailable to users; or
  • temporarily remove published data from a website.

If the individual has asked you not to erase the data, it is particularly important that you consider how you store personal data that you no longer need to process otherwise.

If you are using an automated filing system, you need to use technical measures to ensure that any further processing cannot take place and that the data cannot be changed while the restriction is in place. You should also note on your system that the processing of this data has been restricted. 

Can you do anything with restricted data?

Depending on the nature of the restriction the individual requested, you may not be able to process the data at all, and it should be erased. This is the case unless:

  • the individual has not demanded that you stop processing their data outright, but that you cease processing their personal data for a specified purpose or in a specified way only;
  • the data is being processing in the context of a contract, a legal obligation or to protect the vital interests of the individual; or
  • an exemption applies to the processing you undertake.

You can also apply to the Ombudsman for permission not to comply with a request to stop or restrict processing. If so, you must do so within twenty-one days from the date of the request, and inform the individual that you have applied to the Ombudsman.

Do you have to tell other organisations about ceasing or restricting processing of personal data following a request from an individual?

If the Ombudsman issues an order to block, erase or destroy data, she may if it is considered practicable order you to notify third parties to whom the data may have been disclosed of the blocking, erasure or destruction.

In any event, it is good practice to let any third parties to whom the personal data was disclosed know of the fact that you stop or restrict processing.

The DPA defines a third party as follows: 

 “third party”, in relation to personal data, means any person other than -

(a) the data subject;

(b) the data controller; or

(c) any data processor or other person authorised to process data for

the data controller or data processor.  

Can you refuse to comply with a request to cease or restrict processing?

If you do not wish to comply with a request to cease or restrict processing you can apply to the Ombudsman within twenty-one days from the date of the request.

If you apply to the Ombudsman you need to inform the individual that you did so.

As explained above, the right to demand that processing is stopped or restricted does not apply in all circumstances.

There are also certain exemptions from the right to stop or restrict processing. 

What are the exemptions to the right to stop or restrict processing?

Apart from the general circumstances when the right to stop or restrict processing does not apply, namely where the data is being processing in the context of a contract, a legal obligation or to protect the vital interests of the individual, the DPA recognizes the following exemptions from the right to stop or restrict processing:  

  • Section 18: exemption relating to national security;
  • Section 22: exemption relating to journalism, literature and art;
  • Section 24: exemption relating to information available to the public by the Act;
  • Section 25: exemption relating to disclosure required by the Act or made in connection with legal proceedings; and
  • Section 26: exemption relating to personal, family and household affairs. 

For more details on these and other exemptions, see here.

How do you recognize a request to stop or restrict processing?

The DPA does not specify how to make a valid request, except to say that it must be made in writing.

A request can be made to any part of your organisation and does not have to be to a specific person or contact point. You may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request

A request does not have to include the phrase 'request for restriction' or section 10 of the DPA, as long it is writing and asks that data processing is stopped, not begun or that processing cease for a specified purpose or in a specified way

Additionally, it is good practice to have a policy for recording details of the requests you receive. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. 

Can you charge a fee for responding to a request to stop or restrict processing?

You cannot charge a fee to comply with a request for stopping or restricting processing personal data. 

How long do you have to comply with a request to stop or restrict processing?

The DPA does not set a timeline for your response to an individual’s request to cease or restrict processing under section 10. However, section 6(1) of the Data Protection Regulations, 2018, allows a period of twenty-one days from the date of the request, for you to apply to the Ombudsman not to comply with a request to cease or restrict processing. Therefore, in effect, a response to the request to cease or restrict processing should also be provided within twenty-one days. 

Can you ask an individual for ID?

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

You must let the individual know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information. 

Relevant provisions

Data Protection Act (2021 Revision)

Section 10: Right to stop processing                                                                                 

Section 14: Rectification, blocking, erasure or destruction                                                                               

Section 43: Complaints to the Ombudsman                                                                                

Section 45: Enforcement orders

Data Protection Regulations, 2018:

Regulation 6: Circumstances when data controller is not obliged to comply

Previous Next