Request restriction of personal data
Right to restriction is a data subject right under the Data Protection Act 2018 and UK GDPR 2018.
Our policy
This policy outlines our management of requests from data subjects to restrict processing of their personal information. This directive, as outlined in Article 18 of UK GDPR and Sections 47 and 48 of the Data Protection Act 2018, addresses the right of data subjects to request the restriction or suppression of personal data held about them by the data controller (the Council) and demonstrates how we will meet our legal obligations around this right.
It also outlines the procedure to be followed by data subjects when submitting a right to restriction request to us.
Review
This policy will be reviewed at least annually by the Data Protection Officer (DPO) to ensure alignment to appropriate risk management requirements and its continued relevance to legal developments and legislative obligations.
For further information on how we process your personal data and your rights in this regard please see our privacy notice.
Contact
The DPO is responsible for processing right to restriction requests received by the Council. All questions or comments related to this policy or a specific right to restriction request should be directed to DPO@richmondandwandsworth.gov.uk.
Right to restriction requests
A right to restriction request is a written or verbal request from an individual for use of the personal data held about them to be restricted. Data subjects have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way we use their personal data.
When processing is restricted we have a right to store a data subject’s personal data but not use it unless:
- We have their consent to do so
- The data is needed for legal claims
- Its use is to protect another person’s rights, or
- Its use is for reasons of important public interest.
Data subjects have the right to have their personal data restricted if:
- They contest the accuracy of their personal data and we are verifying the accuracy
- The data has been processed unlawfully
- We no longer need the personal data but the data subject needs us to keep it in order to establish, exercise or defend a legal claim
- The data subject has objected to us processing their personal data and we are considering this objection request.
The restriction in the processing of personal data is usually temporary and will be lifted once the initial reason for the request has been clarified. Data subjects will be informed of the lifting of this restriction prior to this action taking place.
Refusal
We can refuse to comply with a request for restriction if it is manifestly unfounded or excessive.
Making a request for restriction of personal data
To allow us to respond promptly to any right to restriction request please complete the online request form. Use of the form is not mandatory. However, completing the form should enable us to process your request more efficiently.
You can attach your proof of identity and address to the form, or alternatively you can email these documents to DPO@richmondandwandsworth.gov.uk, or post photocopies to:
The Data Protection Officer
Wandsworth Council
Town Hall
Wandsworth High Street
London
SW18 2PU
Verbal requests
If you wish to make a verbal request please call 020 8831 6328 (Information Governance team). We will still require proof of identity.
Fees
There is no charge for this service and we waive the right, in accordance with Article 12 of the GDPR, to charge a 'reasonable fee' for administrative costs. We will instead refuse the request if we consider it to be 'manifestly unfounded or excessive'.
We will let you know if this is the case without undue delay. You have the right to challenge our decision.
What happens next
We will first check that we have enough information to be sure of your identity. In some cases we may request any additional evidence we reasonably need to confirm this. We do this to ensure that the correct data will be identified for restriction and that you have the authority to make this request.
We will then check that we have enough information to find the records that have been requested for restriction. If we feel we need more information, then we will ask for clarification without undue delay.
We will then conduct a full search of all our relevant databases and filing systems and locate all data relevant to your request. We will identify all third-party processors that may also have the personal data and instruct them to restrict the processing of the data until further notice from us. Once located, your personal data will then be restricted from processing in our digital and physical environments using the appropriate technical and organisational measures available to us.
Once we have agreed to the restriction request we will respond to you to confirm your personal data has been restricted until further notice.
Timescales
All right to restriction requests, once validated and accompanied by valid proof of identity, will be dealt with without undue delay and no later than one calendar month (from the day after we receive the request), in accordance with the GDPR and Data Protection Act 2018, Section 48.
This countdown only begins once we are fully satisfied of the validity of the request in terms of acceptable identification and clarity of the request.
In certain circumstances we can extend the time to respond by a further two calendar months. This will be advised to the data subject where we find the request to be complex or we have received a number of requests from the individual. We will let you know within the one calendar month of receiving the request if this is the case and explain why the extension is necessary.