Request restriction of personal data
Right to restriction is a data subject right under the Data Protection Act 2018 and GDPR 2018.
Our policy
This policy outlines our management of requests from data subjects to restrict processing of their personal information. This directive, as outlined in Article 18 of GDPR and Sections 47 and 48 of the Data Protection Act 2018, addresses the right of data subjects to request the restriction or suppression of personal data held about them by the data controller (the Council) and demonstrates how we will meet our legal obligations around this right.
It also outlines the procedure to be followed by data subjects when submitting a right to restriction request to us.
Review
This policy will be reviewed at least annually by the DPO to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.
For further information on how we process your personal data and your rights in this regard please see our privacy notice.
Contact
The Data Protection Officer (DPO) is responsible for processing right to erasure requests received by the Council. All questions or comments related to this policy or a specific right to erasure request should be directed to DPO@richmondandwandsworth.gov.uk.
Right to restriction requests
A right to restriction request is a written or verbal request from an individual for personal data held about them by the us to be restricted. Data subjects have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way we use their personal data.
When processing is restricted we have a right to store a data subject’s personal data but not use it unless:
- It has their consent to do so
- The data is needed for legal claims
- Its use is to protect another person’s rights, or
- Its use is for reasons of important public interest.
Data subjects have the right to have their personal data restricted if:
- They contest the accuracy of their personal data and we are verifying the accuracy
- The data has been processed unlawfully
- We no longer need the personal data but the data subject needs us to keep it order to establish, exercise or defend a legal claim
- The data subject has objected to us processing their personal data and we are considering this objection request.
The restriction in the processing of personal data is usually temporary and will be lifted once the initial reason for the request has been clarified. Data subjects will be informed of the lifting of this restriction prior to this action taking place.
Refusal
We can refuse to comply with a request for restriction if it is manifestly unfounded or excessive.
Making a request for restriction of personal data
To allow us to respond promptly to any right to erasure request we ask you to complete the online request form. Use of the form is not mandatory. However, completing the form should enable us to process your request more efficiently.
You can attach your proof of identity and address to the form, or alternatively you can email these documents to DPO@richmondandwandsworth.gov.uk, or post photocopies to:
The Data Protection Officer
Richmond and Wandsworth Councils
Ground Floor
Civic Centre
44 York Street
Twickenham
TW1 3BZ
Verbal requests
If you wish to make a verbal request please call 020 8831 6328 (Information Governance Office). We will still require proof of identity.
Fees
There is no charge for this service and we waive the right, in accordance with Article 12 of the GDPR to charge a 'reasonable fee' for administrative costs. We will instead refuse the request if we consider it to be 'manifestly unfounded or excessive'.
We will let you know if this is the case without undue delay. You have the right to challenge our decision.
What happens next
We will first check that we have enough information to be sure of the data subject’s identity. In some cases we may request any additional evidence we reasonably need to confirm the data subject’s identity. We do this to ensure that the correct data will be identified for restriction and that you have the authority to request this.
We will then check that we have enough information to find the records that have been requested for restriction. If we feel we need more information, then we will ask the data subject for clarification without undue delay.
We will then conduct a full search of all our relevant databases and filing systems and locate all data relevant to the data subject. We will identify all third-party processors that may also have the personal data and instruct them to restrict the processing of the data until further notice from us. Once located the data subject’s personal data will then be restricted from processing in our digital and physical environments using the appropriate technical and organisational measures available to us.
Once we have agreed to the restriction request we will respond to the data subject to confirm their personal data has been restricted until further notice.
Timescales
All right to restriction requests, once validated and accompanied by valid proof of identity, will be dealt with without undue delay and certainly within no later than one calendar month (from the day after we receive the request) in accordance with the GDPR and Data Protection Act 2018, Section 48.
This countdown only begins once we full satisfied around the validity of the request in terms of acceptable identification and clarity of the request.
In certain circumstances we can extend the time to respond by a further two calendar months. This will be advised to the data subject where we find the request to be complex or we have received a number of requests from the individual. We will let you know within the one calendar month of receiving the request if this is the case and explain why the extension is necessary.