Getting to grips with GDPR: The right to have data restricted

profile picture Yoti 3 min read

The sixth article in our series on GDPR rights is about the right to have data restricted. Catch up on previous articles on your right to be informed, the access right, correction rightdeletion right, and the right to object.


Part 6: The right to have data restricted

This right is not strictly new, as current law provides for a court to be able to order an organisation to restrict their processing of certain data, but GDPR makes it a right you can exercise directly with an organisation.

This right is essentially like putting your personal data in limbo – the organisation can continue to store it, but they cannot actively do anything with it.


What’s new?

You can ask an organisation to restrict your data in the following circumstances.

  • Where you dispute the accuracy of the personal data you can ask the organisation to restrict it until the dispute is resolved.
  • Where you have objected to the organisation processing your personal data (see part 5 of our blog post series for more information on the objecion right) you can ask the organisation to restrict it until the issue is resolved.
  • When the organisation has processed your data unlawfully, you can request restriction instead of deletion.
  • If the organisation no longer needs the personal data (and so would ordinarily delete it) but you need the data to establish, exercise or defend a legal claim.

The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions that mean that an organisation may not have to comply with your request in certain circumstances.

The organisation also has to be able to verify your identity before taking action as a result of your request.


Fees and timescales

Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request.

Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.

You can make a restriction request to