Your right to limit how organisations use your data
Latest updates
19 January 2024 - Change to opening paragraph to clarify that organisations only need to comply with requests to restrict processing in certain circumstances.
You can ask organisations to limit the ways they can use your personal data, including asking them not to delete it. This is known as the ‘right to restriction’. Organisations only need to comply with your request in certain circumstances, and they may only need to apply a temporary restriction.
This right is closely linked to your rights to challenge the accuracy of your data and to object to its use.
How you can ask an organisation to restrict the use of your data
To exercise your right to restriction, you should:
- make your request directly to the organisation, and
- say what data you want restricted and why.
If you want to, you can make a request for restriction at the same time as you raise another objection.
A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your complaint, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.
When you can ask an organisation to restrict the use of your data
You can ask organisations to temporarily limit the use of your data when they are considering:
- a challenge you have made to the accuracy of your data, or
- an objection you have made to the use of your data.
You may also ask an organisation to limit the use of your data rather than delete it if:
- the organisation processed your data unlawfully but you do not want it deleted, or
- the organisation no longer needs your data but you want the organisation to keep it in order to create, exercise or defend legal claims.
What to do if the organisation does not respond or you are dissatisfied with the outcome
If you are unhappy with how the organisation has handled your request, you should first complain to it.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.
How should I raise my complaint about how an organisation has handled my information?
You can use the template letter below to help you raise your complaints.
[Your full address]
[Your phone number]
[The date]
[Name and address of the organisation]
[Reference number (if provided within the initial response)]
Dear [Sir or Madam / name of the person you have been in contact with]
Information rights complaint
[Your full name and address and any other details such as account number to help identify you]
I am concerned that you have not handled my personal information properly.
[Give details of your complaint, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]
I understand that before reporting my complaint to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my complaint to the ICO, I will give them a copy of it to consider.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me on the following number [telephone number].
Yours faithfully
[Signature]
What should organisations do?
The organisation must take appropriate steps to restrict the use of your data. These could include:
- temporarily moving your data to another system
- making it unavailable to users, or
- temporarily removing it from a website, if it has been published.
If the organisation has shared the data with others, it must contact each recipient and inform them of the restriction – unless this is impossible or involves a disproportionate effort. It must also inform you about these recipients if you ask.
When can an organisation use restricted data?
The organisation should store the restricted data securely and should not use the data unless:
- it has your consent to do so
- the data is needed for legal claims
- its use is to protect another person’s rights, or
- its use is for reasons of important public interest.
Once the organisation has investigated your complaint, it may decide to lift the restriction and continue using your data. You should be informed before the restriction is lifted.
When can the organisation say no?
If it believes that a request is, as the law states, “manifestly unfounded or excessive”, an organisation can:
- request a reasonable fee to deal with the request, or
- refuse to deal with the request.
In either case it will need to tell you and justify its decision.
How long should the organisation take?
An organisation has one calendar month to respond to your request. In certain circumstances the organisation may need extra time to consider your request and can take up to an additional two months. If it is going to do this, it should let you know within one month that it needs extra time and the reason why. For more information, see our guidance on Time Limits.
Can it charge a fee for this?
An organisation can only charge a fee if the request is “manifestly unfounded or excessive”. It may then ask for a reasonable fee to cover administrative costs associated with the request.