7—Restriction to processing

7. (1) Pursuant to section 34 of the Act, a data subject may request a data controller or data processor to restrict the processing of their personal data on grounds that—

(a)  the data subject contests the accuracy of their personal data;

(b)  the personal data has been unlawfully processed and the data subject opposes the erasure and requests restriction instead;

(c)  the data subject no longer needs their personal data but the data controller or data processor requires the personal data to be kept in order to establish, exercise or defend a legal claim; or

(d)  a data subject has objected to the processing of their personal data under regulation 8 and a data controller or data processor is considering legitimate grounds that override those of the data subject.

(2) A request for restriction to processing of personal data on any of the grounds provided under section 34 of the Act may be made in Form DPG 1 set out in the First Schedule.

(3) A data controller or data processor shall within fourteen days of the request for restriction pursuant to sub-regulation (2), and without charging any fee—

(a)  admit and implement the request;

(b)  indicate on the data controller or data processor's system that the processing of the personal data has been restricted; and

(c)  notify any relevant third party of the restriction where personal data, subject to such restriction, may have been shared.

(4) A data controller or a data processor may implement a restriction to processing request by—

(a)  temporarily moving the personal data to another processing system;

(b)  making the personal data unavailable to third parties; or

(c)  temporarily removing published data specific to the data subject from its website or other public medium in its control.

(5) A data controller or data processor may decline to comply with a request for restriction in processing, where such request is manifestly unfounded or excessive.

(6) Where a data controller or data processor declines a request on any of the grounds provided under section 34(2) of the Act, the data controller or data processor shall within fourteen days of the refusal, notify the data subject of the refusal, in writing, and shall provide the reasons for the decision.

(7) A data controller or data processor shall not process personal data that has been restricted, except to store the personal data, in accordance with section 34(2)(a) of the Act.

PART II— ENABLING THE RIGHTS OF A DATA SUBJECT