Restriction of processing meaning

STOP PRESS: This document is currently being updated to take account of the full implementation of the Data (Use and Access) Act 2025 (DUAA 2025), which amends both the UK GDPR and the Data Protection Act 2018. For further guidance on the compliance consequences of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications. The UK General Data Protection Regulation (UK GDPR) grants data subjects several rights, including, among others: access to their personal data rectification erasure restriction of processing data portability a right of data subjects Individuals may ask an organisation at any time of their choosing to exercise one or more of these rights, and strict time limits and deadlines apply to responding to such requests promptly. See Practice Note: How to handle data subject requests. This Flowchart sets out a process for dealing with data subject requests made under the UK GDPR and reflects the requirements in the UK GDPR together...

This diagram mirrors HMRC’s Flowchart 4, set out at paragraph 5.24 of the Guidance Note on residence, domicile and the remittance basis (RDR1). It is for use when a taxpayer clearly plans to depart the UK in the future...

The EU General Data Protection Regulation (EU GDPR) sets out several rights for data subjects, including the right to access their personal data, and rights to rectification, erasure, restriction of processing and data portability. Data subjects may ask an organisation to exercise one or more of these rights at any time, and strict deadlines apply to meeting such requests. For comprehensive guidance on managing data subject access requests, see Practice Note: Ireland-How to handle data subject access requests. This Flowchart outlines a process for dealing with data subject requests made under the EU GDPR. It reflects the Regulation’s requirements alongside guidance issued by the Data Protection Commissioner (DPC), and should be read with Practice Note: Ireland-How to handle data subject access requests and Ireland-Evaluating a data subject access request-flowchart, where relevant. Note 1-data subject requests The EU GDPR grants data subjects a number of rights, including: a right of access to their personal data rights to rectification, erasure and restriction of processing a...

In this issue: Brexit Headlines Brexit SIs Constitutional and administrative law Equality and human rights Judicial review Public procurement State security and intelligence State accountability and liability Information law Other Public Law news Daily and weekly news alerts New and updated content Free webinars Dates for your diary Trackers Useful information Brexit Headlines UK and EU reaffirm commitment to citizens’ rights under Withdrawal Agreement Following the 18 December 2025 meeting of the Specialised Committee on Citizens’ Rights, the Cabinet Office confirmed that the UK and the EU restated their pledge to fully deliver the citizens’ rights provisions of the Withdrawal Agreement. The session examined progress on Part Two (Citizens’ Rights) and considered continuing matters impacting EU nationals in the UK and UK citizens living in EU member states. The co-chairs welcomed recent legislation clarifying aspects of status for certain EU nationals within the EU Settlement Scheme (EUSS),...

In this issue: Financial sanctions Data protection Cybersecurity Other practice compliance updates this week Question of the week Daily and weekly news alerts Trackers New and updated content Financial sanctions Office of Trade Sanctions Implementation updates guidance on trade sanctions licence applications The Office of Trade Sanctions Implementation has updated its guidance for trade sanctions licence applications, with the latest revision on 10 February 2025 clarifying when an import licence cannot be issued. The guidance identifies three separate licensing authorities within the DBT: the Office of Trade Sanctions Implementation (OTSI) for standalone services, the Import Controls and Sanctions team for import licences, and the Export Control Joint Unit (ECJU) for strategic export licences. Import licences must be secured before goods are moved to the UK, and cannot be issued for consignments already at the UK border or held in storage before a customs declaration. The publication stresses that the appropriate licence must be in place...

Social media companies face two possible restrictions on the way they can process data for personalised ads if judges follow a legal opinion issued for the EU’s top court on 25 April 2024 A non-binding opinion by Advocate General Athanasios Rantos for the Court of Justice, in the dispute between Meta Platforms and Austrian privacy advocate Max Schrems, signals two curbs on how platforms handle data for personalised advertising. He indicated that EU privacy rules bar firms from processing such data indefinitely, and that the mere fact information is public does not automatically justify its use for targeting ads. Data minimisation under the EU GDPR means companies cannot run targeted advertising with open-ended scope, either in duration or in the breadth of data involved, ruling out processing ‘without restriction as to time or type of data’. The case also examines whether information disclosed in a statement becomes ‘manifestly public’ under the GDPR, and what that status would mean for deploying such data in ad targeting....

RoHS Regulations 2012 The Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment Regulations 2012, SI 2012/3032 (the RoHS Regulations 2012), give effect to Directive 2011/65/EU on restricting the use of specified hazardous substances in electrical and electronic equipment (RoHS 2). RoHS 2 superseded Directive 2002/95/EC, which had been transposed in the UK by the 2006 Regulations, SI 2006/1463, and subsequently by the 2008 Regulations, SI 2008/37 (together, the Original RoHS Regulations). Under the RoHS Regulations 2012, duties are placed on economic operators across the supply chain—such as manufacturers, importers and distributors—regarding the placing on the market and the making available of electrical and electronic equipment (EEE). These Regulations took effect on 2 January 2013, replacing the Original RoHS Regulations. After IP completion day, the application of the RoHS Regulations 2012 differs as between GB and Northern Ireland. For further details, see the Brexit section below. This Practice Note concentrates on the scope of the RoHS Regulations 2012 and addresses principal requirements and compliance. For...

This Practice Note is aimed at general commercial organisations in the UK. It offers guidance on handling data subject access requests (DSARs) that could require sharing material that identifies other individuals. It reflects the UK General Data Protection Regulation (UK GDPR) and ICO guidance on the right of access. This Practice Note does not address processing for law enforcement purposes or the intelligence services. There is a separate Practice Note covering other third party rights, including trade secrets and intellectual property—see Practice Note: Responding to a data subject access request—protecting third party rights. The right of access The right of access is one of the data subject rights set out in the UK GDPR. DSARs are relatively frequent and are regarded as the gateway right, enabling individuals to use other rights such as rectification or erasure. They can be particularly burdensome for businesses. Under the right of access, data subjects are entitled to: confirmation of whether their personal data is processed access to the...

Summary of the UK GDPR regime This Practice Note condenses the UK GDPR framework. For a higher-level primer on UK data protection, see Practice Note: Data protection law—new starter guide. The UK data protection law collection assembles key guidance on this regime and is a recommended first stop for research. For information on the EU’s General Data Protection Regulation, Regulation (EU) 2016/679, see Practice Note: The EU’s General Data Protection Regulation (EU GDPR). This Practice Note covers: principal legislation substantive scope territorial reach core concepts data protection principles legal bases for processing special category personal data criminal conviction and offence data individual rights accountability and governance security personal data breaches international transfers of personal data exemptions the Information Commissioner data protection fees enforcement of the UK GDPR criminal offences Processing of personal data by competent authorities for law enforcement, or by the intelligence services—each governed...

STOP PRESS: This document is under revision to account for commencement of the Data (Use and Access) Act 2025 (DUAA 2025), which introduces amendments to UK GDPR and Data Protection Act 2018. For more detailed guidance on DUAA 2025 compliance ramifications, please consult Practice Note: Data (Use and Access) Act 2025—compliance implications...

STOP PRESS: This document is currently being revised to take account of the commencement of the Data (Use and Access) Act 2025 (DUAA 2025), which amends the UK GDPR and the Data Protection Act 2018. For further guidance on the compliance effects of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications. [ Name of individual making request ] [ Address of individual making request ] [ Date of this response ] Dear [ insert name of individual making request ] I reply to your request dated [ insert date of request ]...

STOP PRESS: This document is being revised to reflect commencement of the Data (Use and Access) Act 2025 (DUAA 2025), which amends the UK GDPR and Data Protection Act 2018. For further guidance on DUAA 2025 compliance impacts, please consult the Practice Note: Data (Use and Access) Act 2025—compliance implications...