When submitting a data protection request (typically through a request form linked from a company’s privacy policy), there are two options that seem related to making sure your data isn’t sold or shared, but these forms don’t do a very good job of explaining the difference. The two options are:
1. Data Processing Objection Request
2. Data Processing Restriction Request
I feel like this is intentionally made to be confusing.
In: Other
Right to Object: Stop using my data. All of it. Just stop.
Right to Restriction of Processing: Something came up. Stop using my data *until that issue is resolved*.
The Right to Restriction of Processing is *very limited*. GDPR lists only four cases where it exists, and one of those four is in tandem with a Right to Object.
1. The data you have about me is wrong, stop using it until you fix it.
1. It was illegal for you to have the data in the first place, but I don’t want you to delete it.
1. Normally this data would be deleted, but it’s part of a lawsuit so hold on to it but stop using it.
1. I told you to stop using all my data forever, but the lawyers are arguing about that request, so stop using it until the shouting stops.
By contrast, the Right to Object is much more broad, but still not universal and will lots of exemptions. The only reason you need is “I don’t like it.” But whether the Controller has to honor it depends on what their original legal basis for processing was.
Latest Answers