Restricting processing

Article 18 of the Applied GDPR gives individuals a right to restrict the processing of their personal data.

Individuals can exercise their right to restrict processing in the four scenarios set out in Article 18(1) which are:

Methods of restricting the processing of data are suggested in Recital 67 and the use of warnings or flags in systems to ‘stop’ or ‘proceed with caution’ if that personal data is being considered for processing whilst the restriction is in place are encouraged.

During the term of the restriction, Article 18(2) sets out the circumstances in which personal data can be processed by the controller.

These are

The scenarios in which the right can be exercised relate to temporary and permanent restrictions. 

Temporary restrictions on processing

Temporary restrictions may be exercised in conjunction with other rights which require the controller to verify certain aspects of processing.  The length of time that the restriction remains in place will depend on the time taken by the controller to make the relevant verification, subject to the Article 12 overriding duty to comply without undue delay and within one month

1. Verification of accuracy

This restriction can be imposed by the individual to enable the controller to verify the accuracy of that data before any further processing occurs.  It is not for the data subject to prove inaccuracy.  Instead, it is explicitly the responsibility of  the controller to verify the accuracy of the data before any further processing can occur.  This aligns with the right to rectification of inaccurate data (Art 16) and the controller’s duty to comply with the accuracy principle (Art 5(1)(d)).  

2. Objection to certain grounds for processing

Where an individual has exercised their right to object to processing under Article 21(1) (see more under the Right to object to processing), the controller needs to restrict processing in order to verify whether or not its legitimate interests override those of the data subject.  This aligns with the controllers duty to process personal data lawfully (Art 5(1)(a)).

Permanent restrictions on processing

The individual must be informed of the action taken in respect of the exercise of the right to permanent restrictions within the time frame set out in Article 12(3), i.e. without undue delay and within a month. 

  1. Unlawful processing

An individual can request a controller not to erase personal data that it is unlawfully processing even if the controller wishes to delete it.  The controller will need to establish whether the personal data is, or is not, being unlawfully processed before implementing a permanent restriction. 

  1. Required by the data subject for the establishment, exercise or defence of legal claims

An individual has the right to prevent a controller processing (including erasing) personal data which that individual requires for legal proceedings, even if the controller has no purpose for processing, or holding, that data itself.   Controllers will, therefore, need to communicate with the individual and establish that the data is required for such a purpose when such a restriction of processing is received.

Action to be taken by controllers 

Controllers must

Refusing a request

Controllers may refuse to comply with all or part of the request for restriction of processing but must be able to justify its decision.

Requests may be refused in cases where:

Non-compliance with requests to exercise rights

If the controller is not taking action on the request of the individual to exercise any right, it must inform the individual “without delay” (and within ONE month of receipt of the request) about: