Restricting processing

Article 18 of the Applied GDPR gives individual a right to restrict the processing of their personal data.

Individuals can exercise their right to restrict processing in the four scenarios set out in Article 18(1) which are:

• the accuracy of the data is contested (for a period to enable the controller verify the accuracy)
• the processing is unlawful and the data subject objects to the erasure of the data and requests restrictions of their use instead
• the controller no longer requires the data for their purposes but the data subject require them for the establishment, exercise or defence of legal claims
• the data subject has objected to processing based on the grounds of legitimate interests or tasks carried out in the public interest under official authority, pending verification (i.e. Article 21(1) applies)

Methods of restricting the processing of data are suggested in Recital 67 and the use of warnings or flags in systems to ‘stop’ or ‘proceed with caution’  if that personal data is being considered for processing whilst the restriction is in place are encouraged.

During the term of the restriction, Article 18(2) sets out the circumstances in which personal data can be processed by the controller.

These are

• for storage
• with the consent of the data subject
• for the establishment, exercise or defence of legal claims
• for reasons of important public interest of the Island, Union or Member State

The scenarios in which the right can be exercised relate to temporary and permanent restrictions. 

Temporary restrictions on processing

Temporary restrictions may be exercised in conjunction with other rights which require the controller to verify certain aspects of processing.  The length of time that the restriction remains in place will depend on the time taken by the controller to make the relevant verification, subject to the Article 12 overriding duty to comply without undue delay and within one month

1. Verification of accuracy

This restriction can be imposed by the individual to enable the controller to verify the accuracy of that data before any further processing occurs.  It is not for the data subject to prove inaccuracy.  Instead, it is explicitly the responsibility of  the controller to verify the accuracy of the data before any further processing can occur.  This aligns with the right to rectification of inaccurate data (Art 16) and the controller’s duty to comply with the accuracy principle (Art 5(1)(d)).  

2. Objection to certain grounds for processing

Where an individual has exercised their right to object to processing under Article 21(1) (see more under the Right to object to processing), the controller needs to restrict processing in order to verify whether or not its legitimate interests override those of the data subject.  This aligns with the controllers duty to process personal data lawfully (Art 5(1)(a)).

Permanent restrictions on processing

The individual must be informed of the action taken in respect of the exercise of the right to permanent restrictions within the time frame set out in Article 12(3), i.e. without undue delay and within a month. 

3. Unlawful processing

An individual can request a controller not to erase personal data that it is unlawfully processing even if the controller wishes to delete it.  The controller will need to establish whether the personal data is, or is not, being unlawfully processed before implementing a permanent restriction. 

4. Required by the data subject for the establishment, exercise or defence of legal claims

An individual has the right to prevent a controller processing (including erasing) personal data which that individual requires for legal proceedings, even if the controller has no purpose for processing, or holding, that data itself.   Controllers will, therefore, need to communicate with the individual and establish that the data is required for such a purpose when such a restriction of processing is received.

Action to be taken by controllers 

Controllers must

• respond to the individual to advise them on the action, or inaction, taken on their request;
• communicate any actions to the individual;
• communicate the restriction to each recipient it has been disclosed to (Article 19)
• inform the data subject of the recipients if requested. (Article 19)
• inform the data subject prior to lifting the restriction (Article 18(3))

Refusing a request

Controllers may refuse to comply with all or part of the request for restriction of processing but must be able to justify its decision.

Requests may be refused in cases where:

• none of the grounds in Article 18(1) apply or can be established;
• the request is manifestly unfounded or excessive, in particular if it is repetitive;
• a restriction on the right can be justified in the particular circumstances (Art 23) 

Non-compliance with requests to exercise rights

If the controller is not taking action on the request of the individual to exercise any right, it must inform the individual “without delay” (and within ONE month of receipt of the request) about:

• the reasons for not taking action; and
• their remedies, in particular the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.