Article 18 GDPR: Difference between revisions
Line 205: | Line 205: | ||
==Commentary on Article 18== | ==Commentary on Article 18== | ||
The right to restriction of processing is a right which allows the data subject to temporarily limit the type of processing operations that a controller or processor can perform on his or her personal data. | The right to restriction of processing is a right which allows the data subject to temporarily limit the type of processing operations that a controller or processor can perform on his or her personal data. When a data subject exercises the right to restriction of processing, the controller is under the obligation to passively hold the personal data, but is no longer allowed to use them, disclose them, erase them, or perform any other type of processing operation on them, unless a specific exception applies (e.g. consent of the data subject). | ||
The right to restriction of processing was introduced by the GDPR. | The right to restriction of processing was introduced by the GDPR. Although it did not have any identical equivalent under the Directive 95/46 (DPD), an embryonic form of that right could already be found under Article 12(2) DPD. That provision gave to data subjects the possibility to request the 'blocking of data' in case the processing was unlawful. The DPD did not specify, however, the meaning of 'blocking' or what this would concretely entail for the controller of the personal data. The lack of clarity of that provision prompted the Commission to replace any reference to the 'blocking' of personal by a new and more specific right: the right to restriction of processing. | ||
The right to restriction of processing can be invoked in four different situations by the data subjects, as further detailed below (see | The right to restriction of processing can be invoked in four different situations by the data subjects, as further detailed below (see 'Legal Grounds'). Each of these situations is characterized by the existence of an ongoing claim or objection relating to the personal data. For example, it could be the case that the accuracy of the personal data is being contested. In the context of that claim or objection, data subjects are offered the possibility to temporarily restrict the processing of their personal, in the sense that the controller is no longer allowed to process the personal data, except for storage. Article 18 GDPR therefore entails a dual obligation on the part of the controller: (1) the obligation to ''store'' the personal data; and (2) the obligation ''not to perform any other operation'' on the personal data, at least until the claim or objection is resolved. The second part of this obligation may however be tempered if an exception applies (e.g. the data subject explicitly consents to the controller processing the personal data for something else than storage during the restriction period). | ||
The four legal grounds on the basis of which data subjects may exercise their right to restriction of processing will be discussed here below, following which the limited exceptions to this right will then be analyzed. | |||
===(1) Legal Grounds=== | ===(1) Legal Grounds=== | ||
The right to restriction of processing can be effectively exercised only when one of the following grounds applies: | |||
====(a) Accuracy of Personal Data==== | ====(a) Accuracy of Personal Data==== | ||
Data subjects have a right to rectification of their personal data under [[Article 16 GDPR]]. The rectification of personal data may however take a | Data subjects have a right to rectification of their personal data under [[Article 16 GDPR]]. The rectification of personal data may however take a shorter or longer period of time depending on the nature and amount of data, the diligence of the controller, etc. While awaiting the rectification of their personal data, data subjects may want to protect themselves from any adverse effect linked to the processing of their inaccurate data by restricting the type of operations that the controller can still perform on them. In that context, the right to restriction of processing can apply upon request of the data subject for the limited period of time during which a controller is verifying the accuracy and/or rectifying the personal data. | ||
The right to restriction of processing may thus be exercised after or in parallel to the right to rectification. For example, if a data subject notices that a controller is processing inaccurate personal data, and that this may have an adverse effect on them (e.g. inaccurate bank account details which may lead to wrongful money transfers), they may invoke simultaneously [[Article 16 GDPR]] (right to rectification) and Article 18 GDPR (right to restriction) in order to request the controller to suspend the processing the personal data until the data has been corrected. | |||
====(b) Unlawful Processing==== | ====(b) Unlawful Processing==== | ||
The right to restriction can also be exercised by a data subject when it appears that a controller is processing personal data unlawfully. In that case, the purpose of exercising that right is often to prevent the data controller from erasing personal data, either because the data subject still need them, or because they constitute important evidence of the unlawful character of the processing. | |||
In that respect, it must first be recalled that deletion of personal data is a processing operation as such (Article 4(1) GDPR). Data controllers may decide to permanently delete personal data in various situations, for example if the period for lawfully storing the data has expired ([[Article 5 GDPR|Article 5(1)(e) GDPR]]) or if there is no longer a valid legal basis for processing the data (as listed in [[Article 6 GDPR|Article 6]] or [[Article 9 GDPR]]). The decision of a controller to delete personal data in order to put an end to unlawful processing may however be against the interests of the data subject. In some instances, the data subjects may thus want to prevent or temporarily suspend the erasure of their personal data by invoking Article 18 GDPR. <span id="1b">The controller would then be put under the obligation to keep the personal data until, for example, the data subject has been able to obtain a copy of them.</span> | |||
It is interesting to note in this respect that data subjects also have the right to object to the processing of personal data by exercising their right to object under [[Article 21 GDPR]]. Theoretically, | It is interesting to note in this respect that data subjects also have the right to object to the processing of personal data by exercising their right to object under [[Article 21 GDPR]]. Theoretically, data subjects could thus also object to the erasure of their personal data by a controller with a view of obtaining a copy of them or collecting useful evidence. One may thus question the relevance of the parallel right to restriction of the processing in the context of unlawful processing. It becomes however quickly apparent from a careful reading of Article 21 GDPR that the right to object can only be exercised where the controller is processing personal data either on the basis of (1) its legitimate interest ([[Article 6 GDPR|Article 6(1)(f) GDPR]]) or (2) the public interest ([[Article 6 GDPR|Article 6(1)(e) GDPR]]). Hence, data subjects may find themselves in a situation where the right to object does not apply, but the right to restriction of processing does. This is because the right to restriction of processing applies regardless of the legal basis used for processing the data. | ||
If a controller is processing personal data for the performance of a contract under Article 6(1)(b) GDPR, for example, a data subject cannot object to the erasure of his or her data on the basis of Article 21 GDPR. He or she may, however, exercises the right to restriction of processing in order to request the controller ''not to erase'' personal data upon termination of the contract, while addressing in parallel a request to obtain a copy of his or her personal data under [[Article 15 GDPR]]. | If a controller is processing personal data for the performance of a contract under Article 6(1)(b) GDPR, for example, a data subject cannot object to the erasure of his or her data on the basis of Article 21 GDPR. He or she may, however, exercises the right to restriction of processing in order to request the controller ''not to erase'' personal data upon termination of the contract, while addressing in parallel a request to obtain a copy of his or her personal data under [[Article 15 GDPR]]. |
Revision as of 12:00, 14 September 2021
Legal Text
Article 18 - Right to restriction of processing
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- (d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Relevant Recitals
Commentary on Article 18
The right to restriction of processing is a right which allows the data subject to temporarily limit the type of processing operations that a controller or processor can perform on his or her personal data. When a data subject exercises the right to restriction of processing, the controller is under the obligation to passively hold the personal data, but is no longer allowed to use them, disclose them, erase them, or perform any other type of processing operation on them, unless a specific exception applies (e.g. consent of the data subject).
The right to restriction of processing was introduced by the GDPR. Although it did not have any identical equivalent under the Directive 95/46 (DPD), an embryonic form of that right could already be found under Article 12(2) DPD. That provision gave to data subjects the possibility to request the 'blocking of data' in case the processing was unlawful. The DPD did not specify, however, the meaning of 'blocking' or what this would concretely entail for the controller of the personal data. The lack of clarity of that provision prompted the Commission to replace any reference to the 'blocking' of personal by a new and more specific right: the right to restriction of processing.
The right to restriction of processing can be invoked in four different situations by the data subjects, as further detailed below (see 'Legal Grounds'). Each of these situations is characterized by the existence of an ongoing claim or objection relating to the personal data. For example, it could be the case that the accuracy of the personal data is being contested. In the context of that claim or objection, data subjects are offered the possibility to temporarily restrict the processing of their personal, in the sense that the controller is no longer allowed to process the personal data, except for storage. Article 18 GDPR therefore entails a dual obligation on the part of the controller: (1) the obligation to store the personal data; and (2) the obligation not to perform any other operation on the personal data, at least until the claim or objection is resolved. The second part of this obligation may however be tempered if an exception applies (e.g. the data subject explicitly consents to the controller processing the personal data for something else than storage during the restriction period).
The four legal grounds on the basis of which data subjects may exercise their right to restriction of processing will be discussed here below, following which the limited exceptions to this right will then be analyzed.
(1) Legal Grounds
The right to restriction of processing can be effectively exercised only when one of the following grounds applies:
(a) Accuracy of Personal Data
Data subjects have a right to rectification of their personal data under Article 16 GDPR. The rectification of personal data may however take a shorter or longer period of time depending on the nature and amount of data, the diligence of the controller, etc. While awaiting the rectification of their personal data, data subjects may want to protect themselves from any adverse effect linked to the processing of their inaccurate data by restricting the type of operations that the controller can still perform on them. In that context, the right to restriction of processing can apply upon request of the data subject for the limited period of time during which a controller is verifying the accuracy and/or rectifying the personal data.
The right to restriction of processing may thus be exercised after or in parallel to the right to rectification. For example, if a data subject notices that a controller is processing inaccurate personal data, and that this may have an adverse effect on them (e.g. inaccurate bank account details which may lead to wrongful money transfers), they may invoke simultaneously Article 16 GDPR (right to rectification) and Article 18 GDPR (right to restriction) in order to request the controller to suspend the processing the personal data until the data has been corrected.
(b) Unlawful Processing
The right to restriction can also be exercised by a data subject when it appears that a controller is processing personal data unlawfully. In that case, the purpose of exercising that right is often to prevent the data controller from erasing personal data, either because the data subject still need them, or because they constitute important evidence of the unlawful character of the processing.
In that respect, it must first be recalled that deletion of personal data is a processing operation as such (Article 4(1) GDPR). Data controllers may decide to permanently delete personal data in various situations, for example if the period for lawfully storing the data has expired (Article 5(1)(e) GDPR) or if there is no longer a valid legal basis for processing the data (as listed in Article 6 or Article 9 GDPR). The decision of a controller to delete personal data in order to put an end to unlawful processing may however be against the interests of the data subject. In some instances, the data subjects may thus want to prevent or temporarily suspend the erasure of their personal data by invoking Article 18 GDPR. The controller would then be put under the obligation to keep the personal data until, for example, the data subject has been able to obtain a copy of them.
It is interesting to note in this respect that data subjects also have the right to object to the processing of personal data by exercising their right to object under Article 21 GDPR. Theoretically, data subjects could thus also object to the erasure of their personal data by a controller with a view of obtaining a copy of them or collecting useful evidence. One may thus question the relevance of the parallel right to restriction of the processing in the context of unlawful processing. It becomes however quickly apparent from a careful reading of Article 21 GDPR that the right to object can only be exercised where the controller is processing personal data either on the basis of (1) its legitimate interest (Article 6(1)(f) GDPR) or (2) the public interest (Article 6(1)(e) GDPR). Hence, data subjects may find themselves in a situation where the right to object does not apply, but the right to restriction of processing does. This is because the right to restriction of processing applies regardless of the legal basis used for processing the data.
If a controller is processing personal data for the performance of a contract under Article 6(1)(b) GDPR, for example, a data subject cannot object to the erasure of his or her data on the basis of Article 21 GDPR. He or she may, however, exercises the right to restriction of processing in order to request the controller not to erase personal data upon termination of the contract, while addressing in parallel a request to obtain a copy of his or her personal data under Article 15 GDPR.
(c) Legal Claims
In this case the data controller has to retain the personal data even though it might not need it anymore, in order to ensure the data subject's legitimate interests, and in particular the right of a data subject to gather information to defend himself or herself in the context of a legal claim. The restriction period should normally last until the data subject's legal claims are established, exercised or defended.
(d) Objection to Processing
Help us fill this section!
(2) Exceptions
Consent
Help us fill this section!
Legal Claims
Help us fill this section!
Protection of Others' Rights
Help us fill this section!
Important Public Interest
Help us fill this section!
(3) Information of the Data Subject
See also Article 19 GDPR.
Decisions
→ You can find all related decisions in Category:Article 18 GDPR