Article 18 GDPR: Difference between revisions

From GDPRhub
Line 242: Line 242:
A controller subject to a restriction request may still perform other processing operations than storage when this has been specifically allowed by the data subject. Data subjects can indeed consent to the processing of their personal data beyond passive storage after having exercised their right under Article 18 GDPR. As an illustration, one may imagine a data subject invoking Article 18 GDPR upon closing a bank account, in order to ensure that the bank does not delete important financial information relating to the preceding year, while allowing deletion of older data. Similarly, an employee may request for the restriction of the processing of some inaccurate personal data that appear in their personal profile on their employer's website, pending rectification, while allowing the latter to still display their name and profile picture.
A controller subject to a restriction request may still perform other processing operations than storage when this has been specifically allowed by the data subject. Data subjects can indeed consent to the processing of their personal data beyond passive storage after having exercised their right under Article 18 GDPR. As an illustration, one may imagine a data subject invoking Article 18 GDPR upon closing a bank account, in order to ensure that the bank does not delete important financial information relating to the preceding year, while allowing deletion of older data. Similarly, an employee may request for the restriction of the processing of some inaccurate personal data that appear in their personal profile on their employer's website, pending rectification, while allowing the latter to still display their name and profile picture.


====Legal Claims====
====Legal Claims ====
A controller subject to a restriction request may still perform other operations  
A controller subject to a restriction request may still perform other operations on the concerned personal data when this is necessary <span id="2">for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person. This exception may of course become problematic when unduly or excessively relied on by controllers. This exception can indeed obstruct and thus defeat the very purpose of the right to restriction of processing, which was to provide data subjects with an easy and quick way to alleviate the immediate risks pertaining to the (unlawful) processing of (inaccurate) personal data by a data controller, pending verification of their original claim or objeciton.</span>
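Review bot: the new Legal Claims paragraph still ends its first sentence with "or for the protection of the rights of another natural or legal person", which the following section, Protection of Others' Rights, now covers on its own. Trim the sentence to stop at "legal claims" so the two exceptions do not overlap. The paragraph also closes with the typo "objeciton", and this paragraph and the two new ones after it all reuse span id="2"; an id should be unique on the page.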


====Protection of Others' Rights====
====Protection of Others' Rights====
''Help us fill this section!''
A controller subject to a restriction request may still perform other operations on the concerned personal data when this is necessary <span id="2">for the protection of the rights of another natural or legal person. This exception may of course become problematic when unduly or excessively invoked by controllers. This exception can indeed obstruct and thus defeat the very purpose of the right to restriction of processing, which was to provide data subjects with an easy and quick way to alleviate the immediate risks pertaining to the (unlawful) processing of (inaccurate) personal data, pending verification of their original claim or objection</span>


====Important Public Interest====
====Important Public Interest====
''Help us fill this section!''
A controller subject to a restriction request may still perform other operations on the concerned personal data when this is necessary <span id="2">for reasons of important public interest of the Union or of a Member State. This exception may of course become problematic when unduly or excessively invoked by controllers. This exception can indeed obstruct and thus defeat the very purpose of the right to restriction of processing, which was to provide data subjects with an easy and quick way to alleviate the immediate risks pertaining to the (unlawful) processing of (inaccurate) personal data, pending verification of their original claim or objection.</span>


===(3) Information of the Data Subject===
===(3) Information of the Data Subject===
See also[[Article 19 GDPR| Article 19 GDPR]].  
Granting restriction of processing imposes on the controller the obligation to notify any recipients to whom the personal data have been disclosed about the restriction, so that they can themselves adapt the processing of personal data to what is allowed and required (that is, in most case, passive storage of the personal data). See also[[Article 19 GDPR| Article 19 GDPR]].  
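Review bot: the sentence added under "(3) Information of the Data Subject" describes notifying recipients of the restriction, which is the Article 19 obligation that the "See also" link already points to, and it says nothing about informing the data subject. Paragraph 3 of the Legal Text on this page requires the controller to inform the data subject before the restriction is lifted; state that first and keep the recipient notification as the cross-reference. Also, "in most case" should read "in most cases", and "See also[[" is missing a space.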


==Decisions==
==Decisions==

Revision as of 14:14, 14 September 2021

Article 18 - Right to restriction of processing

Legal Text


Article 18 - Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Relevant Recitals

Recital 67: Right to Restriction of Processing
Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

Recital 156: Processing of Personal Data for Archiving Purposes in the Public Interest, Scientific, Historical Research or Statistical Purposes
The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. 
The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

Commentary on Article 18

The right to restriction of processing is a right which allows the data subject to temporarily limit the type of processing operations that a controller or processor can perform on his or her personal data. When a data subject exercises the right to restriction of processing, the controller is under the obligation to passively hold the personal data, but is no longer allowed to use them, disclose them, erase them, or perform any other type of processing operation on them, unless a specific exception applies (e.g. consent of the data subject).

The right to restriction of processing was introduced in 2016 in the GDPR. Although it did not have any identical equivalent under Directive 95/46 (DPD), an embryonic form of that right could already be found under Article 12(2) DPD. That provision gave data subjects the possibility to request the 'blocking of data' in case the processing was unlawful. The DPD did not specify, however, the meaning of 'blocking' or what this would concretely entail for the controller of the personal data. The lack of clarity of that provision prompted the Commission to replace any reference to the 'blocking' of personal data by a new and more specific right: the right to restriction of processing.

The right to restriction of processing can be invoked in four different situations by the data subjects, as further detailed below (see 'Legal Grounds'). Each of these situations is characterized by the existence of an ongoing claim or objection relating to the personal data. For example, it could be the case that the accuracy of the personal data is being contested. In the context of that claim or objection, data subjects are offered the possibility to temporarily restrict the processing of their personal data, in the sense that the controller is no longer allowed to process the personal data, except for storage. Article 18 GDPR therefore entails a dual obligation on the part of the controller: (1) the obligation to store the personal data; and (2) the obligation not to perform any other operation on the personal data, at least until the claim or objection is resolved. The second part of this obligation may however be tempered if an exception applies (e.g. the data subject explicitly consents to the controller processing the personal data for something other than storage during the restriction period).

The four legal grounds on the basis of which data subjects may exercise their right to restriction of processing will be discussed here below, following which the limited exceptions to this right will then be analyzed.

(1) Legal Grounds

The right to restriction of processing can be effectively exercised only when one of the following grounds applies:

(a) Accuracy of Personal Data

Data subjects have a right to rectification of their personal data under Article 16 GDPR. The rectification of personal data may however take a shorter or longer period of time depending on the nature and amount of data, the diligence of the controller, etc. While awaiting the rectification of their personal data, data subjects may want to protect themselves from any adverse effect linked to the processing of their inaccurate data by restricting the type of operations that the controller can still perform on them. In that context, the right to restriction of processing can apply upon request of the data subject for the limited period of time during which a controller is verifying the accuracy and/or rectifying the personal data.

The right to restriction of processing may thus be exercised after or in parallel to the right to rectification. For example, if a data subject notices that a controller is processing inaccurate personal data, and that this may have an adverse effect on them (e.g. inaccurate bank account details which may lead to wrongful money transfers), they may simultaneously invoke Article 16 GDPR (right to rectification) and Article 18 GDPR (right to restriction) in order to request the controller to suspend the processing of the personal data until the data has been corrected.

(b) Unlawful Processing

The right to restriction can also be exercised when it appears that a controller is processing personal data unlawfully, but the data subject opposes the erasure of the data and requests restriction of the processing instead. In that case, the purpose of exercising the right conferred by Article 18 GDPR is to put an end to the unlawful processing operation(s), while preventing the data controller from erasing the personal data. Data subjects may oppose the erasure of their personal data for different reasons, including the fact that they still need (a copy of) them (e.g. copy of bank account statements upon closing of bank account). It might also be the case that the personal data constitute important evidence of the unlawful processing itself (e.g. health data which were collected without the consent of the data subject).

In that respect, it must first be recalled that, in accordance with Article 4(1) GDPR, deletion of personal data is a processing operation as such. Data controllers may decide to permanently delete personal data for various reasons, for example if the period for lawfully storing the data has expired (Article 5(1)(e) GDPR) or if the legal basis for processing the data is no longer valid (e.g. consent withdrawal). In some instances, the decision of a controller to delete personal data may however be against the interest of the data subject. The data subjects may thus want to prevent or temporarily suspend the erasure of their personal data by invoking Article 18 GDPR. The controller would then be obliged to passively keep the personal data and not to erase them, until the matter has been clarified (e.g. the data subject has retrieved a copy of the personal data).

It is also interesting to note in this respect that data subjects have, in addition to the right to restriction, the right to object to the processing of personal data under Article 21 GDPR. Theoretically, data subjects could thus also object to the erasure of their personal data by a controller. One may thus question the relevance or added value of the right to restriction of processing in the context of unlawful processing. It quickly becomes apparent from a careful reading of Article 21 GDPR, however, that the right to object can only be exercised where the controller is processing personal data either on the basis of (1) its legitimate interest (Article 6(1)(f) GDPR) or (2) the public interest (Article 6(1)(e) GDPR). Hence, data subjects may find themselves in a situation where the right to object does not apply, but the right to restriction of processing does. For example, if a controller is processing personal data for the performance of a contract under Article 6(1)(b) GDPR, data subjects cannot rely on Article 21 GDPR to object to the erasure of their data when the contract comes to an end. They may, however, exercise the right to restriction of processing in order to request the controller not to erase personal data upon termination of the contract, while addressing in parallel a request to obtain a copy of their personal data under Article 15 GDPR. This is because the right to restriction of processing can be effectively invoked regardless of the (absence of) legal basis for processing the data.

(c) Legal Claims

The third legal basis for exercising the right to restriction of processing concerns situations where the controller no longer needs the personal data, but the data subject might still want them for the establishment, exercise or defence of a legal claim. Once again, the right to restriction therefore offers the possibility for data subjects to prevent the erasure of their personal data by the controller. In this case, the data controller has to retain the personal data even though it might not need them anymore, in order to ensure the data subject's legitimate interests, and in particular the right of a data subject to gather information to defend themselves in the context of a legal claim. The restriction period should normally last until the data subject's legal claims are established, exercised or defended.

(d) Objection to Processing

The fourth and last legal basis concerns situations where a data subject has objected to the processing of personal data (Article 21 GDPR), and is also asking the controller (either right after or in parallel) to restrict the processing to passive storage, pending verification of whether the objection was justified.

To fully understand this legal basis, it is first important to recall that the right to object as enshrined in Article 21 GDPR is not absolute. As a matter of fact, data subjects may only object to the processing of their personal data when the controller argues that the legal basis for such processing is (i) their own legitimate interests, or (ii) the performance of a task carried out in the public interest. By way of illustration, an insurance company could decide to monitor and collect information about insured persons who are suspected of insurance fraud, without informing them about it, by invoking their legitimate interest to prevent such fraud. In that case, however, it must be ensured that the legitimate interests of the controller prevail over the interests or fundamental rights and freedoms of the data subjects (such assessment being made, presumably, by the data controller). This balancing exercise, incumbent on the controller, may however lead to divergences of opinions. A data subject may thus later object to the processing of the personal data by arguing that their rights and freedoms override the interests of the controller (Article 21 GDPR). If a dispute ensues, it will ultimately be for the competent data protection authorities or the national courts to determine whether the objection is justified. Because solving this question may take time, the EU legislator has given to the data subject the opportunity to request the restriction of the processing, pending a final decision.

(2) Exceptions

As a general principle, once a request under Article 18 GDPR reaches a controller, the latter is bound to passively hold the personal data and not to process them in any other way. Similarly to most data protection rights, however, the right to restriction of processing is not absolute. Hence, exceptions to the general principle may apply, as further discussed here below.

Consent

A controller subject to a restriction request may still perform processing operations other than storage when this has been specifically allowed by the data subject. Data subjects can indeed consent to the processing of their personal data beyond passive storage after having exercised their right under Article 18 GDPR. As an illustration, one may imagine a data subject invoking Article 18 GDPR upon closing a bank account, in order to ensure that the bank does not delete important financial information relating to the preceding year, while allowing deletion of older data. Similarly, an employee may request the restriction of the processing of some inaccurate personal data that appear in their personal profile on their employer's website, pending rectification, while allowing the latter to still display their name and profile picture.

Legal Claims

A controller subject to a restriction request may still perform other operations on the concerned personal data when this is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person. This exception may of course become problematic when unduly or excessively relied on by controllers. This exception can indeed obstruct and thus defeat the very purpose of the right to restriction of processing, which was to provide data subjects with an easy and quick way to alleviate the immediate risks pertaining to the (unlawful) processing of (inaccurate) personal data by a data controller, pending verification of their original claim or objection.

Protection of Others' Rights

A controller subject to a restriction request may still perform other operations on the concerned personal data when this is necessary for the protection of the rights of another natural or legal person. This exception may of course become problematic when unduly or excessively invoked by controllers. This exception can indeed obstruct and thus defeat the very purpose of the right to restriction of processing, which was to provide data subjects with an easy and quick way to alleviate the immediate risks pertaining to the (unlawful) processing of (inaccurate) personal data, pending verification of their original claim or objection.

Important Public Interest

A controller subject to a restriction request may still perform other operations on the concerned personal data when this is necessary for reasons of important public interest of the Union or of a Member State. This exception may of course become problematic when unduly or excessively invoked by controllers. This exception can indeed obstruct and thus defeat the very purpose of the right to restriction of processing, which was to provide data subjects with an easy and quick way to alleviate the immediate risks pertaining to the (unlawful) processing of (inaccurate) personal data, pending verification of their original claim or objection.

(3) Information of the Data Subject

Granting restriction of processing imposes on the controller the obligation to notify any recipients to whom the personal data have been disclosed about the restriction, so that they can themselves adapt the processing of personal data to what is allowed and required (that is, in most cases, passive storage of the personal data). See also Article 19 GDPR.

Decisions

→ You can find all related decisions in Category:Article 18 GDPR
