Article 18 GDPR: Difference between revisions

From GDPRhub
No edit summary
 
(23 intermediate revisions by 3 users not shown)
Line 184: Line 184:
|}
|}
==Legal Text==
==Legal Text==
<br />'''Article 18 - Right to restriction of processing'''
<br /><center>'''Article 18 - Right to restriction of processing'''</center>


<span id="1">1.  The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:</span>
<span id="1">1.  The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:</span>
Line 203: Line 203:
{{Recital/67 GDPR}}{{Recital/156 GDPR}}
{{Recital/67 GDPR}}{{Recital/156 GDPR}}


==Commentary on Article 18==
==Commentary==


The right to restriction of processing is a right which allows the data subject to temporarily limit the type of processing operations that a controller or processor can perform on his or her personal data.  
When the conditions established by the GDPR are respected, the controller is generally able to decide over the use of personal data.  


The right to restriction of processing was introduced by the GDPR. It did not have any identical or close equivalent under the Directive 95/46 (DPD). Rather, Article 12(2) DPD referred to the possibility for the data subjects to request the 'blocking of data' in case the processing was unlawful. The DPD did not specify, however, the meaning of 'blocking' personal data would concretely entail. The lack of clarity of that provision prompted the Commission to replace any reference to the 'blocking' of personal by an additional and more specific right for the data subjects: the right to restriction of processing.   
However, during the processing activities, questions may arise regarding the appropriateness of the processing, such as when the controller may delete information that the data subject relies upon as evidence or there is a dispute between the controller and the data subject about the accuracy of personal data.   


The right to restriction of processing can be invoked in four different situations by the data subjects, as further detailed below (see below 'Legal Grounds'). Those situations have two elements in common: (1) the existence of an ongoing claim or objection relating to the personal data, and (2) the possibility for the data subject to temporarily restrict the processing of his or her data, awaiting the resolution of that claim or objection. More specifically, when a data subject exercises his right to restriction of processing under Article 18 GDPR, the controller or processor becomes subject to a dual obligation: (1) the obligation to ''store'' the personal data; and (2) the obligation ''not to perform any other operation'' on the personal data. The controller or processor therefore becomes a passive holder of the personal data, and is not allowed to disclose them, erase them, or perform any other operation on them, unless a specific exception applies (e.g. consent of the data subject).  
To avoid potentially deletion, sharing or other processing leading to further harm to the data subject, the right to restriction of processing allows data subjects to temporarily limit the type of processing operations that a controller can perform on their personal data.<ref>The right to restriction of processing was introduced in 2016 by the GDPR although a somewhat similar protection could already be found in Article 12(2) of Directive 95/46 (DPD). That provision gave data subjects the possibility to request the ''“blocking of data”'' where the processing was unlawful. However, the DPD did not specify the meaning of 'blocking' or what it would actually require from the controller. The lack of clarity of that provision prompted the Commission to replace any reference to the 'blocking' of personal by a new and more specific right under the GDPR. See, ''Gonzáles Fuster'', in Kuner, Bygrave and Docksey, The EU General Data Protection Regulation (GDPR), A commentary, Article 18 GDPR, p. 487 (Oxford University Press, 2020).</ref> In such case, the controller is only allowed to passively store the personal data, but can no longer share, disclose, erase, or perform any other type of processing operation on them. The personal data gets "frozen", unless any of the specific exceptions under paragraph 2 applies.


===(1) Legal Grounds===
The right to restriction of processing only applies during a limited period (the ''“restriction period”''), at the end of which the controller is no longer bound to limit the processing. The length of this restriction period will vary from one case to another. 
As previously mentioned, the right to restriction of processing can be effectively exercised only when one of the following grounds applies:


====(a) The Accuracy of the Personal Data is Contested====
===(1) Right to restriction of processing===
Data subjects have a right to rectification of their personal data under [[Article 16 GDPR]]. The rectification of personal data may however take a short or longer period of time depending on various factors, such as the diligence of the controller, the amount of data, or the scope of the error. While awaiting the rectification of their personal data, data subjects may want to protect themselves from any adverse effect linked to the continuous processing of erroneous or incomplete data. In that context, the right to restriction of processing can apply upon request of the data subject for the limited period of time during which a controller is verifying the accuracy and/or rectifying the personal data. The right to restriction of processing may be exercised after or in parallel to the right to rectification. For example, if a data subject notices that a controller is processing inaccurate personal data and that such processing can have adverse consequences for him or her, he or she may invoke simultaneously [[Article 16 GDPR]] (right to rectification) and Article 18 GDPR in order to request the controller to stop processing the personal data (except for storage) until the personal data have been rectified.  
The right to restriction of processing can be invoked by the data subjects in four different situations: (a) the accuracy of personal data is contested; (b) the processing is unlawful, data should be erased under Article 17, but the data subject opposes the erasure; (c) the purpose of the processing has been achieved, personal data should be deleted under Article 17(1)(a), but the data subject opposes the erasure since personal data are needed for the establishment, exercise or defence of legal claims; and (d) the data subject has objected to processing under Article 21 GDPR and request restriction while the interests assessment is carried out.<ref>Each of these situations is characterised by the existence of an ongoing claim or objection relating to the processing of the personal data. For example, when the accuracy of the personal data is contested under Article 16 GDPR. In that case, Article 18 GDPR offers data subjects the possibility to temporarily require controllers to restrict the processing of their inaccurate personal data, pending its rectification. This mitigates immediate risks caused by the continuous processing of inaccurate personal data.</ref>


====(b) Unlawful Processing====
==== The data subject has the right to obtain... ====
If it is found that a controller is processing personal data unlawfully, for example because the processing does not have any valid legal basis (as listed in [[Article 6 GDPR|Article 6]] or [[Article 9 GDPR]]), the controller or processor may decide to erase the personal data in order to put an end to the unlawful processing operations. Similarly, a controller may have planned to delete personal data at a given date in order to comply with the GDPR, including the storage limitation principle enshrined in [[Article 5 GDPR|Article 5(1)(e) GDPR]]. In some instances, however, the data subjects may want to prevent or temporarily suspend the erasure of the personal data because the latter are still useful or necessary for his or her own purpose. The right to restriction of processing enables data subjects to <span id="1b">oppose the erasure of their personal data and to request the restriction of their use instead. The controller or processor are then put under the obligation to keep the personal data until, for example, the data subject has been able to obtain a copy of them.</span>
Whether or not the right to restriction applies is dependent on the specific circumstances outlined in Article 18(a) to (d) GDPR. In any case, the data subject is required to make certain declarations, such as disputing the accuracy of the data under (a), refusing deletion under (b), declaring the data is still needed for legal claims under (c), or objecting to the processing under (d). It is the responsibility of the data subject to present and provide evidence for the fulfillment of the requirements for a restriction.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 18 GDPR, margin number 10 (C.H. Beck 2018, 2nd Edition).</ref> <blockquote><u>Example</u>: XXX</blockquote>That said, similar to the exercise of the right to rectification and erasure, the rules set out in Article 12, paragraphs 2 and following, apply to the submission of a request, including the obligation to facilitate the data subject (Article 12(2) and (3) GDPR), inform him or her about the measures taken (Article 12(3) and (4) GDPR), the right to receive this service free of charge (Article 12(5) GDPR) and the procedure for verifying the identity of the data subject in case of doubts (Articles 11 and Article 12(6) GDPR).<blockquote><u>Example</u>: XXX</blockquote>


It is interesting to note in this respect that data subjects also have the right to object to the processing of personal data by exercising their right to object under [[Article 21 GDPR]]. Theoretically, a data subject could thus also object to the erasure of his or her personal data by a controller or processor. One may thus question the relevance of this parallel right to restriction of the processing. It becomes however apparent from a careful reading of Article 21 GDPR that the right to object can only be exercised where the controller is processing personal data on the basis of (1) its legitimate interest ([[Article 6 GDPR|Article 6(1)(f) GDPR]]) or (2) the public interest ([[Article 6 GDPR|Article 6(1)(e) GDPR]]). By contrast, the right to restriction of processing applies regardless of the legal basis used for processing the data.  
==== Restriction of processing ====
Under Article 4(3) GDPR, "''restriction of processing''" means "''the marking of stored personal data with the aim of limiting their processing in the future''". According to Recital 67 GDPR, methods to restrict the processing of personal data include temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. In particular, the fact that the processing of personal data is restricted should clearly be indicated in the system.<ref>In case of automated processing, marking the data records as "blocked" is sufficient but only if the software accessing the marked data sets is able to recognise that only permitted processing operations under Article 18(2) are possible. See, ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 30 (C.H. Beck 2020, 3rd Edition).</ref>


If a controller is processing personal data for the performance of a contract under Article 6(1)(b) GDPR, for example, a data subject cannot object to the erasure of his or her data on the basis of Article 21 GDPR. He or she may, however, exercises the right to restriction of processing in order to request the controller ''not to erase'' personal data upon termination of the contract, while addressing in parallel a request to obtain a copy of his or her personal data under [[Article 15 GDPR]].
==== Where one of the following applies ====
The right to restriction of processing can be effectively exercised by data subjects when one of the following grounds applies:


====(c) Legal Claims====
===== (a) Accuracy of personal data is contested =====
In this case the data controller has to retain the personal data even though it might not need it anymore, in order to ensure the data subject's legitimate interests, and in particular the right of a data subject to gather information to defend himself or herself in the context of a legal claim. The restriction period should normally last until the data subject's legal claims are established, exercised or defended.  
Data subjects can exercise their right to restriction of the processing when it appears that their personal data are inaccurate and must be rectified under [[Article 16 GDPR]]. The rectification of personal data may take a variable period of time depending on the nature and amount of data, the diligence of the controller, etc. While awaiting the rectification of their personal data, data subjects may want to protect themselves from any adverse effect linked to the processing of their inaccurate data by restricting the type of operations that the controller can still perform on them. In that context, the right to restriction of processing can apply upon request of the data subject for the limited period of time during which a controller is verifying the accuracy and/or rectifying the personal data. Thus, the right to restriction of processing may be exercised after or in parallel to the right to rectification. For example, if a data subject notices that a controller is processing inaccurate personal data and that this may have an adverse effect on them (e.g. inaccurate bank account details which may lead to wrongful money transfers), they may simultaneously invoke [[Article 16 GDPR]] (right to rectification) and Article 18 GDPR (right to restriction) in order to request the controller to suspend the processing the personal data until the data has been corrected.


====(d) Objection to Processing====
===== (b) Processing is unlawful, data should be erased, but the data subject opposes the erasure =====
''Help us fill this section!''
The right to restriction can also be exercised when it appears that a controller is processing personal data unlawfully, but the data subject requests restriction of the processing instead of the erasure of the personal data under Article 17 GDPR. The data subject does not have to justify this choice.<ref>''Dix,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 17 GDPR, margin number 6 (C.H. Beck 2019). Along the same line, ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).</ref> In such a case, the purpose of exercising the right conferred by Article 18 GDPR is to interrupt the unlawful processing operation whilst also preventing the data controller from erasing the personal data. The data subjects may want to oppose the erasure of their personal data for different reasons, including the fact that they still need (a copy) for their personal use.<ref>It might also be the case that the personal data constitute important evidence of the unlawful processing itself (e.g. health data which were collected without the consent of the data subject).</ref> The exercise of the right of restriction should automatically exclude any other processing of the data. However, it has been suggested that specifying the intention to exclude deletion could avoid any kind of misunderstanding with the controller.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).</ref>


Theoretically, data subjects could also prevent a controller from erasing their data by invoking [[Article 21 GDPR]].<ref>It must be recalled that, in accordance with Article 4(1) GDPR, deletion of personal data is a processing operation as such. By exercising their right to restriction of the processing, data subjects are therefore automatically putting controllers under the obligation ''not to'' erase their data, pending clarification of the unlawful nature of the processing.</ref> One may then question the relevance or added value of the right to restriction of the processing in the context of unlawful processing. However, it quickly becomes apparent from a careful reading of Article 21 GDPR that the right to object can only be exercised where the controller is processing personal data either on the basis of (i) its legitimate interest ([[Article 6 GDPR|Article 6(1)(f) GDPR]]) or (ii) the public interest ([[Article 6 GDPR|Article 6(1)(e) GDPR]]). Hence, data subjects may find themselves in a situation where the right to object does not apply, but the right to restriction of processing does. For example, if a controller is processing personal data for the performance of a contract under [[Article 6 GDPR|Article 6(1)(b) GDPR]], data subjects cannot object to the erasure of their data on the basis of Article 21 GDPR.<ref>They may, however, exercise the right to restriction of processing in order to request the controller ''not to erase'' personal data, while addressing the potential unlawful character of such processing.</ref>
===== (c) Purpose is achieved, data should be erased, but data subject opposes it to establish legal claims =====
Letter c) applies when the purpose of the processing has been achieved, personal data should be deleted under Article 17(1)(a), but the data subject opposes the erasure since the information is needed for the establishment, exercise or defence of legal claims. 
Once again, the right to restriction offers the possibility for data subjects to prevent the erasure of their personal data by the controller.<ref>In this case, there is a significant issue regarding the knowledge of the condition that permits the exercise of the right to restriction, which is when the purpose of the processing has been fulfilled. The data subject is often unaware of this circumstance, and their data may be deleted without giving them the opportunity to exercise their right. To address this, we suggest that the controller should inform the data subject when the purpose of the processing has been achieved to facilitate the exercise of their right under Article 12(2) of the GDPR.</ref> In this case, the data controller has to retain the personal data even though it might not need them anymore, in order to safeguard the data subject's legitimate interests, and in particular the right of a data subject to gather information to establish, exercise or defend themselves in the context of an ongoing or otherwise imminent legal claim.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin numbers 22-23 (C.H. Beck 2020, 3rd Edition).</ref> 
The restriction period should normally last until the data subject has been able to retrieve a copy of the relevant data, or until the legal claims are established, exercised or defended.  <blockquote><u>Example</u>: following the end of a work relationship, a data subject exercise their right to restriction of processing in order to prevent his prior employer from erasing personal data that are needed for his defence in the context of an action relating to unpaid wages or abusive dismissal. </blockquote>
===== (d) Objection to processing under Article 21(1) GDPR =====
The fourth and last legal basis concerns situations where a data subject has objected to the processing of personal data on the basis of [[Article 21 GDPR]], because the latter considers that the legitimate interests of the data controller in processing their personal data do not prevail over their interests, rights or freedoms. In parallel to exercising this right to object to the processing under [[Article 21 GDPR]], the data subject can also rely on Article 18 GDPR to force the controller to limit the processing of personal data to passive storage, pending a final decision on the underlying objection.<ref>To fully understand the relevance of this legal ground, it is first important to recall that the right to object as enshrined in [[Article 21 GDPR]] is not always absolute. As a matter of fact, data subjects may only object to the processing of their personal data in a limited number of situations, for example when the legal basis for such processing is a 'legitimate interest' invoked by the controller.</ref> <blockquote><u>Example</u>: an insurance company could decide to monitor and collect information about insured persons who are suspected of insurance fraud based on the company's legitimate interests. However, it must be ensured that the interests or fundamental rights and freedoms of the data subjects do not prevail over the legitimate interest invoked by the controller. </blockquote>This balancing exercise, which is incumbent on the controller, may nonetheless lead to discrepancies in opinion. If a dispute ensues, it will ultimately be for the competent data protection authority or national court to determine whether the objection was justified. However, this may take a more or less long period of time during which the data subjects may suffer harm. Hence, Article 18 GDPR may prove to be particularity useful in those instances since it confers data subjects the right to request the controller to also temporarily restrict the processing of their personal data, pending a final decision by the controller or, potentially, a court.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 27 (C.H. Beck 2020, 3rd ed.). Shares this view, ''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 18 GDPR, margin number 9 (C.H. Beck 2019).</ref>
===(2) Exceptions===
===(2) Exceptions===
Once activated, Article 18 GDPR places a dual obligation on the controller during the restriction period: (i) the obligation to ''store'' the personal data; and (ii) the obligation ''not to'' perform any other operation on the "''restricted''" data. The obligation ''not to'' process the personal data in any other way than storage may nevertheless be tempered if either of the following exceptions apply.


====Consent====
====Data subject's consent====
''Help us fill this section!''
A controller subject to a restriction request may still perform other processing operations than storage when this has been specifically allowed by the data subject. Indeed, data subjects can consent to the processing of their personal data beyond passive storage after having exercised their right under Article 18 GDPR.  <blockquote><u>Example</u>: A data subject invokes Article 18 GDPR upon closing a bank account, in order to ensure that the bank does not delete important financial information relating to money transfers made in the last two preceding years. However, the data subject may in parallel consent to the bank deleting data which are older than two years. </blockquote>


====Legal Claims====
====Legal claims ====
''Help us fill this section!''
A controller may reject a restriction request if processing is required for the establishment, exercise or defence of legal claims. This exception may of course become problematic when unduly or excessively relied on by controllers. By invoking it, controllers can indeed easily defeat the very purpose of the right to restriction of processing, which was to provide data subjects with an easy and quick way to alleviate the immediate risks pertaining to the processing of personal data. However, a controller may incur a fine if it wrongfully relies on that exception, in accordance with [[Article 83 GDPR|Article 83(5) GDPR]]. 


====Protection of Others' Rights====
====Protection of others' rights====
''Help us fill this section!''
A controller subject to a restriction request may decide to partly or fully reject that request, and therefore to continue processing the personal data of the data subject beyond passive storage, when this would be necessary for the protection of the rights of another natural or legal person. Also this exception may become problematic when unduly or excessively relied on by controllers, as already explained above. A fine under [[Article 83 GDPR|Article 83(5) GDPR]] is also possible in this case.


====Important Public Interest====
====Important public interest====
''Help us fill this section!''
A controller subject to a restriction request may decide to partly or fully reject it, and therefore to continue processing the personal data beyond passive storage when this would be necessary for reasons of important public interest of the EU or of a Member State. In contrast to Article 23(1)(e) GDPR, which sets out strict requirements for the Union or Member State's law restricting GDPR rights, Article 18(2) GDPR does not make any reference to the law and merely refers to the public interest.<ref>The list under Article 23 is however useful to delineate a definition of "public interest", among the others, national security, defence, public security, law enforcement and law enforcement, important economic or financial interests of the Union or of a Member State, such as monetary, budgetary, taxation, public health and social security, independence of the judiciary. Moreover, the GDPR acknowledges various other public interests. These may include public archival purposes, public scientific or historical research, or statistical purposes (Article 89), as well as the protection of public health (Article 9(2)(h) GDPR), public access to official documents (Article 86), and more. In these cases, a greater public interest must be demonstrated through a comprehensive balancing of interests. See, ''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 18 GDPR, margin numbers 34-35 (C.H. Beck 2018, 2nd edition).</ref> This makes it all the more important to have a restrictive interpretation of the provision, which results in a directly applicable limitation of the data subject's right to data protection.<ref>''Dix,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 17 GDPR, margin number 13 (C.H. Beck 2019).</ref> A controller may incur a fine if it wrongfully relies on this exception, in accordance with [[Article 83 GDPR|Article 83(5) GDPR]].


===(3) Information of the Data Subject===
===(3) Information to the Data Subject===
See also[[Article 19 GDPR| Article 19 GDPR]].  
Finally, the third paragraph of Article 18 GDPR specifies that a data subject who has obtained restriction of processing must be informed by the controller before the restriction of processing is lifted. This provides the data subject with the possibility to argue that the restriction period is not over yet, for example, if the latter considers that the underlying request, claim or objection has not been properly addressed or solved. Furthermore, granting restriction of processing imposes on the controller the obligation to notify any recipients to whom the personal data have been disclosed about the restriction, so that they can themselves adapt the processing of personal data to what is allowed and required.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 43 (C.H. Beck 2020, 3rd Edition).</ref> See also [[Article 19 GDPR]].  


==Decisions==
==Decisions==
Line 252: Line 265:
==References==
==References==
<references />
<references />
[[Category:GDPR Articles]]
[[Category:GDPR Articles]]

Latest revision as of 08:43, 7 March 2024

Article 18 - Right to restriction of processing
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 18 - Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Relevant Recitals

Recital 67: Right to Restriction of Processing
Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

Recital 156: Processing of Personal Data for Archiving Purposes in the Public Interest, Scientific, Historical Research or Statistical Purposes
The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

Commentary

When the conditions established by the GDPR are respected, the controller is generally able to decide over the use of personal data.

However, during the processing activities, questions may arise regarding the appropriateness of the processing, such as when the controller may delete information that the data subject relies upon as evidence or there is a dispute between the controller and the data subject about the accuracy of personal data.

To avoid potentially deletion, sharing or other processing leading to further harm to the data subject, the right to restriction of processing allows data subjects to temporarily limit the type of processing operations that a controller can perform on their personal data.[1] In such case, the controller is only allowed to passively store the personal data, but can no longer share, disclose, erase, or perform any other type of processing operation on them. The personal data gets "frozen", unless any of the specific exceptions under paragraph 2 applies.

The right to restriction of processing only applies during a limited period (the “restriction period”), at the end of which the controller is no longer bound to limit the processing. The length of this restriction period will vary from one case to another.

(1) Right to restriction of processing

The right to restriction of processing can be invoked by the data subjects in four different situations: (a) the accuracy of personal data is contested; (b) the processing is unlawful, data should be erased under Article 17, but the data subject opposes the erasure; (c) the purpose of the processing has been achieved, personal data should be deleted under Article 17(1)(a), but the data subject opposes the erasure since personal data are needed for the establishment, exercise or defence of legal claims; and (d) the data subject has objected to processing under Article 21 GDPR and request restriction while the interests assessment is carried out.[2]

The data subject has the right to obtain...

Whether or not the right to restriction applies is dependent on the specific circumstances outlined in Article 18(a) to (d) GDPR. In any case, the data subject is required to make certain declarations, such as disputing the accuracy of the data under (a), refusing deletion under (b), declaring the data is still needed for legal claims under (c), or objecting to the processing under (d). It is the responsibility of the data subject to present and provide evidence for the fulfillment of the requirements for a restriction.[3]

Example: XXX

That said, similar to the exercise of the right to rectification and erasure, the rules set out in Article 12, paragraphs 2 and following, apply to the submission of a request, including the obligation to facilitate the data subject (Article 12(2) and (3) GDPR), inform him or her about the measures taken (Article 12(3) and (4) GDPR), the right to receive this service free of charge (Article 12(5) GDPR) and the procedure for verifying the identity of the data subject in case of doubts (Articles 11 and Article 12(6) GDPR).

Example: XXX

Restriction of processing

Under Article 4(3) GDPR, "restriction of processing" means "the marking of stored personal data with the aim of limiting their processing in the future". According to Recital 67 GDPR, methods to restrict the processing of personal data include temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. In particular, the fact that the processing of personal data is restricted should clearly be indicated in the system.[4]

Where one of the following applies

The right to restriction of processing can be effectively exercised by data subjects when one of the following grounds applies:

(a) Accuracy of personal data is contested

Data subjects can exercise their right to restriction of the processing when it appears that their personal data are inaccurate and must be rectified under Article 16 GDPR. The rectification of personal data may take a variable period of time depending on the nature and amount of data, the diligence of the controller, etc. While awaiting the rectification of their personal data, data subjects may want to protect themselves from any adverse effect linked to the processing of their inaccurate data by restricting the type of operations that the controller can still perform on them. In that context, the right to restriction of processing can apply upon request of the data subject for the limited period of time during which a controller is verifying the accuracy and/or rectifying the personal data. Thus, the right to restriction of processing may be exercised after or in parallel to the right to rectification. For example, if a data subject notices that a controller is processing inaccurate personal data and that this may have an adverse effect on them (e.g. inaccurate bank account details which may lead to wrongful money transfers), they may simultaneously invoke Article 16 GDPR (right to rectification) and Article 18 GDPR (right to restriction) in order to request the controller to suspend the processing the personal data until the data has been corrected.

(b) Processing is unlawful, data should be erased, but the data subject opposes the erasure

The right to restriction can also be exercised when it appears that a controller is processing personal data unlawfully, but the data subject requests restriction of the processing instead of the erasure of the personal data under Article 17 GDPR. The data subject does not have to justify this choice.[5] In such a case, the purpose of exercising the right conferred by Article 18 GDPR is to interrupt the unlawful processing operation whilst also preventing the data controller from erasing the personal data. The data subjects may want to oppose the erasure of their personal data for different reasons, including the fact that they still need (a copy) for their personal use.[6] The exercise of the right of restriction should automatically exclude any other processing of the data. However, it has been suggested that specifying the intention to exclude deletion could avoid any kind of misunderstanding with the controller.[7]

Theoretically, data subjects could also prevent a controller from erasing their data by invoking Article 21 GDPR.[8] One may then question the relevance or added value of the right to restriction of the processing in the context of unlawful processing. However, it quickly becomes apparent from a careful reading of Article 21 GDPR that the right to object can only be exercised where the controller is processing personal data either on the basis of (i) its legitimate interest (Article 6(1)(f) GDPR) or (ii) the public interest (Article 6(1)(e) GDPR). Hence, data subjects may find themselves in a situation where the right to object does not apply, but the right to restriction of processing does. For example, if a controller is processing personal data for the performance of a contract under Article 6(1)(b) GDPR, data subjects cannot object to the erasure of their data on the basis of Article 21 GDPR.[9]

(c) Purpose is achieved, data should be erased, but data subject opposes it to establish legal claims

Letter c) applies when the purpose of the processing has been achieved, personal data should be deleted under Article 17(1)(a), but the data subject opposes the erasure since the information is needed for the establishment, exercise or defence of legal claims.

Once again, the right to restriction offers the possibility for data subjects to prevent the erasure of their personal data by the controller.[10] In this case, the data controller has to retain the personal data even though it might not need them anymore, in order to safeguard the data subject's legitimate interests, and in particular the right of a data subject to gather information to establish, exercise or defend themselves in the context of an ongoing or otherwise imminent legal claim.[11]

The restriction period should normally last until the data subject has been able to retrieve a copy of the relevant data, or until the legal claims are established, exercised or defended.

Example: following the end of a work relationship, a data subject exercise their right to restriction of processing in order to prevent his prior employer from erasing personal data that are needed for his defence in the context of an action relating to unpaid wages or abusive dismissal.

(d) Objection to processing under Article 21(1) GDPR

The fourth and last legal basis concerns situations where a data subject has objected to the processing of personal data on the basis of Article 21 GDPR, because the latter considers that the legitimate interests of the data controller in processing their personal data do not prevail over their interests, rights or freedoms. In parallel to exercising this right to object to the processing under Article 21 GDPR, the data subject can also rely on Article 18 GDPR to force the controller to limit the processing of personal data to passive storage, pending a final decision on the underlying objection.[12]

Example: an insurance company could decide to monitor and collect information about insured persons who are suspected of insurance fraud based on the company's legitimate interests. However, it must be ensured that the interests or fundamental rights and freedoms of the data subjects do not prevail over the legitimate interest invoked by the controller.

This balancing exercise, which is incumbent on the controller, may nonetheless lead to discrepancies in opinion. If a dispute ensues, it will ultimately be for the competent data protection authority or national court to determine whether the objection was justified. However, this may take a more or less long period of time during which the data subjects may suffer harm. Hence, Article 18 GDPR may prove to be particularity useful in those instances since it confers data subjects the right to request the controller to also temporarily restrict the processing of their personal data, pending a final decision by the controller or, potentially, a court.[13]

(2) Exceptions

Once activated, Article 18 GDPR places a dual obligation on the controller during the restriction period: (i) the obligation to store the personal data; and (ii) the obligation not to perform any other operation on the "restricted" data. The obligation not to process the personal data in any other way than storage may nevertheless be tempered if either of the following exceptions apply.

Data subject's consent

A controller subject to a restriction request may still perform other processing operations than storage when this has been specifically allowed by the data subject. Indeed, data subjects can consent to the processing of their personal data beyond passive storage after having exercised their right under Article 18 GDPR.

Example: A data subject invokes Article 18 GDPR upon closing a bank account, in order to ensure that the bank does not delete important financial information relating to money transfers made in the last two preceding years. However, the data subject may in parallel consent to the bank deleting data which are older than two years.

Legal claims

A controller may reject a restriction request if processing is required for the establishment, exercise or defence of legal claims. This exception may of course become problematic when unduly or excessively relied on by controllers. By invoking it, controllers can indeed easily defeat the very purpose of the right to restriction of processing, which was to provide data subjects with an easy and quick way to alleviate the immediate risks pertaining to the processing of personal data. However, a controller may incur a fine if it wrongfully relies on that exception, in accordance with Article 83(5) GDPR.

Protection of others' rights

A controller subject to a restriction request may decide to partly or fully reject that request, and therefore to continue processing the personal data of the data subject beyond passive storage, when this would be necessary for the protection of the rights of another natural or legal person. Also this exception may become problematic when unduly or excessively relied on by controllers, as already explained above. A fine under Article 83(5) GDPR is also possible in this case.

Important public interest

A controller subject to a restriction request may decide to partly or fully reject it, and therefore to continue processing the personal data beyond passive storage when this would be necessary for reasons of important public interest of the EU or of a Member State. In contrast to Article 23(1)(e) GDPR, which sets out strict requirements for the Union or Member State's law restricting GDPR rights, Article 18(2) GDPR does not make any reference to the law and merely refers to the public interest.[14] This makes it all the more important to have a restrictive interpretation of the provision, which results in a directly applicable limitation of the data subject's right to data protection.[15] A controller may incur a fine if it wrongfully relies on this exception, in accordance with Article 83(5) GDPR.

(3) Information to the Data Subject

Finally, the third paragraph of Article 18 GDPR specifies that a data subject who has obtained restriction of processing must be informed by the controller before the restriction of processing is lifted. This provides the data subject with the possibility to argue that the restriction period is not over yet, for example, if the latter considers that the underlying request, claim or objection has not been properly addressed or solved. Furthermore, granting restriction of processing imposes on the controller the obligation to notify any recipients to whom the personal data have been disclosed about the restriction, so that they can themselves adapt the processing of personal data to what is allowed and required.[16] See also Article 19 GDPR.

Decisions

→ You can find all related decisions in Category:Article 18 GDPR

References

  1. The right to restriction of processing was introduced in 2016 by the GDPR although a somewhat similar protection could already be found in Article 12(2) of Directive 95/46 (DPD). That provision gave data subjects the possibility to request the “blocking of data” where the processing was unlawful. However, the DPD did not specify the meaning of 'blocking' or what it would actually require from the controller. The lack of clarity of that provision prompted the Commission to replace any reference to the 'blocking' of personal by a new and more specific right under the GDPR. See, Gonzáles Fuster, in Kuner, Bygrave and Docksey, The EU General Data Protection Regulation (GDPR), A commentary, Article 18 GDPR, p. 487 (Oxford University Press, 2020).
  2. Each of these situations is characterised by the existence of an ongoing claim or objection relating to the processing of the personal data. For example, when the accuracy of the personal data is contested under Article 16 GDPR. In that case, Article 18 GDPR offers data subjects the possibility to temporarily require controllers to restrict the processing of their inaccurate personal data, pending its rectification. This mitigates immediate risks caused by the continuous processing of inaccurate personal data.
  3. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 18 GDPR, margin number 10 (C.H. Beck 2018, 2nd Edition).
  4. In case of automated processing, marking the data records as "blocked" is sufficient but only if the software accessing the marked data sets is able to recognise that only permitted processing operations under Article 18(2) are possible. See, Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 30 (C.H. Beck 2020, 3rd Edition).
  5. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 17 GDPR, margin number 6 (C.H. Beck 2019). Along the same line, Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).
  6. It might also be the case that the personal data constitute important evidence of the unlawful processing itself (e.g. health data which were collected without the consent of the data subject).
  7. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).
  8. It must be recalled that, in accordance with Article 4(1) GDPR, deletion of personal data is a processing operation as such. By exercising their right to restriction of the processing, data subjects are therefore automatically putting controllers under the obligation not to erase their data, pending clarification of the unlawful nature of the processing.
  9. They may, however, exercise the right to restriction of processing in order to request the controller not to erase personal data, while addressing the potential unlawful character of such processing.
  10. In this case, there is a significant issue regarding the knowledge of the condition that permits the exercise of the right to restriction, which is when the purpose of the processing has been fulfilled. The data subject is often unaware of this circumstance, and their data may be deleted without giving them the opportunity to exercise their right. To address this, we suggest that the controller should inform the data subject when the purpose of the processing has been achieved to facilitate the exercise of their right under Article 12(2) of the GDPR.
  11. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin numbers 22-23 (C.H. Beck 2020, 3rd Edition).
  12. To fully understand the relevance of this legal ground, it is first important to recall that the right to object as enshrined in Article 21 GDPR is not always absolute. As a matter of fact, data subjects may only object to the processing of their personal data in a limited number of situations, for example when the legal basis for such processing is a 'legitimate interest' invoked by the controller.
  13. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 27 (C.H. Beck 2020, 3rd ed.). Shares this view, Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 18 GDPR, margin number 9 (C.H. Beck 2019).
  14. The list under Article 23 is however useful to delineate a definition of "public interest", among the others, national security, defence, public security, law enforcement and law enforcement, important economic or financial interests of the Union or of a Member State, such as monetary, budgetary, taxation, public health and social security, independence of the judiciary. Moreover, the GDPR acknowledges various other public interests. These may include public archival purposes, public scientific or historical research, or statistical purposes (Article 89), as well as the protection of public health (Article 9(2)(h) GDPR), public access to official documents (Article 86), and more. In these cases, a greater public interest must be demonstrated through a comprehensive balancing of interests. See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 18 GDPR, margin numbers 34-35 (C.H. Beck 2018, 2nd edition).
  15. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 17 GDPR, margin number 13 (C.H. Beck 2019).
  16. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 43 (C.H. Beck 2020, 3rd Edition).