Article 18 GDPR

From GDPRhub
Article 18 - Right to restriction of processing
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 18 - Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Relevant Recitals

Recital 67: Right to Restriction of Processing
Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

Recital 156: Processing of Personal Data for Archiving Purposes in the Public Interest, Scientific, Historical Research or Statistical Purposes
The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

Commentary

When the conditions established by the GDPR are respected, the controller is generally able to decide over the use of personal data.

However, during the processing activities, questions may arise regarding the appropriateness of the processing, such as when the controller may delete information that the data subject relies upon as evidence or there is a dispute between the controller and the data subject about the accuracy of personal data.

To avoid potentially deletion, sharing or other processing leading to further harm to the data subject, the right to restriction of processing allows data subjects to temporarily limit the type of processing operations that a controller can perform on their personal data.[1] In such case, the controller is only allowed to passively store the personal data, but can no longer share, disclose, erase, or perform any other type of processing operation on them. The personal data gets "frozen", unless any of the specific exceptions under paragraph 2 applies.

The right to restriction of processing only applies during a limited period (the “restriction period”), at the end of which the controller is no longer bound to limit the processing. The length of this restriction period will vary from one case to another.

(1) Right to restriction of processing

The right to restriction of processing can be invoked by the data subjects in four different situations: (a) the accuracy of personal data is contested; (b) the processing is unlawful, data should be erased under Article 17, but the data subject opposes the erasure; (c) the purpose of the processing has been achieved, personal data should be deleted under Article 17(1)(a), but the data subject opposes the erasure since personal data are needed for the establishment, exercise or defence of legal claims; and (d) the data subject has objected to processing under Article 21 GDPR and request restriction while the interests assessment is carried out.[2]

The data subject has the right to obtain...

Whether or not the right to restriction applies is dependent on the specific circumstances outlined in Article 18(a) to (d) GDPR. In any case, the data subject is required to make certain declarations, such as disputing the accuracy of the data under (a), refusing deletion under (b), declaring the data is still needed for legal claims under (c), or objecting to the processing under (d). It is the responsibility of the data subject to present and provide evidence for the fulfillment of the requirements for a restriction.[3]

Example: XXX

That said, similar to the exercise of the right to rectification and erasure, the rules set out in Article 12, paragraphs 2 and following, apply to the submission of a request, including the obligation to facilitate the data subject (Article 12(2) and (3) GDPR), inform him or her about the measures taken (Article 12(3) and (4) GDPR), the right to receive this service free of charge (Article 12(5) GDPR) and the procedure for verifying the identity of the data subject in case of doubts (Articles 11 and Article 12(6) GDPR).

Example: XXX

Restriction of processing

Under Article 4(3) GDPR, "restriction of processing" means "the marking of stored personal data with the aim of limiting their processing in the future". According to Recital 67 GDPR, methods to restrict the processing of personal data include temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. In particular, the fact that the processing of personal data is restricted should clearly be indicated in the system.[4]

Where one of the following applies

The right to restriction of processing can be effectively exercised by data subjects when one of the following grounds applies:

(a) Accuracy of personal data is contested

Data subjects can exercise their right to restriction of the processing when it appears that their personal data are inaccurate and must be rectified under Article 16 GDPR. The rectification of personal data may take a variable period of time depending on the nature and amount of data, the diligence of the controller, etc. While awaiting the rectification of their personal data, data subjects may want to protect themselves from any adverse effect linked to the processing of their inaccurate data by restricting the type of operations that the controller can still perform on them. In that context, the right to restriction of processing can apply upon request of the data subject for the limited period of time during which a controller is verifying the accuracy and/or rectifying the personal data. Thus, the right to restriction of processing may be exercised after or in parallel to the right to rectification. For example, if a data subject notices that a controller is processing inaccurate personal data and that this may have an adverse effect on them (e.g. inaccurate bank account details which may lead to wrongful money transfers), they may simultaneously invoke Article 16 GDPR (right to rectification) and Article 18 GDPR (right to restriction) in order to request the controller to suspend the processing the personal data until the data has been corrected.

(b) Processing is unlawful, data should be erased, but the data subject opposes the erasure

The right to restriction can also be exercised when it appears that a controller is processing personal data unlawfully, but the data subject requests restriction of the processing instead of the erasure of the personal data under Article 17 GDPR. The data subject does not have to justify this choice.[5] In such a case, the purpose of exercising the right conferred by Article 18 GDPR is to interrupt the unlawful processing operation whilst also preventing the data controller from erasing the personal data. The data subjects may want to oppose the erasure of their personal data for different reasons, including the fact that they still need (a copy) for their personal use.[6] The exercise of the right of restriction should automatically exclude any other processing of the data. However, it has been suggested that specifying the intention to exclude deletion could avoid any kind of misunderstanding with the controller.[7]

Theoretically, data subjects could also prevent a controller from erasing their data by invoking Article 21 GDPR.[8] One may then question the relevance or added value of the right to restriction of the processing in the context of unlawful processing. However, it quickly becomes apparent from a careful reading of Article 21 GDPR that the right to object can only be exercised where the controller is processing personal data either on the basis of (i) its legitimate interest (Article 6(1)(f) GDPR) or (ii) the public interest (Article 6(1)(e) GDPR). Hence, data subjects may find themselves in a situation where the right to object does not apply, but the right to restriction of processing does. For example, if a controller is processing personal data for the performance of a contract under Article 6(1)(b) GDPR, data subjects cannot object to the erasure of their data on the basis of Article 21 GDPR.[9]

(c) Purpose is achieved, data should be erased, but data subject opposes it to establish legal claims

Letter c) applies when the purpose of the processing has been achieved, personal data should be deleted under Article 17(1)(a), but the data subject opposes the erasure since the information is needed for the establishment, exercise or defence of legal claims.

Once again, the right to restriction offers the possibility for data subjects to prevent the erasure of their personal data by the controller.[10] In this case, the data controller has to retain the personal data even though it might not need them anymore, in order to safeguard the data subject's legitimate interests, and in particular the right of a data subject to gather information to establish, exercise or defend themselves in the context of an ongoing or otherwise imminent legal claim.[11]

The restriction period should normally last until the data subject has been able to retrieve a copy of the relevant data, or until the legal claims are established, exercised or defended.

Example: following the end of a work relationship, a data subject exercise their right to restriction of processing in order to prevent his prior employer from erasing personal data that are needed for his defence in the context of an action relating to unpaid wages or abusive dismissal.

(d) Objection to processing under Article 21(1) GDPR

The fourth and last legal basis concerns situations where a data subject has objected to the processing of personal data on the basis of Article 21 GDPR, because the latter considers that the legitimate interests of the data controller in processing their personal data do not prevail over their interests, rights or freedoms. In parallel to exercising this right to object to the processing under Article 21 GDPR, the data subject can also rely on Article 18 GDPR to force the controller to limit the processing of personal data to passive storage, pending a final decision on the underlying objection.[12]

Example: an insurance company could decide to monitor and collect information about insured persons who are suspected of insurance fraud based on the company's legitimate interests. However, it must be ensured that the interests or fundamental rights and freedoms of the data subjects do not prevail over the legitimate interest invoked by the controller.

This balancing exercise, which is incumbent on the controller, may nonetheless lead to discrepancies in opinion. If a dispute ensues, it will ultimately be for the competent data protection authority or national court to determine whether the objection was justified. However, this may take a more or less long period of time during which the data subjects may suffer harm. Hence, Article 18 GDPR may prove to be particularity useful in those instances since it confers data subjects the right to request the controller to also temporarily restrict the processing of their personal data, pending a final decision by the controller or, potentially, a court.[13]

(2) Exceptions

Once activated, Article 18 GDPR places a dual obligation on the controller during the restriction period: (i) the obligation to store the personal data; and (ii) the obligation not to perform any other operation on the "restricted" data. The obligation not to process the personal data in any other way than storage may nevertheless be tempered if either of the following exceptions apply.

Data subject's consent

A controller subject to a restriction request may still perform other processing operations than storage when this has been specifically allowed by the data subject. Indeed, data subjects can consent to the processing of their personal data beyond passive storage after having exercised their right under Article 18 GDPR.

Example: A data subject invokes Article 18 GDPR upon closing a bank account, in order to ensure that the bank does not delete important financial information relating to money transfers made in the last two preceding years. However, the data subject may in parallel consent to the bank deleting data which are older than two years.

Legal claims

A controller may reject a restriction request if processing is required for the establishment, exercise or defence of legal claims. This exception may of course become problematic when unduly or excessively relied on by controllers. By invoking it, controllers can indeed easily defeat the very purpose of the right to restriction of processing, which was to provide data subjects with an easy and quick way to alleviate the immediate risks pertaining to the processing of personal data. However, a controller may incur a fine if it wrongfully relies on that exception, in accordance with Article 83(5) GDPR.

Protection of others' rights

A controller subject to a restriction request may decide to partly or fully reject that request, and therefore to continue processing the personal data of the data subject beyond passive storage, when this would be necessary for the protection of the rights of another natural or legal person. Also this exception may become problematic when unduly or excessively relied on by controllers, as already explained above. A fine under Article 83(5) GDPR is also possible in this case.

Important public interest

A controller subject to a restriction request may decide to partly or fully reject it, and therefore to continue processing the personal data beyond passive storage when this would be necessary for reasons of important public interest of the EU or of a Member State. In contrast to Article 23(1)(e) GDPR, which sets out strict requirements for the Union or Member State's law restricting GDPR rights, Article 18(2) GDPR does not make any reference to the law and merely refers to the public interest.[14] This makes it all the more important to have a restrictive interpretation of the provision, which results in a directly applicable limitation of the data subject's right to data protection.[15] A controller may incur a fine if it wrongfully relies on this exception, in accordance with Article 83(5) GDPR.

(3) Information to the Data Subject

Finally, the third paragraph of Article 18 GDPR specifies that a data subject who has obtained restriction of processing must be informed by the controller before the restriction of processing is lifted. This provides the data subject with the possibility to argue that the restriction period is not over yet, for example, if the latter considers that the underlying request, claim or objection has not been properly addressed or solved. Furthermore, granting restriction of processing imposes on the controller the obligation to notify any recipients to whom the personal data have been disclosed about the restriction, so that they can themselves adapt the processing of personal data to what is allowed and required.[16] See also Article 19 GDPR.

Decisions

→ You can find all related decisions in Category:Article 18 GDPR

References

  1. The right to restriction of processing was introduced in 2016 by the GDPR although a somewhat similar protection could already be found in Article 12(2) of Directive 95/46 (DPD). That provision gave data subjects the possibility to request the “blocking of data” where the processing was unlawful. However, the DPD did not specify the meaning of 'blocking' or what it would actually require from the controller. The lack of clarity of that provision prompted the Commission to replace any reference to the 'blocking' of personal by a new and more specific right under the GDPR. See, Gonzáles Fuster, in Kuner, Bygrave and Docksey, The EU General Data Protection Regulation (GDPR), A commentary, Article 18 GDPR, p. 487 (Oxford University Press, 2020).
  2. Each of these situations is characterised by the existence of an ongoing claim or objection relating to the processing of the personal data. For example, when the accuracy of the personal data is contested under Article 16 GDPR. In that case, Article 18 GDPR offers data subjects the possibility to temporarily require controllers to restrict the processing of their inaccurate personal data, pending its rectification. This mitigates immediate risks caused by the continuous processing of inaccurate personal data.
  3. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 18 GDPR, margin number 10 (C.H. Beck 2018, 2nd Edition).
  4. In case of automated processing, marking the data records as "blocked" is sufficient but only if the software accessing the marked data sets is able to recognise that only permitted processing operations under Article 18(2) are possible. See, Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 30 (C.H. Beck 2020, 3rd Edition).
  5. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 17 GDPR, margin number 6 (C.H. Beck 2019). Along the same line, Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).
  6. It might also be the case that the personal data constitute important evidence of the unlawful processing itself (e.g. health data which were collected without the consent of the data subject).
  7. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).
  8. It must be recalled that, in accordance with Article 4(1) GDPR, deletion of personal data is a processing operation as such. By exercising their right to restriction of the processing, data subjects are therefore automatically putting controllers under the obligation not to erase their data, pending clarification of the unlawful nature of the processing.
  9. They may, however, exercise the right to restriction of processing in order to request the controller not to erase personal data, while addressing the potential unlawful character of such processing.
  10. In this case, there is a significant issue regarding the knowledge of the condition that permits the exercise of the right to restriction, which is when the purpose of the processing has been fulfilled. The data subject is often unaware of this circumstance, and their data may be deleted without giving them the opportunity to exercise their right. To address this, we suggest that the controller should inform the data subject when the purpose of the processing has been achieved to facilitate the exercise of their right under Article 12(2) of the GDPR.
  11. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin numbers 22-23 (C.H. Beck 2020, 3rd Edition).
  12. To fully understand the relevance of this legal ground, it is first important to recall that the right to object as enshrined in Article 21 GDPR is not always absolute. As a matter of fact, data subjects may only object to the processing of their personal data in a limited number of situations, for example when the legal basis for such processing is a 'legitimate interest' invoked by the controller.
  13. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 27 (C.H. Beck 2020, 3rd ed.). Shares this view, Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 18 GDPR, margin number 9 (C.H. Beck 2019).
  14. The list under Article 23 is however useful to delineate a definition of "public interest", among the others, national security, defence, public security, law enforcement and law enforcement, important economic or financial interests of the Union or of a Member State, such as monetary, budgetary, taxation, public health and social security, independence of the judiciary. Moreover, the GDPR acknowledges various other public interests. These may include public archival purposes, public scientific or historical research, or statistical purposes (Article 89), as well as the protection of public health (Article 9(2)(h) GDPR), public access to official documents (Article 86), and more. In these cases, a greater public interest must be demonstrated through a comprehensive balancing of interests. See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 18 GDPR, margin numbers 34-35 (C.H. Beck 2018, 2nd edition).
  15. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 17 GDPR, margin number 13 (C.H. Beck 2019).
  16. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 18 GDPR, margin number 43 (C.H. Beck 2020, 3rd Edition).