Article 18 GDPR

From GDPRhub
Article 18 - Right to restriction of processing

Legal Text


Article 18 - Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Relevant Recitals

Recital 67: Methods for the restriction of processing - Article 18

Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

Commentary

The right to restriction of processing was newly established for data subjects with the GDPR. When a data subject asks for restriction of processing and one of the cases listed below applies, the data controller may still store the personal data, but it cannot otherwise process it without consent unless an exception applies. The GDPR also provides a definition of restriction of processing in Article 4(3). Data subjects bear the burden of demonstrating and proving that one of the following legal grounds applies, whereas data controllers always bear the burden of demonstrating and proving that an exception applies. Recital 67 provides insight into possible methods to implement restriction of processing.

(1) Legal grounds

The right can be effectively exercised only when one of the following grounds applies.

(a) Contestation of accuracy

Help us fill this section!

(b) Unlawful processing

Help us fill this section!

(c) Legal claims

In this case the data controller has to retain the personal data, even though it might no longer need it, in order to protect the data subject's legitimate interests. The restriction period should normally last until the data subject's legal claims are established, exercised or defended.

(d) Objection to processing

Help us fill this section!

(2) Exceptions

Consent

Help us fill this section!

Legal claims

Help us fill this section!

Protection of others' rights

Help us fill this section!

Important public interest

Help us fill this section!

(3) Information of the data subject

See also Article 19 GDPR.

Decisions

→ You can find all related decisions in Category:Article 18 GDPR
