Article 18 GDPR: Difference between revisions

From GDPRhub
Line 214: Line 214:
As previously mentioned, the right to restriction of processing can be effectively exercised only when one of the following grounds applies:  
As previously mentioned, the right to restriction of processing can be effectively exercised only when one of the following grounds applies:  


====(a) Contestation of Accuracy====
====(a) The Accuracy of the Personal Data is Contested====
''Help us fill this section!''
Data subjects have a right to rectification of their personal data under [[Article 16 GDPR]]. The rectification of personal data may however take a short or longer period of time depending on various factors, such as the diligence of the controller, the amount of data, or the scope of the error. While awaiting the rectification of their personal data, data subjects may want to protect themselves from any adverse effect linked to the continuous processing of erroneous or incomplete data. In that context, the right to restriction of processing can apply upon request of the data subject for the limited period of time during which a controller is verifying the accuracy and/or rectifying the personal data. The right to restriction of processing may be exercised after or in parallel to the right to rectification. For example, if a data subject notices that a controller is processing inaccurate personal data and that such processing can have adverse consequences for him or her, he or she may invoke simultaneously [[Article 16 GDPR]] (right to rectification) and Article 18 GDPR in order to request the controller to stop processing the personal data (except for storage) until the personal data have been rectified.


====(b) Unlawful Processing====
====(b) Unlawful Processing====
''Help us fill this section!''
If it is found that a controller is processing personal data unlawfully, for example because the processing does not have any valid legal basis (as listed in [[Article 6 GDPR|Article 6]] or [[Article 9 GDPR]]), the controller or processor may decide to erase the personal data in order to put an end to the unlawful processing operations. Similarly, a controller may have planned to delete personal data at a given date in order to comply with the GDPR, including the storage limitation principle enshrined in [[Article 5 GDPR|Article 5(1)(e) GDPR]]. In some instances, however, the data subjects may want to prevent or temporarily suspend the erasure of the personal data because the latter are still useful or necessary for his or her own purpose. The right to restriction of processing enables data subjects to <span id="1b">oppose the erasure of their personal data and to request the restriction of their use instead. The controller or processor are then put under the obligation to keep the personal data until, for example, the data subject has been able to obtain a copy of them.</span>
 
It is interesting to note in this respect that data subjects also have the right to object to the processing of personal data by exercising their right to object under [[Article 21 GDPR]]. Theoretically, a data subject could thus also object to the erasure of his or her personal data by a controller or processor. One may thus question the relevance of this parallel right to restriction of the processing.


====(c) Legal Claims====
====(c) Legal Claims====

Revision as of 15:03, 10 September 2021

Article 18 - Right to restriction of processing
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 18 - Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Relevant Recitals

Recital 67: Right to Restriction of Processing
Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

Recital 156: Processing of Personal Data for Archiving Purposes in the Public Interest, Scientific, Historical Research or Statistical Purposes
The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

Commentary on Article 18

The right to restriction of processing is a right which allows the data subject to temporarily limit the type of processing operations that a controller or processor can perform on his or her personal data.

The right to restriction of processing was introduced by the GDPR. It did not have any identical or close equivalent under the Directive 95/46 (DPD). Rather, Article 12(2) DPD referred to the possibility for the data subjects to request the 'blocking of data' in case the processing was unlawful. The DPD did not specify, however, the meaning of 'blocking' personal data would concretely entail. The lack of clarity of that provision prompted the Commission to replace any reference to the 'blocking' of personal by an additional and more specific right for the data subjects: the right to restriction of processing.

The right to restriction of processing can be invoked in four different situations by the data subjects, as further detailed below (see below 'Legal Grounds'). Those situations have two elements in common: (1) the existence of an ongoing claim or objection relating to the personal data, and (2) the possibility for the data subject to temporarily restrict the processing of his or her data, awaiting the resolution of that claim or objection. More specifically, when a data subject exercises his right to restriction of processing under Article 18 GDPR, the controller or processor becomes subject to a dual obligation: (1) the obligation to store the personal data; and (2) the obligation not to perform any other operation on the personal data. The controller or processor therefore becomes a passive holder of the personal data, and is not allowed to disclose them, erase them, or perform any other operation on them, unless a specific exception applies (e.g. consent of the data subject).

(1) Legal Grounds

As previously mentioned, the right to restriction of processing can be effectively exercised only when one of the following grounds applies:

(a) The Accuracy of the Personal Data is Contested

Data subjects have a right to rectification of their personal data under Article 16 GDPR. The rectification of personal data may however take a short or longer period of time depending on various factors, such as the diligence of the controller, the amount of data, or the scope of the error. While awaiting the rectification of their personal data, data subjects may want to protect themselves from any adverse effect linked to the continuous processing of erroneous or incomplete data. In that context, the right to restriction of processing can apply upon request of the data subject for the limited period of time during which a controller is verifying the accuracy and/or rectifying the personal data. The right to restriction of processing may be exercised after or in parallel to the right to rectification. For example, if a data subject notices that a controller is processing inaccurate personal data and that such processing can have adverse consequences for him or her, he or she may invoke simultaneously Article 16 GDPR (right to rectification) and Article 18 GDPR in order to request the controller to stop processing the personal data (except for storage) until the personal data have been rectified.

(b) Unlawful Processing

If it is found that a controller is processing personal data unlawfully, for example because the processing does not have any valid legal basis (as listed in Article 6 or Article 9 GDPR), the controller or processor may decide to erase the personal data in order to put an end to the unlawful processing operations. Similarly, a controller may have planned to delete personal data at a given date in order to comply with the GDPR, including the storage limitation principle enshrined in Article 5(1)(e) GDPR. In some instances, however, the data subjects may want to prevent or temporarily suspend the erasure of the personal data because the latter are still useful or necessary for his or her own purpose. The right to restriction of processing enables data subjects to oppose the erasure of their personal data and to request the restriction of their use instead. The controller or processor are then put under the obligation to keep the personal data until, for example, the data subject has been able to obtain a copy of them.

It is interesting to note in this respect that data subjects also have the right to object to the processing of personal data by exercising their right to object under Article 21 GDPR. Theoretically, a data subject could thus also object to the erasure of his or her personal data by a controller or processor. One may thus question the relevance of this parallel right to restriction of the processing.

(c) Legal Claims

In this case the data controller has to retain the personal data even though it might not need it anymore, in order to ensure the data subject's legitimate interests. The restriction period should normally last until the data subject's legal claims are established, exercised or defended.

(d) Objection to Processing

Help us fill this section!

(2) Exceptions

Consent

Help us fill this section!

Legal Claims

Help us fill this section!

Protection of Others' Rights

Help us fill this section!

Important Public Interest

Help us fill this section!

(3) Information of the Data Subject

See also Article 19 GDPR.

Decisions

→ You can find all related decisions in Category:Article 18 GDPR

References