1. Home
  2. Data subject's rights
  3. Restriction of processing under the GDPR: what is it?
Searching...
EDPB - EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space
12 Jul. 2022
EDPB-EDPS Joint Opinion 03/2022
Download document
EDPB - Statement 02/2022 on personal data transfers to the Russian Federation
12 Jul. 2022
Statement 02/2022
Download document
EDPB - CSC Work Programme 2022-2024
6 Jul. 2022
CSC Work program 2022-2024
Download document
EDPB - Opinion 11/2022 on the draft decision of the competent supervisory authority of Poland regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 11/2022
Download document
EDPB - Opinion 12/2022 on the draft decision of the competent supervisory authority of France regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 12/2022
Download document
EDPB - Opinion 13/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 13/2022
Download document
EDPB - Opinion 14/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 14/2022
Download document
EDPB - Opinion 15/2022 on the draft decision of the competent supervisory authority of Luxembourg regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 15/2022
Download document
EDPB - Opinion 16/2022 on the draft decision of the competent supervisory authority of Slovenia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 16/2022
Download document
CJEU – Ligue des droits humains v Conseil des ministres – C-817/19
21 Jun. 2022
Ligue des droits humains
EDPB - Response to EDRi regarding the structural and procedural enforcement of the GDPR and its work to promote and safeguard data protection
14 Jun. 2022
EDPB GDPR Enforcement Letter
Download document
EDPB - Response of the EDPB to the European Commission's targeted consultation on a digital euro
14 Jun. 2022
EDPB Digital Euro Letter
Download document
EDPB - Guidelines 07/2022 on certification as a tool for transfers - Version 1.0
14 Jun. 2022
Guidelines 07/2022
Download document
EDPB - EDPB response to the joint payments industry regarding the Guidelines on the interplay of Second Payment Services Directive (PSD2) and GDPR
12 May. 2022
EDPB Guidelines PSD2 and GDPR Letter
Download document
EDPB - Guidelines 06/2022 on the practical implementation of amicable settlements - Version 2.0
12 May. 2022
Guidelines 06/2022
Download document

Restriction of processing under the GDPR: what is it?

Contents

Restriction of processing as mentioned in article 18 GDPR, effectively ‘pauses’ or ‘freezes’ further processing operations. What does this mean and what are the consequences when a data subject invokes this right?

Importance of the processing restriction right

Before we dive into the definition of the right to restriction of processing, we highlight four points on why it is important to comply with the relevant GDPR provisions.

Responsibility of the controller

First of all, every controller is responsible to process personal data in such manner that its activities can facilitate the data subject’s rights, including the right to restriction of processing (see e.g. 24 GDPR). The GDPR expects that the controller facilitates this and other rights based on the principle of data protection by design and by default (25 GDPR). This is why the EDPB recommends the use of so-called profile management systems. These allow data subjects to change their privacy settings and provide them with control over their data. An effective way to exercise their rights, including their right to restrict the processing (EDPB Guidelines 1/2020, paras. 90 – 91).

Processor’s role

Second, processors play an important role. They need to build software or otherwise ensure that measures are in place which enable data subjects to exercise of their rights. Otherwise controllers cannot live up to their GDPR responsibilities.

There are at least two additional arguments on why processors should care about the controller’s GDPR responsibilites:

  1. Controllers are only allowed to use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the GDPR requirements and ensure the protection of the data subject’s rights (28(1) GDPR).
  2. Processors need to assist the controller by appropriate technical and organisational measures (insofar as this is possible) for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights, including the data restriction right (28(3)(e) GDPR).

Reasons why processors need to facilitate data subject rights, such as the right to restriction of processing.

SAs can order processing restrictions

Third, SAs have the power to order restriction of processing pursuant as well as the notification of such action to recipients to whom the personal data have been disclosed (58(2) GDPR). Controllers need to comply with such orders.

Adverse effects and fines following non-compliance

Last, but certainly not least, the right to restriction of processing aims to protect the data subject in several situations. For instance, the right can help the data subject to correct inaccurate data which have an adverse effect for him or her. Reasons why this right should not be overlooked.

The GDPR underlines the right’s importance considering the potential fines. Infringements regarding the restriction right and the accompanying obligation to notify recipients are subject to administrative fines up to 20,000,000.00 EUR (two million Euros), or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (83(2) GDPR). This is the highest category of GDPR fines.

Reminder: specific derogations and transparency obligations

Keep the following in mind. According to the GDPR, EU or Member State law may provide for derogations from the right to restriction of processing (23 GDPR, 89 GDPR). Therefore, always consider if any laws contain specific provisions which apply to your situation.

Next to this, controllers must provide information to data subjects on their rights, including the right to restriction of processing (1214 GDPR, see also WP260rev1). Such information should also be provided as part of the right of access by the data subject (15(1)(e) GDPR).

What is the restriction of processing?

The terms restriction of processing are defined in 4 GDPR as:

“the marking of stored personal data with the aim of limiting their processing in the future.”

The accompanying recital explains what this right means in practice. The restriction of processing entails:

“(…) Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. (…)”
Recital 67

The definition of restriction of processing speaks of the marking of stored data. Yet, based on the recital it is clear that this right is about ‘pausing’ or ‘freezing’ the data processing activities. In other words, the controller has to ensure that the personal data are not subject to further processing operations and cannot be changed. This could mean that in certain cases the mere marking of data is not good enough, but that published data have to be removed as well.

The recital offers two more hints on how restriction of processing should be facilitated:

  1. First, in automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed.
  2. Second, the fact that the processing of personal data is restricted should be clearly indicated in the filing system. In the context of Directive 2016/680, the WP29 recommends that the restrictions should be documented and mention for instance when the limitation started and stopped (WP258, pp. 21 – 22).

Whether the WP29’s recommendation should apply under the GDPR remains unclear. However, one could argue that data controllers should document the duration of the limitation following the data restriction as part of the accountability obligation (5(2) GDPR).

When does the processing restriction right apply?

This is an important question, because the right to restriction of processing only applies in four situations. Read the answer here: When does the processing restriction right apply?.

What are consequences of restriction?

The GDPR describes several consequences following an invoked restriction right. You can learn about those here: What are the consequences of restriction?.

Was this article helpful?

Yes No

About The Author

Joost Gerritsen

Author and creator of GDPR Beetle Joost Gerritsen is a data protection lawyer since 2010. Based in The Netherlands, he advises companies and governments. His publications have been picked up by the European Commission (JRC), the Council of Europe and UNESCO.

Related Articles

Leave a Comment