Restriction of processing, as mentioned in article 18 GDPR, effectively ‘pauses’ or ‘freezes’ further processing operations. What does this mean and what are the consequences when a data subject invokes this right?
Importance of the processing restriction right
Before we dive into the definition of the right to restriction of processing, we highlight four points on why it is important to comply with the relevant GDPR provisions.
Responsibility of the controller
First of all, every controller is responsible for processing personal data in such a manner that its activities facilitate the data subject’s rights, including the right to restriction of processing (see e.g. 24 GDPR). The GDPR expects the controller to facilitate this and other rights based on the principle of data protection by design and by default (25 GDPR). This is why the EDPB recommends the use of so-called profile management systems. These allow data subjects to change their privacy settings and provide them with control over their data, which is an effective way for them to exercise their rights, including their right to restrict the processing (EDPB Guidelines 1/2020, paras. 90 – 91).
Second, processors play an important role. They need to build software or otherwise ensure that measures are in place which enable data subjects to exercise their rights. Otherwise controllers cannot live up to their GDPR responsibilities.
- Controllers are only allowed to use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the GDPR requirements and ensure the protection of the data subject’s rights (28(1) GDPR).
- Processors need to assist the controller by appropriate technical and organisational measures (insofar as this is possible) for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights, including the data restriction right (28(3)(e) GDPR).
SAs can order processing restrictions
Third, supervisory authorities (SAs) have the power to order restriction of processing as well as the notification of such action to recipients to whom the personal data have been disclosed (58(2) GDPR). Controllers need to comply with such orders.
Adverse effects and fines following non-compliance
Last, but certainly not least, the right to restriction of processing aims to protect the data subject in several situations. For instance, the right can help the data subject to correct inaccurate data which have an adverse effect on him or her. These are reasons why this right should not be overlooked.
The GDPR underlines the right’s importance considering the potential fines. Infringements regarding the restriction right and the accompanying obligation to notify recipients are subject to administrative fines up to 20,000,000.00 EUR (twenty million Euros), or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (83(2) GDPR). This is the highest category of GDPR fines.
Reminder: specific derogations and transparency obligations
Keep the following in mind. According to the GDPR, EU or Member State law may provide for derogations from the right to restriction of processing (23 GDPR, 89 GDPR). Therefore, always consider if any laws contain specific provisions which apply to your situation.
In addition, controllers must provide information to data subjects on their rights, including the right to restriction of processing (12 – 14 GDPR, see also WP260rev1). Such information should also be provided as part of the right of access by the data subject (15(1)(e) GDPR).
What is the restriction of processing?
The accompanying recital explains what this right means in practice. The restriction of processing entails:
“(…) Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. (…)”
The definition of restriction of processing speaks of the marking of stored data. Yet, based on the recital it is clear that this right is about ‘pausing’ or ‘freezing’ the data processing activities. In other words, the controller has to ensure that the personal data are not subject to further processing operations and cannot be changed. This could mean that in certain cases the mere marking of data is not good enough, but that published data have to be removed as well.
The recital offers two more hints on how restriction of processing should be facilitated:
- First, in automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed.
- Second, the fact that the processing of personal data is restricted should be clearly indicated in the filing system. In the context of Directive 2016/680, the WP29 recommends that the restrictions should be documented and mention for instance when the limitation started and stopped (WP258, pp. 21 – 22).
Whether the WP29’s recommendation should apply under the GDPR remains unclear. However, one could argue that data controllers should document the duration of the limitation following the data restriction as part of the accountability obligation (5(2) GDPR).
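One way to meet both hints in an automated filing system, as an added example that is not part of the original article: a SQLite store (driven from Python) in which a restriction flag marks the record, a trigger blocks changes while the flag is set, a view hides restricted records from routine processing, and a log documents when each restriction started and stopped. All table, column and function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema; the names are assumptions made for this example.
SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT NOT NULL,
                       restricted INTEGER NOT NULL DEFAULT 0);
-- Documents each restriction: when it started and when it stopped.
CREATE TABLE restriction_log (customer_id INTEGER NOT NULL, reason TEXT NOT NULL,
                              started_at TEXT NOT NULL, ended_at TEXT);
-- Routine processing reads this view, so restricted rows are unavailable to users.
CREATE VIEW customer_active AS SELECT id, email FROM customer WHERE restricted = 0;
-- Technical block: a restricted row cannot be changed. The only update
-- allowed is clearing the flag while leaving the data itself untouched.
CREATE TRIGGER no_update_restricted BEFORE UPDATE ON customer
WHEN OLD.restricted = 1
     AND NOT (NEW.restricted = 0 AND NEW.id = OLD.id AND NEW.email = OLD.email)
BEGIN SELECT RAISE(ABORT, 'processing restricted'); END;
"""

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _now():
    return datetime.now(timezone.utc).isoformat()

def restrict(conn, customer_id, reason):
    with conn:  # flag and log entry are committed together or not at all
        cur = conn.execute("UPDATE customer SET restricted = 1 "
                           "WHERE id = ? AND restricted = 0", (customer_id,))
        if cur.rowcount != 1:
            raise ValueError("unknown or already restricted")
        conn.execute("INSERT INTO restriction_log VALUES (?, ?, ?, NULL)",
                     (customer_id, reason, _now()))

def lift(conn, customer_id):
    with conn:  # clear the flag and close the open log entry
        conn.execute("UPDATE customer SET restricted = 0 WHERE id = ?", (customer_id,))
        conn.execute("UPDATE restriction_log SET ended_at = ? "
                     "WHERE customer_id = ? AND ended_at IS NULL", (_now(), customer_id))

def try_update_email(conn, customer_id, email):
    """Stand-in for any routine processing step; returns False when blocked."""
    try:
        with conn:
            conn.execute("UPDATE customer SET email = ? WHERE id = ?", (email, customer_id))
        return True
    except sqlite3.DatabaseError:
        return False
```

Because the block sits in the database rather than in application code, every application that writes to the table is subject to it.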
When does the processing restriction right apply?
What are consequences of restriction?
The GDPR describes several consequences following an invoked restriction right. You can learn about those here: What are the consequences of restriction?