The right to restriction of processing applies in four situations. When do these apply?
Four relevant data restriction situations
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
All these cases have in common that personal data are (or have been) processed. Then, the right to restriction of processing must be respected. It does not matter how the data processing occurs. For instance, the right has to be facilitated in any stage of profiling activities (WP251rev1, p. 18) or when data are used for AI training and/or prediction (EDPB-EDPS Joint Opinion 5/2021, par. 60).
Let’s investigate the four applicable situations below.
A. Contested data accuracy
Accuracy is one of the fundamental GDPR principles. The accuracy principle of 5(1)(d) GDPR entails that personal data shall be accurate and, where necessary, kept up to date. This obligation expects that every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified. This has to be done without delay, since inaccurate data can have adverse effects on individuals.
The right to processing restriction applies to the situation in which the accuracy of the personal data is contested by the data subject, for example as part of the data subject’s right of erasure (17 GDPR).
The GDPR clarifies that the restriction right applies for a period enabling the controller to verify the accuracy of the personal data. This verification should be done in an efficient and timely manner (see, by comparison, Fashion ID, par. 102). As a general rule, the verification period should not be longer than one month, in light of 12(3) GDPR.
B. Restriction instead of erasure
Another fundamental GDPR principle is related to integrity and confidentiality (5(1)(f) GDPR). Based on this principle, personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing among other things, using appropriate technical or organisational measures.
A data subject can invoke the right to erasure as described in 17 GDPR when data have been unlawfully processed (17(1)(d) GDPR). Normally a controller deletes personal data if it concludes that the processing has been unlawful. However, if the processing is unlawful, for example due to a lack of legal basis, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, then the controller should respect the restriction request.
This situation shows that controllers should not blindly delete unlawfully processed data without first considering whether or not a data subject has invoked his or her right to restriction of processing.
C. Data subject’s legal claims
The GDPR recognizes the importance of the establishment, exercise or defence of legal claims in several places. Firstly, the prohibition regarding special categories of personal data can be lifted when this is necessary for said establishment, exercise or defence of legal claims (9(2)(f) GDPR). Also, to the extent that processing is necessary in those cases, a data subject’s right to erasure shall not apply (17(3)(d) GDPR), and such claims can be a reason not to fulfil a data subject’s right to object (21(1) GDPR). Lastly, the establishment, exercise or defence of legal claims may act as a derogation in the context of transfers of personal data to third countries (49 GDPR and WP262, pp. 12 – 13).
In the context of special categories of data and third country transfer derogations, the GDPR’s recitals clarify that the type of legal claim does not matter. The establishment, exercise or defence of legal claims can be part of judicial procedures such as court proceedings, administrative or any out-of-court procedures (recitals 52 or 111). This notion would apply in the context of the right to processing restriction as well, as there are no indications in the GDPR pointing to the contrary.
This third situation applies if the controller no longer needs the personal data for the purposes of the processing, yet these data are required by the data subject for the establishment, exercise or defence of legal claims. Unlike legal claims in relation to the right to erasure, the GDPR makes clear that the claims come from the data subject. Consequently, this situation does not apply when the legal claims are made by the controller or a third party.
It can be difficult for controllers to comply with the GDPR in this situation. For instance, the storage limitation principle of the GDPR mandates that personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed. If a data subject invokes his or her restriction right because of legal claims shortly before the end of the data retention period, then the controller should act adequately by halting any intended deletion actions.
D. Pending verification of legitimate grounds
The fourth and last situation in which the data subject’s restriction right applies arises after the data subject has invoked his or her right to object to processing of personal data concerning him or her which is based on point (e) or (f) of 6(1) GDPR. These legal grounds relate to the performance of the controller’s task carried out in the public interest or the legitimate interests pursued by the controller (or by a third party).
When a controller receives a request based on the right to object, it has to verify whether its legitimate grounds override those of the data subject. If that is the case, the data processing may continue. Otherwise, as a general rule, the controller shall no longer process the personal data. Pending this verification process, the controller must restrict the processing.