1. Home
  2. Data subject's rights
  3. When does the processing restriction right apply?
Searching...
EDPB - EDPB-EDPS Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space
12 Jul. 2022
EDPB-EDPS Joint Opinion 03/2022
Download document
EDPB - Statement 02/2022 on personal data transfers to the Russian Federation
12 Jul. 2022
Statement 02/2022
Download document
EDPB - CSC Work Programme 2022-2024
6 Jul. 2022
CSC Work program 2022-2024
Download document
EDPB - Opinion 11/2022 on the draft decision of the competent supervisory authority of Poland regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 11/2022
Download document
EDPB - Opinion 12/2022 on the draft decision of the competent supervisory authority of France regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 12/2022
Download document
EDPB - Opinion 13/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR)
4 Jul. 2022
Opinion 13/2022
Download document
EDPB - Opinion 14/2022 on the draft decision of the competent supervisory authority of Bulgaria regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 14/2022
Download document
EDPB - Opinion 15/2022 on the draft decision of the competent supervisory authority of Luxembourg regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 15/2022
Download document
EDPB - Opinion 16/2022 on the draft decision of the competent supervisory authority of Slovenia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
4 Jul. 2022
Opinion 16/2022
Download document
CJEU – Ligue des droits humains v Conseil des ministres – C-817/19
21 Jun. 2022
Ligue des droits humains
EDPB - Response to EDRi regarding the structural and procedural enforcement of the GDPR and its work to promote and safeguard data protection
14 Jun. 2022
EDPB GDPR Enforcement Letter
Download document
EDPB - Response of the EDPB to the European Commission's targeted consultation on a digital euro
14 Jun. 2022
EDPB Digital Euro Letter
Download document
EDPB - Guidelines 07/2022 on certification as a tool for transfers - Version 1.0
14 Jun. 2022
Guidelines 07/2022
Download document
EDPB - EDPB response to the joint payments industry regarding the Guidelines on the interplay of Second Payment Services Directive (PSD2) and GDPR
12 May. 2022
EDPB Guidelines PSD2 and GDPR Letter
Download document
EDPB - Guidelines 06/2022 on the practical implementation of amicable settlements - Version 2.0
12 May. 2022
Guidelines 06/2022
Download document

When does the processing restriction right apply?

Contents

The right to restriction of processing applies in four situations. When do these apply?

Four relevant data restriction situations

Article 18 GDPR describes the right of data subjects to obtain from the controller restriction of processing. It makes clear that this right applies in (one or more) of the following situations:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the data subject has objected to processing pursuant to 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

All these cases have in common that personal data are (or have been) processed. Then, the right to restriction of processing must be respected. It does not matter how the data processing occurs. For instance, the right has to be facilitated in any stage of profiling activities (WP251rev1, p. 18) or when data are used for AI training and/or prediction (EDPB-EDPS Joint Opinion 5/2021, par. 60).

Let’s investigate the four applicable situations below.

A. Contested data accuracy

Accuracy is one of the fundamental GDPR principles. The accuracy principle of 5(1)(d) GDPR entails that personal data shall be accurate and, where necessary, kept up to date. This obligation expects that every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified. This has to be done without delay, since inaccurate data can have adverse effects on individuals.

The right to processing restriction applies to the situation in which the accuracy of the personal data is contested by the data subject. For example as part of the data subject’s right of erasure (17 GDPR).

The GDPR clarifies that the restriction right applies for a period enabling the controller to verify the accuracy of the personal data. This verification should be done in an efficient and timely manner (see, by comparison, Fashion ID, par. 102). As a principle rule the verification period should not be longer than one month, in light of 12(3) GDPR.

B. Restriction instead of erasure

Another fundamental GDPR principle is related to integrity and confidentiality (5(1)(f) GDPR). Based on this principle, personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing among other things, using appropriate technical or organisational measures.

A data subject can invoke the right to erasure as described in 17 GDPR when data have been unlawfully processed (17(1)(d) GDPR). Normally a controller deletes personal data if it concludes that the processing has been unlawful. However, if the processing is unlawful, for example due to a lack of legal basis, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, then the controller should respect the restriction request.

This situation shows that controllers should not blindly delete unlawful processed data, without first considering whether or not a data subject has invoked his or her right to restriction of processing.

The GDPR recognizes the importance of the establishment, exercise or defence of legal claims in several places. Firstly, the prohibition regarding special categories of personal data can be lifted when this necessary for said establishment, exercise or defence of legal claims (9(2)(f) GDPR). Also, to the extent that processing is necessary in those cases, a data subject’s right to erasure shall not apply (17(3)(d) GDPR) or can be reasons not to fulfill a data subject’s right to object (21(1) GDPR). Lastly, the establishment, excercise or defense of legal claims may act as derogations in the context of transfers of personal data to third countries (49 GDPR and WP262, pp. 12 – 13).

In the context of special categories of data and third country transfer derogations, the GDPR’s recitals clarify that the type of legal claim does not matter. The establishment, excercise or defense of legal claims can be part of judicial procedures such as court proceedings, administrative or any out-of-court procedures (recitals 52 or 111). This notion would apply in this context of the right to processing restriction as well, as there are no indications in the GDPR pointing to the contrary.

This third situation applies if the controller no longer needs the personal data for the purposes of the processing, yet these data are required by the data subject for the establishment, exercise or defence of legal claims. Unlike legal claims in relation to the right to erasure, the GDPR makes clear that the claims come from the data subject. Consequently, this situation does not apply when the legal claims are made by the controller or a third party.

Furthermore, based on the text of 18(1)(c) GDPR, it does not matter to whom the legal claims of the data subject are aimed. This can be the controller, but this does not have to be the case.

It can be difficult for controllers to comply with the GDPR in this situation. For instance, the storage limitation principle of the GDPR mandates that personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed. If a data subject invokes his or her restriction right because of legal claims shortly before the ending of the data retention period, then the controller should act adequatly by halting any inteded deletion actions.

D. Pending verification of legitimate grounds

The fourth and last situation in which the data subject’s restriction right applies, arrives after the data subject invoked its right to object to processing of personal data concerning him or her which is based on point (e) or (f) of 6(1) GDPR. These legal grounds relate to the performance of the controller’s task carried out in the public interest or the legitimate interests pursued by the controller (or by a third party).

When a controller receives a request based on the right object, then it has to verify whether its legitimate grounds override those of the data subject. If that is the case, the data processing may continue. Otherwise, as a principle rule, the controller shall no longer process the personal data. Pending this verification process the controller must restrict the processing.

Was this article helpful?

Yes No

About The Author

Joost Gerritsen

Author and creator of GDPR Beetle Joost Gerritsen is a data protection lawyer since 2010. Based in The Netherlands, he advises companies and governments. His publications have been picked up by the European Commission (JRC), the Council of Europe and UNESCO.

Related Articles

Leave a Comment