Article 18 GDPR enables data subjects to temporarily restrict a controller from processing their personal data. This right enshrines a reconciliation of interests between the data subjects’ interest in a rectification or erasure of their information and the controller’s interest in continuing the data processing. The GDPR does not define how the request should be made: it is nonetheless a matter of good practice that it is made in a sufficiently clear way.
Pursuant to Article 18.1 GDPR, the data subject’s request can be made when:
- The accuracy of the personal data is contested (See right to rectification);
- The processing is unlawful, and the data subject opts for the restriction of the processing, rather than the erasure of the personal data;
- The data must be kept for the exercise or defence of legal claims;
- A decision is pending on the legitimate interests of the data controller prevailing over the interests of the data subject.
As provided by Recital 67 GDPR, the methods by which the controller can restrict personal data processing can include, for example, temporary movement of the selected data to another processing system, making the data unavailable to users or the removal of personal data on a temporary basis. Overall, the aim is to prevent data from being processed, with the exception of storage (Article 18.2 GDPR).
While the restriction is pending, personal data can still be processed:
- on grounds of the data subject’s consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another individual or legal person;
- for reasons of important public interest of the EU/an EU Member State.
On grounds of Article 19 GDPR, the controller must communicate the restriction of the processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. Whether the effort is disproportionate depends on the specific circumstances and could involve, for example, the vast number of recipients and resulting notifications, or the difficulty in identifying the recipient.
Finally, the controller must notify the data subject before the restriction on processing is lifted. In fact, the restriction could be temporary, especially when the data subject exercises their rights to rectification and to object.
Turning now to the data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, Article 89 GDPR and Recital 156 GDPR allow Member States to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the right […] to object. In this respect, the European Data Protection Supervisor (2020) recognizes that the objection of a large number of individuals to all or part of the project could negatively affect the representativeness and reliability of the research data. According to the EU authority, the scope of this derogation should therefore remain limited to cases where the integrity of research would be compromised by the exercise of data subjects’ rights.
Checklist for complying with a restriction of processing request
Is the exercise of the right to restriction of processing compliant with the GDPR?
☐ Did you receive a request to restrict the data processing from a legal entity? If yes, please indicate that the request was not lodged by an individual;
☐ Have the individuals correctly identified themselves? If not, please ask for further information to confirm identity;
☐ Does the request fall within one of the scenarios laid down in Article 18.1 GDPR? If not, please inform the data subject that the request shall be denied;
☐ Can the request be fulfilled within one month? If not, please inform the data subject why and how long it will take to process the request;
☐ The request needs to be fulfilled.
How to further comply with all the GDPR obligations:
☐ Remember that the restriction does not encompass the data storage;
☐ When restriction is pending, personal data can still be processed under the circumstances laid down in Article 18.2 GDPR;
☐ Communicate the restriction of the processing to each recipient to whom the personal data has been disclosed in compliance with Article 19 GDPR, unless this proves impossible or involves disproportionate effort.
1 Ibid., p. 164
2 EDPS, “A Preliminary Opinion on data protection and scientific research”, January 2020, p. 21-22