Exercise Your Rights – Article 18 – Restrict the processing of your data!

Has your gym unlawfully kept some of your personal information, but you do not want them to delete it? Are you trying to rectify some inaccurate data on your fitness tracker, and do not want it to be used until the problem is fixed?

In any of those cases, Article 18 of the GDPR might be the move for you.

Article 18 creates a new right that entitles you to have the processing of your data restricted in certain circumstances. Read on to find out how you can exercise your right to restriction…

Your Right to Restriction of Processing

What is a restriction on processing personal data?

“Restriction of processing” generally means limiting how a controller can use your personal data. If your personal data is restricted, then the controller may only store it, and cannot further use it without your permission.

Methods for restricting processing can include moving personal data to another system, making the data unavailable to users of a service, or temporarily removing the data from the controller’s website.

Step 1: Contacting the Controller

Step 2: Drafting your Request

Step 3: Controller Reply

Step 4: what if the controller refuses my request?


Why would I want to restrict processing?

Alternative to erasure: You may want to prevent a controller from using certain personal information for any other purposes, but still want the controller to keep that information on file and do not want them to erase it.

Preventing the use of incorrect information while exercising other data subject rights: While you are exercising your right to modify your data or right to object to processing , you may want the controller to stop using the contested information for any purpose other than dealing with your request.

When can I exercise my right to restrict processing?

Article 18 of the GDPR gives you four circumstances where you can restrict processing:

  • The controller is responding a rectification request you made (to find out how to make a rectification request and exercise your right to modifying inaccurate data, click here);
  • You have objected to the processing of your data and the controller is verifying the request;
  • The processing is unlawful (ie it violates Article 5 or Article 6 of the GDPR) and you do not want the controller to erase the data;
  • The controller no longer needs the personal data for the purposes of the processing, but you require them to keep it for legal claim in which you are involved.

Can I restrict the processing of my data forever?

No, if the processing of your data is being restricted for the purposes of handling a rectification or objection request. The controller may lift the restriction once they have rectified your data or decided on your objection request. However, the controller must notify you of this before they lift the restriction.

No, if the data is being restricted for the purposes of legal claim. Here, the restriction period will generally last until your legal claims have been established, carried out, or defended. Again, the controller must notify you of their intention to lift the restriction.

In the case of unlawful processing, the GDPR does not specify a deadline or time period for restriction. In this case, it is most likely that the restriction would last until you decided the controller no longer needed to store the data. If you change your mind and want the data deleted, you can exercise your right to erasure.


How do I restrict processing?

Step 1: Contacting the Controller

Your request to restrict the processing of your data should be addressed to the controller (the organisation/entity/administration/company processing your data).

This can be done by email, letter, fax or through a form, as long as you have a written record of the request.

The relevant email address can usually be found in the “privacy policy” or “contact us” section of the controller’s website. It will generally have a name like privacy@company.com or legal@publicauthority.eu. If this is difficult to find, or if there is no specific address to which you can send your request, that’s the fault of the controller, not yours - the GDPR requires controllers to make this information easily accessible. Where there is no specific email address, you can use the general contact details of the controller.


Step 2: Drafting your Request

  • Inform the controller that you are seeking to restrict the processing of your data. If you are seeking the restriction of processing to accompany a request to rectify data or object to processing, we suggest combining these two requirements into one request. We show you how to do this in our pages on modifying your data and objecting to processing.
  • Specify your name or other identifier used by the controller (eg an account username). To help the controller address your request more efficiently, include some information that would help to identify your account, such as your phone number (if you gave it when you signed up), username or account name, or IP address. This will be particularly helpful if you have a common first name and surname. 
  • Specify the data whose processing you want restricted and the reason you are seeking a restriction (see “When can I restrict processing?”). If possible, include some evidence to back up your choice of circumstance,
  • Include the date in the text if you put your request in an attachment to the email or in a letter. This clarifies the controller’s deadline for providing the information.


Step 3: Controller Reply

Once the controller receives your request, they have one month to respond. This period can only be extended once by a maximum of two further months, in cases of complex or multiple requests.

The controller can ask you additional information to confirm your identity in case of doubt. However, such a request should be limited to the additional information necessary to confirm who you are. The additional information cannot be disproportionate, having considered the context of the processing of your data (eg a shop asking you for a copy of your passport to change the address of a loyalty card would be disproportionate).

Generally, this information must be provided to you in writing, but it can be communicated to you via electronic means such as email, or it can be provided orally if you request it.


Step 4: what if the controller refuses my request?

If the controller decides not to restrict the processing, they must explain and inform you of their decision within a month of receiving your request.

If the controller:

  • rejects your request without a satisfactory explanation,
  • tries to unjustifiably charge you for your request,
  • does not:
    • confirm the restriction of the processing while handling your request
    • respond after a month or after the extended deadline (maximum 3 months in total),

you are entitled to file a complaint with a data protection authority (eg the DPA where you live or work), and the controller should inform you about that.

If you need assistance in assessing the legal elements of a controller’s reply, you can contact us at info@noyb.eu to discuss further steps. 


Back to Exercise Your Rights