Right to Restriction of Processing (Article 18)
The Right to Restriction of Processing, established under Article 18 of the General Data Protection Regulation (GDPR), grants data subjects the ability to limit the way an organization uses their personal data under specific circumstances. This right does not result in the erasure of data but instead requires the data controller to restrict its processing activities. Data subjects can invoke this right in four key situations:
1. **Accuracy Contested**: When the individual contests the accuracy of their personal data, processing may be restricted for a period enabling the controller to verify the correctness of the data.
2. **Unlawful Processing**: When processing is deemed unlawful, but the data subject opposes erasure and instead requests the restriction of use.
3. **No Longer Needed by Controller**: When the controller no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims.
4. **Objection Pending Verification**: When the data subject has objected to processing under Article 21, and verification of whether the controller's legitimate grounds override those of the data subject is pending.
When processing is restricted, the data may only be stored. Any other processing requires the data subject's consent or is permitted only for the establishment, exercise, or defense of legal claims, for the protection of another person's rights, or for reasons of important public interest. Controllers must inform the data subject before lifting any restriction of processing.
Additionally, when restriction has been granted, the controller is obligated to notify each recipient to whom the personal data has been disclosed about the restriction, unless this proves impossible or involves disproportionate effort. For privacy professionals, understanding this right is critical for ensuring organizational compliance. Proper procedures must be implemented to flag restricted data, prevent unauthorized processing, and maintain transparency with data subjects about any changes to the restriction status.
Right to Restriction of Processing (Article 18) – Comprehensive Guide for CIPP/E Exam Preparation
Introduction
The Right to Restriction of Processing under Article 18 of the General Data Protection Regulation (GDPR) is one of the key data subject rights that candidates must thoroughly understand for the CIPP/E exam. This right allows individuals to limit the way an organisation uses their personal data in specific circumstances. It essentially acts as a "freeze" on processing, meaning the data can still be stored but not actively used. Understanding this right is critical not only for exam success but also for real-world data protection practice.
Why Is the Right to Restriction of Processing Important?
The right to restriction of processing is important for several reasons:
1. Empowering Data Subjects: It gives individuals meaningful control over their data, particularly in situations where the accuracy or lawfulness of processing is in question. Rather than requiring immediate erasure, it provides a middle ground that preserves the data while limiting its use.
2. Balancing Interests: This right acts as a safeguard that balances the interests of the data subject with those of the controller. For example, when a data subject contests the accuracy of data, restriction allows time for the controller to verify the data without causing potential harm through continued processing.
3. Complementing Other Rights: The right to restriction works in tandem with other data subject rights, such as the right to rectification (Article 16) and the right to object (Article 21). It provides a practical mechanism to protect data subjects while disputes are being resolved.
4. Legal Compliance: Organisations that fail to honour restriction requests risk regulatory enforcement action, fines, and reputational damage. Supervisory authorities expect controllers to have processes in place to handle these requests effectively.
5. Preserving Evidence: In some cases, data subjects may need data to be preserved (rather than erased) for the establishment, exercise, or defence of legal claims. Restriction allows this preservation without ongoing processing.
What Is the Right to Restriction of Processing?
Article 18(1) of the GDPR provides that the data subject has the right to obtain from the controller the restriction of processing where one of the following conditions applies:
(a) Accuracy is Contested: The data subject contests the accuracy of the personal data, and restriction applies for a period enabling the controller to verify the accuracy of the personal data.
(b) Processing is Unlawful, but Erasure is Opposed: The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead. This is a crucial scenario — the data subject prefers restriction over deletion.
(c) Controller No Longer Needs the Data, but Data Subject Needs It for Legal Claims: The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims.
(d) Pending Verification of Objection Under Article 21(1): The data subject has objected to processing pursuant to Article 21(1) (objection based on legitimate interests or public interest grounds), pending the verification of whether the legitimate grounds of the controller override those of the data subject.
How Does the Right to Restriction of Processing Work in Practice?
1. What Does "Restriction" Mean?
Article 18(2) clarifies that where processing has been restricted, such personal data shall, with the exception of storage, only be processed:
- With the data subject's consent; or
- For the establishment, exercise, or defence of legal claims; or
- For the protection of the rights of another natural or legal person; or
- For reasons of important public interest of the Union or of a Member State.
This means the data is essentially "frozen" — it can be stored but not actively processed unless one of these exceptions applies.
2. Technical Methods of Restriction
Recital 67 suggests various methods for restricting processing, including:
- Temporarily moving the selected data to another processing system
- Making the selected personal data unavailable to users
- Temporarily removing published data from a website
- Using technical measures to ensure the data is not subject to further processing
3. Obligation to Inform Before Lifting Restriction
Under Article 18(3), the controller must inform the data subject before the restriction of processing is lifted. This is an important procedural safeguard ensuring transparency.
4. Notification to Third Parties
Under Article 19, the controller must communicate any restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller must also inform the data subject about those recipients if the data subject requests it.
5. Timeline for Responding
As with other data subject rights under Article 12, the controller must respond to a restriction request without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests, but the data subject must be informed of the extension within one month.
6. No Fee (Generally)
The exercise of this right is generally free of charge. A reasonable fee may only be charged where requests are manifestly unfounded or excessive, particularly if they are repetitive. Alternatively, the controller may refuse to act on the request in such circumstances, but bears the burden of demonstrating the manifestly unfounded or excessive character.
Relationship with Other Data Subject Rights
- Right to Rectification (Article 16): When a data subject requests rectification, the controller may restrict processing while verifying accuracy. If the data subject explicitly requests restriction under Article 18(1)(a), the controller must comply.
- Right to Erasure (Article 17): Article 18(1)(b) is particularly interesting because it applies when processing is unlawful. Instead of erasure, the data subject may prefer restriction. This gives the data subject a choice.
- Right to Object (Article 21): When a data subject objects under Article 21(1), processing may be restricted under Article 18(1)(d) while the controller assesses whether their legitimate grounds override the data subject's interests.
- Right to Data Portability (Article 20): While there is no direct link, restriction can interact with portability in complex scenarios where data is being disputed or contested.
Key Distinctions to Remember
- Restriction vs. Erasure: Restriction keeps the data but limits processing; erasure deletes the data entirely. The data subject may prefer restriction when they need the data to be preserved (e.g., for legal claims).
- Restriction vs. Blocking: While similar in concept to blocking under older data protection laws, restriction under GDPR is a specific, formally defined right with clear conditions and exceptions.
- Storage is Always Permitted: Even when restriction applies, the controller may still store the data. The restriction applies to all other forms of processing.
Practical Scenarios for the CIPP/E Exam
Scenario 1: A data subject believes their address on file is incorrect and requests rectification. While the controller verifies the correct address, the data subject requests restriction of processing. The controller must restrict processing (no mailings, no sharing) until accuracy is confirmed.
Scenario 2: A supervisory authority finds that a company's processing of certain employee data is unlawful. An employee requests restriction rather than erasure because they want the data preserved for a pending employment tribunal case. The controller must restrict processing but retain the data.
Scenario 3: A data subject objects to processing of their data for direct marketing profiling under Article 21(1). While the controller evaluates whether their legitimate interests override those of the data subject, the data subject requests restriction. The controller must restrict processing pending this assessment.
Common Exam Pitfalls
- Confusing restriction with erasure — they are distinct rights with different outcomes.
- Forgetting that storage is always permitted during restriction.
- Not recognising all four grounds for restriction under Article 18(1).
- Overlooking the obligation under Article 18(3) to inform the data subject before lifting restriction.
- Forgetting the Article 19 obligation to notify recipients of the restriction.
- Confusing the right to object under Article 21(1) (legitimate interests/public interest) with Article 21(2) (direct marketing) — only Article 21(1) objections trigger the restriction ground under Article 18(1)(d).
Exam Tips: Answering Questions on Right to Restriction of Processing (Article 18)
1. Memorise the Four Grounds: Know all four conditions under Article 18(1) by heart — accuracy contested, unlawful processing (data subject opposes erasure), data no longer needed but required for legal claims, and pending verification of an Article 21(1) objection. Exam questions frequently test whether you can identify the correct ground from a factual scenario.
2. Understand the Exceptions to Restriction: Remember that restricted data can still be processed with consent, for legal claims, to protect the rights of others, or for important public interest. This is a common area for multiple-choice distractors.
3. Focus on the Data Subject's Choice: A key theme in Article 18 is that the data subject actively chooses restriction. In the case of unlawful processing, they choose restriction instead of erasure. Be alert to scenarios where the question tests this choice.
4. Link to Other Articles: Exam questions may test your understanding of how Article 18 interacts with Articles 16, 17, 19, and 21. Be prepared to trace the logical flow from one right to another.
5. Remember the Notification Obligations: Article 18(3) (informing the data subject before lifting restriction) and Article 19 (informing recipients) are frequently tested. These are procedural obligations that candidates often overlook.
6. Watch for Timing Questions: The standard one-month response period (extendable by two months) under Article 12(3) applies to restriction requests as well. If a question asks about response timelines, apply the Article 12 framework.
7. Distinguish Between Direct Marketing and Other Objections: Article 18(1)(d) specifically references Article 21(1) objections (legitimate interest/public interest grounds). It does not reference Article 21(2) objections (direct marketing), because direct marketing objections are absolute and processing must cease immediately — there is no need for restriction pending assessment.
8. Read Scenarios Carefully: Exam questions often present a fact pattern and ask which right applies or which ground for restriction is relevant. Read the facts carefully to identify whether the scenario involves contested accuracy, unlawful processing, data preservation for legal claims, or a pending objection assessment.
9. Think About Technical Implementation: Some questions may touch on how restriction is practically implemented. Remember Recital 67's guidance: moving data to another system, making data unavailable to users, or temporarily removing published data.
10. Use Process of Elimination: For multiple-choice questions, eliminate answers that confuse restriction with erasure, that suggest storage is prohibited during restriction, or that state the controller can continue unrestricted processing during a dispute. These are common incorrect answer choices designed to test your precise understanding.
Summary
The Right to Restriction of Processing under Article 18 is a nuanced and powerful data subject right that serves as a middle ground between continued processing and erasure. For the CIPP/E exam, candidates must understand the four specific grounds triggering this right, the limited exceptions allowing processing of restricted data, the procedural obligations on controllers (including notification before lifting restriction and informing recipients), and how this right interacts with other GDPR rights such as rectification, erasure, and objection. By mastering these elements and practicing with scenario-based questions, candidates will be well-prepared to handle any exam question on this topic.