Skip to content

GDPR Article 18: Right to Restriction

Cat Coode 12/23/19 10:00 PM

GDPR Article 18 is Right to restriction of Processing.

What it is 

This is where the company stops or limits use of data for an individual but does not fully remove them from the system.

If the data subject wishes to have the processing of their data terminated but does not want the permanence of the Right to Erasure, they may invoke this Right where the company keeps the data and stops the use.

Why it is important for the Data Subject

When the Right to Erasure is invoked, all of the user’s personalized data must be removed from a system. If ever the user wanted to re-enable their account, all of their information, including personalized settings and preferences, would be gone. This right allows the company to keep the data but ensures that the user’s data is being stored and not processed.

What it means to the organization 

Similar to Right to Erasure, the organization will need to uncover all of the records that are personally identifiable to the user. Those records that are not anonymized will need to be removed from processing and analysis. This can be automated or done manually depending on the number of requests and the complexity of the system. 

The non-permanent nature of this Right makes it less risky than Right to Erasure however the restricting processing on records that continue to exist can be more complicated to handle.

Real world example 

A social network that connects neighbours based on location tracks their users via GPS. A current user decides that they do not want to be tracked while they are travelling for 6 months. The user does not want to delete their account because they have preferences stored within the system. They do not have a way to remove the tracking without uninstalling the app. The user selects a company provided option called ‘deactivate my account’. The feature allows the company to maintain the user’s information but ceases processing on that data. When and if the user wants to return, they can reactivate their account. This will return the account to previous functionality and allow the company to resume data processing on GPS.

Questions about GDPR and the Data Subject Rights? Check out our full article on GDPR or contact us.