Article 18 means data subjects can request you temporarily limit how their personal data is used. There are specific scenarios where their request must be honored (see next question). Your company needs procedures in place to respond appropriately to these.

A data controller must restrict the processing of a data subject’s personal data when there are doubts about the accuracy of their data, until this has been verified.

If the processing of personal data is deemed unlawful, the data subject can choose to have the processing of their personal data restricted rather than having it erased. This option may be relevant in cases where a legal claim is pending against the data controller. The restriction allows for the preservation of evidence of the unlawful practice, while ensuring the data cannot be used for the unlawful purpose.

The data subject can request the data controller to continue processing their data, but in a restricted manner. This can be done when the controller no longer has a purpose for processing, while the data subject needs the data intact for the establishment, exercise, or defense of legal claims against the data controller

Article 21(1) allows data subjects to object to a data controller’s processing of their data when it is founded on the legal bases of “public interest” or “legitimate interests”. When a data subject objects to the processing of their personal data as per Article 21(1), the processing must be restricted until it is determined whether the data controller’s legitimate reasons override those of the data subject.

When data processing is restricted, the data controller can store the data but cannot modify, share, or use it without the data subject’s consent.

However, there are exceptions where processing is still allowed:

• Consent is obtained from the data subject.
• Processing is needed for the establishment, exercise, or defense of legal claims.
• Processing is necessary to protect the rights of another individual.
• Processing is required for compelling reasons of public interest for the EU or a Member State.

To comply with a restriction request, you must have a process in place to receive and respond to such requests, ensuring data subjects can easily contact you.

Establish a mechanism to flag restricted data to prevent accidental use that would violate the restriction.

When a restriction is lifted, you must notify the data subject before the restriction is lifted, giving them time to respond.

Yes, restricting processing affects data shared with third parties. When you restrict processing, you must inform any third parties who have received the data about the restriction so they also comply and do not process the data further. Therefore, it is important to have updated records of how data is shared with third parties.

When a data subject requests that the data controller restrict processing, it impacts automated decision-making and profiling by halting these activities. The data cannot be used in automated systems or for profiling purposes until the restriction is lifted.