Overview

This article grants data subjects the right to request a restriction on the processing of their personal data in certain circumstances, such as when the accuracy of the data is disputed, processing is unlawful, or the data is required for legal claims. During the restriction period, data may only be stored or processed for specific legal purposes until the restriction is lifted.
Key Principles

  • Accuracy Disputes: Restrict processing while the accuracy of the personal data is verified.

  • Unlawful Processing: Stop further processing of unlawfully processed data, except for storage.

  • Legal Claims: Restrict processing when data is needed for legal proceedings.

  • Temporary Measures: Restriction remains until the data is corrected, deleted, or the reason for restriction no longer applies.

Organizational Applicability

This article applies to all organizations processing personal data within the EU:

  • Controllers managing personal data of EU/EEA data subjects.

  • Public and private sector entities handling personal data that is disputed, has been processed unlawfully, or is needed for legal claims.

  • Teams responsible for IT systems, records management, legal compliance, and data governance.

Implementation Requirements

  • Implement procedures to receive, verify, and process restriction requests.

  • Apply restrictions so that personal data is not processed further except for storage or specific legal purposes.

  • Document all restrictions, actions taken, and duration of restriction.

  • Coordinate with internal departments and third-party processors to enforce restrictions.
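The requirements above (receive and record a restriction, block further processing except for storage or specific legal purposes, document actions and duration) can be enforced in a data-access layer. The following is an added example, not code from the original page; the purpose labels, subject identifiers and the in-memory register are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Purposes that remain permitted while a restriction is active. Assumption:
# the page's "storage or specific legal purposes", modelled as two labels.
PERMITTED_WHILE_RESTRICTED = {"storage", "legal_claims"}


@dataclass
class Restriction:
    reason: str            # e.g. "accuracy_dispute", "unlawful_processing"
    since: date
    lifted: Optional[date] = None


@dataclass
class RestrictionRegister:
    """Records restrictions and gates every processing request against them."""
    restrictions: dict[str, Restriction] = field(default_factory=dict)
    audit_log: list[tuple[str, str, str]] = field(default_factory=list)

    def restrict(self, subject_id: str, reason: str, since_iso: str) -> None:
        self.restrictions[subject_id] = Restriction(reason, date.fromisoformat(since_iso))
        self.audit_log.append((subject_id, "restrict", reason))

    def is_restricted(self, subject_id: str) -> bool:
        r = self.restrictions.get(subject_id)
        return r is not None and r.lifted is None

    def may_process(self, subject_id: str, purpose: str) -> bool:
        # Gate: unrestricted subjects are unaffected; restricted ones may only
        # be processed for the permitted purposes. Every decision is logged.
        allowed = not self.is_restricted(subject_id) or purpose in PERMITTED_WHILE_RESTRICTED
        self.audit_log.append((subject_id, purpose, "allowed" if allowed else "denied"))
        return allowed

    def lift(self, subject_id: str, on_iso: str) -> bool:
        # Lifting is recorded, never deleted, so the duration stays documented.
        r = self.restrictions.get(subject_id)
        if r is None or r.lifted is not None:
            return False
        r.lifted = date.fromisoformat(on_iso)
        self.audit_log.append((subject_id, "lift", r.reason))
        return True

    def restriction_days(self, subject_id: str, today_iso: str) -> int:
        # Duration so far (or total, once lifted), for the restriction record.
        r = self.restrictions[subject_id]
        end = r.lifted or date.fromisoformat(today_iso)
        return (end - r.since).days
```

Routing every read and write through `may_process` is what turns the register into a control; the denied entries in `audit_log` are the evidence a reviewer or DPO would look for during the periodic review.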

Implementation Guidance

  • Track restricted data in systems to prevent unauthorized processing.

  • Train staff to recognize valid restriction requests and implement controls effectively.

  • Regularly review restricted data to lift restrictions when appropriate.

  • Communicate with data subjects about the status and duration of the restriction.

Periodic Review

  • Frequency: Annually or when new processing systems or procedures are introduced.

  • Responsible Role: Data Protection Officer (DPO) or Compliance Team.

  • Outcome: Ensure all processing restrictions are enforced properly and lifted in compliance with GDPR.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover.

  • Legal Exposure: Complaints or enforcement actions for failing to implement restrictions.

  • Reputational Damage: Loss of trust from data subjects and stakeholders.

  • Operational Risk: Unauthorized processing during restriction periods may lead to regulatory scrutiny.